Work-from-home employees have always presented challenges for IT workers and information security offices. COVID-19 recently multiplied those challenges when many organizations enforced remote work for all employees.
Many companies already had the infrastructure in place and were prepared to take on this new way of life. However, other organizations have had to change on the fly and rush to get up and running, which may have left them open to security risks.
If you fall into the latter category, here are three elements of remote work security to investigate and address amidst the surge in remote workers due to COVID-19.
Before COVID-19, remote workers typically had a number of security precautions in place.
They’d have home firewalls and network intrusion detection. They’d have strong credentials on their wireless access points (no default passwords). Their work laptop would be on a separate VLAN from other personal devices, and they’d use a crazy strong WPA key.
All the employees working from home because of the coronavirus pandemic, however, are likely less prepared. For example, your newly remote workers might not have a VLAN in place because it’s advanced for a home network. This could pose a problem as IoT devices present a real threat to the security of company networks.
Organizations must ensure employees have the proper security measures in place to protect the company network. Start by performing an asset and network discovery for home users – a simple questionnaire is a basic and effective method – to gather user information on what security measures employees already have in place.
With that information, talk to your employees about separating those devices by VLAN or implementing other forms of network security. Advise them to check their wireless routers, as popular models from only a couple years ago may not have been spec’d to handle the large number of devices connecting to them now (phones, tablets, smart TVs, game consoles, printers, IoT devices and laptops).
If employees need to upgrade their home wireless routers, here are a few guidelines to pass on to them:
With your applications, there are two common use cases affected by the shift to a remote workforce. Business applications that were architected to work well on-premise and cloud applications that were configured for a small number of users will both need to be adapted.
For on-prem applications, companies must now set up VPN tunnels for a large number of employees. If employees are working on personal devices, implement controls to only allow devices with a baseline security level to directly connect to your VPN. This will help prevent malicious traffic from being passed to your company network. At a minimum, devices used for work purposes should have anti-virus software, up-to-date security patches, secure credential storage and should only use safe and approved software.
Make sure the preferred remote connection uses strong encryption in transit (typically SSL/TLS or IPSEC VPN) and is authenticated using multi-factor authentication (MFA). While MFA is not 100 percent foolproof, it provides a high assurance level against low-effort attacks. It can also be rolled out in phases, keeping disruptions to a minimum when the business is already disrupted.
In the case of cloud applications, it’s usually easy to procure and expand your cloud applications to allow for a greater number of users. The challenge is doing so under the stress of dynamically changing your workforce model and extending your authentication services. Federate the authentication and accounting source so users don’t have to remember yet another credential. Be sure to use MFA, and set up appropriate logging for all your applications, both cloud and on-premise.
The great debate in networking and security circles is whether to implement split tunneling or not.
Split tunneling ensures that only traffic intended for the remote network traverses the VPN, saving bandwidth for those VPN chokepoints. However, the use of split tunneling bypasses the ingress and egress boundary controls that IT departments typically use. So, what can you do?
Perform a risk analysis to determine if the loss of controls is warranted. While many security professionals advise against split tunneling, many companies use the technique to support applications that aren’t designed to be accessed remotely while they upgrade their compute resources and bandwidth.
Many organizations need to make those upgrades on the fly to support a full-time remote workforce. In an effort to keep operations running, some companies have opened up firewalls to unsecure services and web applications that were not originally intended for remote access, leaving them vulnerable to cyberattacks.
With more employees working remote than ever before, security becomes even more important. But there are steps you can take, even retroactively, to tidy up your IT operating posture.
Make sure employees’ home networks are hardened, MFA is utilized when setting up new resources and security baselines are in place for VPNs. Weigh the pros and cons of split tunneling, and if you choose to do it, make sure it’s only used with strong end-point controls.
The coronavirus pandemic caused a sudden surge of remote workers, taking many organizations by surprise. While it may have forced on-the-fly adjustments to work environments worldwide, now more than ever, is the time to review your security.