Key steps for SMEs to securely live with COVID-19
With Ireland’s new five-level plan for living with COVID-19 now in effect, it has become apparent that people are being advised to work from home where possible for at least the next six months. The entire country is currently on Level 2, which states in relation to work that you should only attend the workplace for essential on-site meetings, inductions and training. In all other instances, you should work from home where possible. The work-from-home message is the same for Level 1, the lowest level in the new framework.
In this ‘new normal’ with many within the workforce adapting to remote working, it is imperative Irish SMEs remain secure. Adopting a remote working environment without the proper planning and security considerations may introduce new avenues of attack for cyber criminals. At a time when the future is uncertain for so many Irish SMEs, ensuring you remain secure should be paramount. A cyber-attack for a business already struggling with cash flow issues would be devastating.
Secora Consulting was founded with remote working central to its operations. We have extensive knowledge in securing cloud platform implementations and have helped many of our clients transition to cloud platforms while ensuring the security of data and privacy is central to their migration process.
We have deep digital expertise and are able to develop clear and simple security roadmaps for our clients to help them navigate through this crisis. Therefore we thought we would share with you what we believe are key steps to protecting your workforce while they work remotely.
Improve Staff Awareness of COVID-19 scams
Cyber criminals are using the confusion and misinformation associated with the COVID-19 pandemic to their benefit. In particular, there has been a marked increase in phishing emails offering advice on coronavirus and how to combat it. One of our clients received emails, sent company-wide, pretending to be from the CEO. These emails told all employees to work from home and to find further information by clicking a safe-looking URL.
Phishing isn’t a new phenomenon; it is one of the most commonly known and used forms of cyber attack, simply because it works.
Thankfully, the success of a phishing campaign hinges on human interaction, so it can be combated through awareness. Making your staff aware of what a phishing email looks like, how to spot one, and how to report a suspected one to IT can greatly reduce the threat to your organisation.
Don’t introduce unnecessary risk
To accommodate the sudden transition to a remote workforce many IT departments had to suddenly set up and license remote access servers almost overnight.
Our advice is not to open remote access ports blindly without weighing the risks and consequences. If remote access is required, ensure the firewall is configured so that the service only responds to specific whitelisted IP addresses or ranges, rather than to the entire internet.
Now that your organisation may be looking to make this transition more permanent, we would also recommend going back and reviewing any remote access ports which may have been opened at the outset to see if these are still necessary.
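The following script is an added example, not part of the original article or any Secora Consulting tooling. It shows the kind of review described above: a small audit over a firewall ruleset that flags remote-access services (SSH, RDP, VNC, WinRM, Telnet) that are reachable from any source, or from a range outside the whitelist. The rule syntax, the whitelisted ranges (203.0.113.0/24 as the office egress range and 198.51.100.0/25 as the VPN pool) and the sample policy are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Remote management services that should only ever be reachable from trusted ranges.
REMOTE_ACCESS_PORTS = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP",
    5900: "VNC",
    5985: "WinRM",
    5986: "WinRM/TLS",
}

# Hypothetical whitelist: the office egress range and the VPN client pool (documentation ranges).
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample policy in a simplified "action proto port from source" format.
SAMPLE_RULESET = """\
# Constructed sample firewall policy (not from any real device)
allow tcp 443 from 0.0.0.0/0          # public web front end, not remote access
allow tcp 3389 from 0.0.0.0/0         # RDP opened in a hurry at the start of lockdown
allow udp 1194 from 0.0.0.0/0         # VPN gateway: must be reachable from staff homes
allow tcp 22 from 203.0.113.0/24      # SSH only from the office egress range
allow tcp 5985 from 198.51.100.0/25   # WinRM only from the VPN pool
allow tcp 22 from 192.0.2.0/24        # SSH from a range nobody recognises
deny tcp 23 from 0.0.0.0/0
"""

Rule = namedtuple("Rule", "action proto port source line")


def parse_rule(line):
    """Parse one rule of the form 'allow tcp 3389 from 0.0.0.0/0'."""
    parts = line.split()
    if len(parts) != 5 or parts[3].lower() != "from":
        raise ValueError(f"unrecognised rule: {line!r}")
    action, proto, port, _, source = parts
    return Rule(action.lower(), proto.lower(), int(port),
                ipaddress.ip_network(source, strict=False), line)


def is_permitted_source(source, allowed=ALLOWED_SOURCES):
    """True if the source network lies entirely inside one of the whitelisted ranges."""
    net = ipaddress.ip_network(source, strict=False)
    # subnet_of() raises on mixed IPv4/IPv6 comparisons, so match the version first.
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit(ruleset_text, allowed=ALLOWED_SOURCES):
    """Return (rule, reason) pairs for every allow rule exposing a remote-access port too widely."""
    findings = []
    for raw in ruleset_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        rule = parse_rule(line)
        if rule.action != "allow" or rule.port not in REMOTE_ACCESS_PORTS:
            continue
        service = REMOTE_ACCESS_PORTS[rule.port]
        if rule.source.prefixlen == 0:
            findings.append((rule.line, f"{service} open to any source"))
        elif not is_permitted_source(rule.source, allowed):
            findings.append((rule.line,
                             f"{service} allowed from {rule.source}, outside the whitelisted ranges"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULESET):
        print(f"FINDING: {reason}\n    rule: {rule}")
```

Run against the constructed sample, the audit reports two findings: the RDP rule open to the world, and the SSH rule allowed from 192.0.2.0/24, which is not a whitelisted range. The VPN gateway rule on UDP 1194 is deliberately not flagged, since the gateway itself has to be reachable from staff homes; the point is that everything behind it is restricted to the VPN pool or office range.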
Introduce a multi-factor authentication (MFA) policy
Many remote access and cloud-based solutions currently available come with multi-factor authentication features. It should be a strict policy that multi-factor authentication is enforced on any new solution you introduce and on the solutions already in place.
This additional step means a stolen or phished password alone is no longer enough for an attacker to gain access, so the people reaching your network are far more likely to be your own staff.
Ensure all employees are using an up-to-date virtual private network (VPN)
Now that you have employees sitting at home accessing the corporate network it is imperative they do this using a virtual private network (VPN).
A VPN will ensure that the connection from your employee’s device to your network is encrypted. It will help prevent unauthorised people from eavesdropping on the traffic and allow your staff to work remotely in a secure manner. Using a VPN also lets you restrict who can reach your internal services: once staff connect through the VPN, those services can be configured to accept connections only from your corporate network or VPN address range, rather than from the internet at large. This, coupled with requiring MFA on all services and devices, will significantly improve your security posture.
It is crucial that you make sure the VPN solution your organisation is using is up-to-date both on the organisation’s server or firewall and the desktop clients of your remote workforce.
Ensure all employees have endpoint protection installed
If your workforce were predominantly office-based prior to the COVID-19 outbreak then it is likely some of them worked from desktop computers.
To accommodate the sudden need for a remote workforce, we have seen two common scenarios organisations have found themselves in: either ordering a large number of laptops at short notice and having them delivered directly to employees’ homes, or allowing employees to use their personal laptops for work purposes.
In both scenarios IT departments were at a disadvantage, as they could not ensure all laptops were set up correctly. Devices may not have been built from a gold image, may not have had security tools installed, and may not have received Group Policy or other centrally managed controls and policies.
With the transition to remote working likely to last longer than planned for many, organisations should take the time to ensure that every employee has endpoint protection installed on the device they are working on. If possible, organisations should ensure all staff now have a company-issued device and are not using personal devices. This gives the organisation more control over the device and ultimately the ability to reduce its exposure to risk. We recommend implementing a policy that requires all laptops to be built from corporate gold images, to have endpoint protection in place, and to be fully aligned with company policies.
Review software before installing
To allow employees to work effectively in a remote world, you may find your organisation is introducing several new software applications.
It is crucial that you do your due diligence before introducing any software to your infrastructure. As highlighted with Zoom, the sudden need to operate remotely can put an organisation at risk if it does not do its due diligence on the software it adopts.
We recommend making a list of what tasks you need a software application for and then have your IT department compare each offering taking security and remote working into consideration.
Ensure that any policies and procedures you have in place around computer use or security are adequately updated to cover the new home office environment as well as any changes to your office. Take into consideration GDPR especially around new technologies which you’re using to store data.
Update any policies and procedures to include remote working. The home office should be viewed as an extension of your organisation’s office and your policies should state this to ensure employees are using corporate devices and accessing corporate information correctly and safely while working remotely.
How Secora Consulting can help
If you are looking for guidance on how to secure your remote workforce or want to understand what vulnerabilities are present or were introduced into your infrastructure due to the transition, we are here to help.
We offer a wide range of services which are tailored to your requirements. We can help you prepare for the worst-case scenario by simulating threats to your organisation via each service line.
Partner with us to ensure your organisation stays secure as you prepare to live with COVID-19.
- Validate your current security controls
- Understand risks based on their exploitability and impact
- Receive expert and effective advice to immediately improve your cyber security posture.
All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.
We have arranged our services into four groups based on the objective of the tests.