Amidst the COVID-19 pandemic, many organisations and people may be feeling anxious about the next few months, we hope to help remove a small portion of this anxiety by providing easy to follow practical steps that organisations and people can take from. We want you to secure your employees while they work from home.
We are going to focus on organisations in this first blog, next week we will focus on the end-user.
It is unlikely that everyone will be able to do everything mentioned in this blog, at least not immediately. The one action almost all organisations can do is security education and awareness, getting this right will likely have the biggest impact in the short term.
With a big change in business operations - like the introduction of home working - it is important to consider changes to the threat landscape. Review your current risks and consider any new risks. An example may be the risk of a DDOS attack against your VPN increasing due to a higher impact if successful. Understanding your new threat landscape will help prioritise your next steps.
Most organisations will be advising employees to work from home where possible, a common way they would facilitate this is through a virtual private network (VPN). When organisations deploy a VPN, they will try and plan network capacity, they typically do this by making assumptions on demand. You must monitor your current utilisation against current capacity and make plans to increase capacity if required. This may include increasing your license if required.
Using Two-Factor Authentication (2FA) can help reduce the risk of password theft or guessing attack. 2FA is the best practice for remote workers connecting into your network or using cloud services, ensure 2FA is enabled on your VPN and all cloud services that support it. This may mean stocking up on physical tokens, or if you provide mobile phones or have a BYOD policy, having users install an app.
There have already been several news articles about bad guys using COVID-19 in phishing campaigns. This raises a difficult question, do you include COVID-19 templates in your internal phishing campaigns? Savanti would say no, it is likely your user base is already stressed and currently being bombarded with COVID-19 news. Sending internal phishing emails relating to COVID-19 could have a negative effect. Instead, provide clear guidance on phishing including common ways to spot phishing emails. Highlight that bad guys are using COVID-19 as a scare tactic.
You should also be looking to your technical controls, if you have DMARC set up it may be a time to review your DMARC policies and considering setting it to BLOCK. If you do not currently have DMARC, have a look HERE also consider the NCSC insight. DMARC should not be considered a silver bullet and is only one part of layered phishing defence.
For many people, this is a huge period of unknown, they’ll be worried about family, health and the economy, to top it off this may be the first time they have worked from home.
Identify your organisation's priorities. A good place to start is the following three area’s:
1. Social engineering
2. Strong password (using a password manager)
3. Keeping systems updated
Having a 'Security Home Working Top-10' is a good way to provide clear easy to digest advice for people working from home, you can customise it to be specific to your organisation.
If remote working isn’t something you as an organisation are used to, it may mean having to quickly provision several new SaaS productivity and collaboration services, providing clear How-To’s that include security best practice will be key to ensure secure productivity.
Remote workers are more likely to lose or have their laptops stolen, it’s important to be able to remotely manage and wipe the device if necessary. Depending on your existing controls it may be worthwhile looking into mobile device management software.
Ensure laptops have disk encryption enabled, provide guidance to end users on how to keep their laptops up-to-date, this may involve enabling Auto-Updates built into most operating systems.