Working from home, what about security?

Is Your Remote Workforce Secure?

COVID-19 has forced most companies to have their people work from home. In the rush to get users set up with remote access to the corporate network, security can be seen as secondary, as business continuity takes priority in a crisis. Now that we are settled into our new norm, it is time to ensure people and data are secure.

Security threats are at an all-time high due to the pandemic. The bad guys know that the world’s workforce has been abruptly displaced to their homes, where they may be using less secure devices and network routers to connect to corporate information and systems. Our trusted and tested security perimeter has changed, and so security may have been reduced accordingly. Think of it this way – security threats are multiplying faster than COVID-19 is spreading!

Unfortunately, the bad guys know this and see it as an opportunity to profit. It’s the Wild West out there right now and a new generation of bushrangers is upon us. With defences compromised, hackers are profiting through intellectual property theft and by ransoming companies that have not put the proper security measures in place. The good news is that all is not lost, and it is not too late. There are some simple steps to take – but take them now.

Don’t allow your people to use their personal devices to connect to your corporate network unless you have some control over the level of security they have in place. There is a risk that these devices are unpatched, insecure, shared with other family members, and possibly already compromised. Issuing company laptops with corporate security controls in place is recommended, but for commercial reasons that may not be practical. Using a security and governance management tool like Microsoft Intune and having staff enrol their home devices is the right thing to do. This BYOD method can be achieved via Modern Application Management (MAM), which manages just the corporate data, and Cloud App Security (CAS), which manages how the data is manipulated on an untrusted device/application. However, this will also require a simple policy document to be created so your people have confidence and know what you will or won’t do with the control you will have over their device.

Implementing multi-factor authentication (MFA) is also a great idea to make sure that whoever is trying to access your systems knows something (username, password) and has something (i.e. their mobile phone with Microsoft Authenticator installed and configured). This is easy for people and quite unobtrusive, yet makes a massive difference to security.

Consider implementing an information protection tool like Azure Information Protection. This helps when people send company emails or files to non-company-controlled locations. Imagine if someone on the sales team emails a confidential file to their personal Gmail or drops it into Dropbox. The second your company data touches these non-company-controlled locations, you will never really be able to completely control it again. At that point, there is no putting the genie back in the bottle. The only way to protect access is to control it at its source. This type of access control means that the “control” lives with the document, so if it does get sent on Gmail or opened from Dropbox it is useless and can’t be viewed or edited.

Make sure your people are connecting into your company network via an encrypted virtual private network (VPN). For on-premises systems, Microsoft Always On VPN (AoVPN) is a great tool that can be relatively simple to configure. AoVPN provides secure and transparent access to systems from anywhere your people have internet access.

Train your people how to spot and report phishing attempts. COVID-19 scams and fake alerts are rampant and tempting in these uncertain times. Security awareness training solutions like Brainstorm’s QuickHelp are highly recommended, not just during this pandemic. They can be used for application training as well.

Configuring cloud services can be challenging, particularly with how fast tools like Microsoft 365 are evolving. Generation-e’s Cloud Security Review takes a thorough look at your current state and makes recommendations to bring you in line with Microsoft best practices. Generation-e also has a Teams Governance Assessment to make sure your information is protected. If you need help, reach out.

Valentina Lazarevska

ICT Change Strategist I Project Recovery I Enterprise Stakeholder Engagement I 90%+ Adoption Rates I Neuroscience Based Change Strategist I Corporate, Government and NGO experience I AI Enthusiast I Salesforce

4 years ago

Working without cyber security protection is like walking onto an active construction site without personal protective equipment. Timely article given what just happened with Zoom.
