Cobalt Crowdsourced Application PentestCobalt Crowdsourced Application PentestCobalt Crowdsourced Application Pentest

<
Back to Main

Adapting Security Processes to a Remote Model

Cobalt
May 26, 2020

Although a pandemic has reshuffled millions of workers from their offices to their kitchen tables, at least temporarily, the number of remote workers has increased 91 percent over the last 10 years. As organizations see how working offsite can offer more efficiency and cost savings, it is likely that as businesses begin to open up and restrictions are lifted, a sizable portion of the workforce will continue to work from home. Companies like Twitter and Square have already announced that employees may choose to work from home forever.

This change in workforce location will require a new look at organizational security systems, as security teams must adapt processes and programs to provide the same levels of protections for data when more employees permanently access the network from different locations.

During the recent “Adapting Security Processes and Programs for a Shift to Virtual Part 1,” a panel of four industry professionals including Adam Surak, Darshan Dodia, Felipe Coe, and Helen Rabe discussed tips on how to meet the security challenges for the work from home (WFH) workforce.

Based on their discussion, here are the eight areas for security leaders to think about when catering to WFH:

1. Protecting Intellectual Property

Right now, research surrounding Covid-19 is as valuable as gold to both researchers and cybercriminals alike. Now more than ever it’s important for that information to stay in the right hands. As one example, Rabe and her team at Abcam are working on a portal focusing on human genetic sequencing, and they’ve started allowing access to specific researchers during the pandemic. To be able to do this securely, the company has done strict vetting of those requesting access, created a portal structure that is securely accessed, and conducted pentesting.

It’s important to understand how and where you store valuable intellectual property and shoring up defenses around the data. One level of protection is to do a thorough vetting of anyone who requests access. Another level of access to work with an enterprise solution provider who can collaborate with your company to offer secure storage and can handle access controls.

2. Safeguarding Access

Many of our tools and systems were not designed with remote work arrangements in mind. There has to be thought given to protecting the Operational Technology (OT) side during this time of work from home, said Dodia. “We have nuclear sites where we create energy, and the resource assets can’t be taken home,” he stated. Someone needs to be there, in person, to operate and maintain the system in case there is a failure. The person who is onsite must be able to authenticate himself and needs to be vetted by security protocols.”

Another concern in these very specific times are the lockdowns, where only essential persons are allowed to physically go to a job site. But here is where the authentication process can be a challenge. At one site, Dodia explained, if they had a worker test positive for Covid-19, that individual couldn’t come to work. Their replacement would need to be authenticated to be at the location and given proper security tokens and access into the system. Dodia says it’s a long process, but you have to go through proper procedures to ensure security of the facility and systems.

3. Shifting Security to the Home

Pandemics aren’t the only reason work suddenly shifts from the office to the home. Emergencies like severe weather, fires, and power outages may also force employees to stay home. Have a plan in place that spells out security processes with regards to taking devices home and accessing sensitive data remotely readily available to every employee (i.e. in Google Drive or an Intranet). Work devices should have all security and software updates installed, and contingency plans should be put in place for those who have unreliable internet connections.

4. Off/Onboarding

When a person is leaving the organization, there are steps you should take to properly offboard the employee such as collecting keys, badges, laptops, and VPNs and shutting down network access. But how do you do that if the whole company is asked to work offsite, or in the case of a quarantine, you can’t be in physical contact? In this case, you may have to sacrifice the hardware temporarily and cut off the access remotely. The items can be returned when workers are back in the office to reduce the risk of theft.

When onboarding new employees remotely, the steps are similar but in reverse. Provide limited access to the company portal for training and limit or prohibit access to sensitive areas to the network until their secure, approved devices arrive.

5. Meeting Compliance Requirements

As employees work remotely all across the world, data is going to be moving around, but your systems and data protection efforts must continue to meet compliance regulations. Now more than ever, it is necessary to have boundaries surrounding data. Are you okay with the vendor hosting the data? Are you comfortable with the country where the data is stored? Your data compliance needs to be well defined in order to meet those regulations.

6. Maintaining Business Continuity

With services like Office 365 and G Suite, it would seem like everybody working remotely would have easy access, but one thing you may find is that your work from home employees want to access fewer used services, like an intranet. But there are only so many software licenses to be used. For secure business continuity, determine what people need to access and what the best way to access that information is. For many, Office 365 and G Suite is enough, but others need to have access to more sensitive data. By giving employees the right access authentication, you maintain business continuity and security.

7. Limiting At-Home Assets

Not all data and not all infrastructure is created equally. Not everything used and accessed at the office should be used and accessed at home. Data should be properly classified to make sure it isn’t removed and given higher security protections.

8. Managing Expectations

Remote security looks different than onsite security, and you might make mistakes as you adjust. The work from home effort is unlikely to end, so security professionals need to sit down and look at how they can continue to optimize moving forward. This may be the best test of a continuity plan that any company may ever have, and it will show how security fits into business continuity from an operational standpoint.

The reason companies do security is to keep the business in business. Sometimes that requires fast decisions or decisions that must be made with deeper research. But to keep the business running, security has to adapt to the situation, and that has never been more clear than now, as millions of companies have shifted from an onsite workforce to a virtual one.

Learn more about pentesting and how it can help strengthen your overall security posture.