Security & Gap Analysis – Remote Working & BCP Next Steps
Hopefully you are all now well established in the pattern of everyone in your company working from home, although some of you may still be deploying additional infrastructure to support this, particularly if most of your infrastructure is still on-premises. However, even those of you who are fully leveraging Cloud services need to move to a second phase now that your people are at home and working successfully. You have invoked your business continuity plan and got over the initial problems, but there is still work to do to protect your company. In order of priority we have:
1. Security
You can run as normally as possible in the current situation, but could you cope with a major security breach or outage on top of everything else right now? You can reduce the chance of that happening by checking the following:
a. Phishing readiness and training. We are seeing a massive increase in COVID-19 related phishing and telephony-based scam attempts right now. If your colleagues are working from home, they cannot simply ask the person next to them for advice on a suspicious call or email, and are much more likely to fall for these sorts of scams. Now is not the time to deprioritise security training or loosen security measures. Implement this simple action plan:
- Send out an email or have a call with everyone, explaining that there is a large increase in these sorts of attacks, and everyone needs to be wary of all unsolicited approaches. There are some good examples here, https://www.gov.uk/government/publications/phishing-and-bogus-emails-hm-revenue-and-customs-examples/phishing-emails-and-bogus-contact-hm-revenue-and-customs-examples and here https://fullfact.org/online/coronavirus-phishing-scam
- Maintain your current anti-phishing campaign or if you don’t have one, get one.
- Discuss the risks openly in any town hall or open meetings you are having with staff to keep awareness raised.
b. Authentication and identity management. We are seeing an increased number of attempts to log on to Cloud services using email address and password combinations taken from previous breaches such as LinkedIn, Adobe etc. (so-called credential stuffing). Protect your company by:
- Implementing Multi Factor Authentication (MFA or 2FA etc). There is no excuse for not having some sort of MFA in place: if you only have usernames and passwords then you will be breached, it is just a matter of time. MFA via text/SMS message is pretty rubbish (codes can be intercepted and phone numbers SIM-swapped), but it is still far better than nothing. Use an authenticator app such as Microsoft Authenticator or SecurID if your infrastructure and apps support it natively.
- Raising awareness and ensuring that all users, regardless of seniority, have strong passwords and do not reuse their work passwords anywhere else.
- Not deferring your regular password audits if you already have them carried out; if you don't have this, find a trusted provider to do it for you.
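As an added example (not part of the original post), here is a PowerShell function that triages an Azure AD sign-in log export for the pattern described above: one source address working through many different accounts with breached credentials. The records are constructed to mimic the fields of a sign-in export (`createdDateTime`, `userPrincipalName`, `ipAddress` and the status error code); the function name and the sample data are mine. The error-code meanings are Azure AD's: 50126 is a wrong password, while 50074 and 50076 mean the password was accepted and the sign-in was only interrupted for MFA, which is exactly the case where a reused breached password has been found and must be reset.

```powershell
# Added example, not from the original post: triage an Azure AD sign-in log export for
# credential stuffing (one source IP working through many different accounts).
# The records below are CONSTRUCTED to mimic an export's fields; load your own export
# with Import-Csv / ConvertFrom-Json and pass it to Find-CredentialStuffing instead.
$signIns = @(
    # Attacker at 203.0.113.10 trying breached email/password pairs against four staff
    [pscustomobject]@{ createdDateTime = '2020-04-06T02:01:10Z'; userPrincipalName = 'alice@example.com'; ipAddress = '203.0.113.10'; errorCode = 50126 }
    [pscustomobject]@{ createdDateTime = '2020-04-06T02:01:12Z'; userPrincipalName = 'bob@example.com';   ipAddress = '203.0.113.10'; errorCode = 50126 }
    [pscustomobject]@{ createdDateTime = '2020-04-06T02:01:15Z'; userPrincipalName = 'carol@example.com'; ipAddress = '203.0.113.10'; errorCode = 50076 }
    [pscustomobject]@{ createdDateTime = '2020-04-06T02:01:19Z'; userPrincipalName = 'dave@example.com';  ipAddress = '203.0.113.10'; errorCode = 50126 }
    # Alice at home: one mistyped password, then a successful sign-in
    [pscustomobject]@{ createdDateTime = '2020-04-06T08:30:02Z'; userPrincipalName = 'alice@example.com'; ipAddress = '198.51.100.7'; errorCode = 50126 }
    [pscustomobject]@{ createdDateTime = '2020-04-06T08:30:40Z'; userPrincipalName = 'alice@example.com'; ipAddress = '198.51.100.7'; errorCode = 0 }
)

function Find-CredentialStuffing {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        # Distinct accounts one IP must touch before it is reported. Tune this: a whole
        # office behind one NAT address generates genuine typos from many users.
        [int] $MinDistinctUsers = 5
    )
    # Azure AD sign-in error codes used here:
    #   0      success
    #   50126  invalid username or password (the guess was wrong)
    #   50074  first factor accepted, sign-in interrupted for MFA
    #   50076  first factor accepted, MFA required (new location / config change)
    # 50074 or 50076 from a stuffing source means that user's password IS the breached one.
    $passwordAccepted = @(50074, 50076)

    $SignIns |
        Where-Object { $_.errorCode -ne 0 } |
        Group-Object -Property ipAddress |
        ForEach-Object {
            $events  = @($_.Group)
            $targets = @($events.userPrincipalName | Sort-Object -Unique)
            if ($targets.Count -ge $MinDistinctUsers) {
                $times = @($events.createdDateTime | Sort-Object)
                [pscustomobject]@{
                    SourceIp             = $_.Name
                    Attempts             = $events.Count
                    DistinctUsers        = $targets.Count
                    FirstSeen            = $times[0]
                    LastSeen             = $times[-1]
                    # Reset these passwords now and check the accounts for new inbox rules
                    CompromisedPasswords = @($events |
                        Where-Object { $passwordAccepted -contains $_.errorCode } |
                        Select-Object -ExpandProperty userPrincipalName -Unique)
                }
            }
        }
}

# Report every source address that touched at least three distinct accounts
$suspects = Find-CredentialStuffing -SignIns $signIns -MinDistinctUsers 3
$suspects | Format-Table SourceIp, Attempts, DistinctUsers, FirstSeen, LastSeen, CompromisedPasswords -AutoSize
```

The `CompromisedPasswords` column is the one to act on first: those users' passwords were correct and only MFA (or the lack of a second factor, if you have not yet enabled it) stood between the attacker and the mailbox. Reset them, then review those accounts for inbox rules and new MFA registrations.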
c. Data leakage. In a bid to make home working as frictionless as possible you may have relaxed some rules that you normally wouldn’t, and this exposes you to a whole range of data leakage issues such as:
- People auto-forwarding work email to personal email accounts such as Gmail etc. This is problematic as it will almost certainly take the mail out of the UK/European jurisdiction and exposes the data to whatever (usually poor) password and authentication controls they have on their personal mail. We have seen clients have to notify the ICO in cases where users had set up such rules, although the sanctions vary hugely depending on how many people and what personal data is in each mail. Even the analysis of this can be time consuming and costly. Block all auto-forwarding of company mail at the tenant level rather than relying on users, audit the forwarding rules that already exist (a forwarding rule quietly created on a phished account is also a classic way for an attacker to keep reading mail after the password has been changed), and let your colleagues know why this is unacceptable.
- The same applies to personal file sharing accounts and video conferencing solutions. What makes a great solution for weekly conversations with Granny may not be great for discussing a client's merger when the whole call is being transcribed and stored overseas! Let your colleagues know why this is and make sure you have an acceptable company solution.
- Home workers being able to save documents to their local, personally owned computer. Corporate Office 365 and G Suite can be incredibly enabling tools, but if not controlled correctly you may end up with company and personal sensitive data on employees' computers that may never be disposed of correctly. NCC carried out a survey of randomly bought second-hand devices on eBay a few years ago and found that one in ten of them contained data that would result in companies or individuals being fined or scammed. You have three options here:
- 1. Give all users a secured corporate laptop or PC, or provide a hosted virtual desktop, and at the same time block non-corporate PCs and Macs from being able to download and work on files locally (in Office 365 this is a Conditional Access policy plus the SharePoint/OneDrive limited-access setting, so that unmanaged devices get browser-only access). Mobile devices such as iPhones, iPads, Android phones and Android tablets can be controlled via Mobile Application Management and are much less of a risk.
- 2. Provide users with web-only applications and block all local saving of files. This works better for reading documents and spreadsheets than for creating or making major edits to them, as the web versions of the apps are usually a bit more limited.
- 3. Give users clear instructions on what you expect them to save and never to save locally, and on which devices they may do it (no shared devices, for example), and make them sign up to a disposal and deletion agreement covering their own personal computing devices. This is very tricky to enforce, and users should follow this advice from the ICO https://ico.org.uk/your-data-matters/online/deleting-your-data-from-computers-laptops-and-other-devices
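For the auto-forwarding item above, this is the Exchange Online PowerShell a practitioner would run to find the forwarding that already exists and then switch it off for the whole tenant. It is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module and an Exchange administrator account, and the cmdlets and parameters are the standard Exchange Online ones.

```powershell
# Added example, not from the original post: audit and then block mail auto-forwarding in
# Exchange Online. Needs the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# 1. Mailbox-level forwarding (set by an admin, or by an attacker with admin rights).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. User-created inbox rules that forward or redirect mail. These are also how an
#    attacker keeps reading a phished mailbox, so treat forwarding combined with
#    DeleteMessage in the same rule as a red flag. This loop is slow on large tenants:
#    run it once for the baseline, then rely on the audit log (step 4) for new rules.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# 3. Block automatic forwarding to external domains for the whole tenant. The outbound
#    spam policy setting covers inbox rules and mailbox-level forwarding; the remote
#    domain setting additionally stops Outlook's client-side auto-forward. Set both.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. Going forward, watch the unified audit log for new or changed rules and forwarding.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations
```

If a partner domain genuinely needs forwarding, do not loosen the default: create a remote domain for that one domain with `New-RemoteDomain` and enable auto-forwarding on it alone, so the block stays in place for everything else (Gmail included).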
d. Malware and virus prevention. If you think that a Business Continuity event is hard, combine it with a ransomware (crypto-locking malware) outbreak or major virus challenge at the same time. On one hand, you have fewer issues with it spreading from desktop to desktop; on the other hand, right now you are more reliant on your back-end systems than ever. Protect yourself against the following:
- VPN connections from users' domestic machines. This is one of the most dangerous situations an organisation can encounter, as you have untrusted and insecure personal machines connected directly to your internal network for long periods of time. Combine that with the fact that domestic PCs are often also used by other family members and you have the perfect environment for malware transmission. Over 50% of the malware we encountered in legal firms last year came in via this route.
- The only acceptable options are to allow only corporate PCs to VPN in, or to have a VPN solution that thoroughly checks the health of each connecting machine (patch level, endpoint protection running, disk encryption on) before granting it access. Bear in mind that even this doesn't control the data leakage issues mentioned above. Finally, don't kid yourself that Mac users or even Linux users are somehow safer. Windows is the largest target for malware because of the size of its install base, but we have increasingly been seeing Macs acting as "symptomless carriers" of malware into corporate networks.
- Remote desktop solutions that allow local disk access. Virtual desktops accessed from home are one of the most secure solutions for remote access if set up correctly, but if the session can see the local drives on the user's home machine (or its clipboard and printers are redirected into the session) then you have reopened both the malware route and the data leakage route described above, since files can move in either direction.
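As an added example (not from the original post), the following PowerShell checks, and can enforce, the Remote Desktop Services redirection policies on a Windows session host so that a virtual desktop cannot see the user's home drives, clipboard or printers. The registry values are the ones written by the Group Policy settings under Remote Desktop Session Host > Device and Resource Redirection; the function names are mine.

```powershell
# Added example, not from the original post: check and optionally enforce the RDS
# device-redirection policies on a session host. Run elevated on the host itself.
# These are the same registry values the corresponding Group Policy settings write,
# so in production you would normally push them as a GPO to the session-host OU.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$redirectionPolicies = @{
    fDisableCdm  = 'drive redirection (home-machine disks appear inside the session)'
    fDisableClip = 'clipboard redirection (copy/paste of files and text in or out)'
    fDisableCpm  = 'client printer redirection (print-to-PDF on the home machine is a leak path too)'
}

function Get-RdsRedirectionStatus {
    foreach ($name in $redirectionPolicies.Keys) {
        # Get-ItemProperty returns nothing if the key or value is absent, which means
        # the policy is not set and the redirection is therefore permitted.
        $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy   = $name
            Controls = $redirectionPolicies[$name]
            # 1 = "Do not allow ..." enforced; anything else means the redirection is allowed
            Blocked  = ($value -eq 1)
        }
    }
}

function Set-RdsRedirectionBlocked {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($name in $redirectionPolicies.Keys) {
        New-ItemProperty -Path $policyKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Get-RdsRedirectionStatus | Format-Table Policy, Blocked, Controls -AutoSize
# Uncomment to enforce on this host; existing sessions pick it up at their next logon.
# Set-RdsRedirectionBlocked
```

On a Windows Virtual Desktop host pool the same restriction can be applied centrally with `Update-AzWvdHostPool -ResourceGroupName <rg> -Name <pool> -CustomRdpProperty "drivestoredirect:s:;redirectclipboard:i:0;redirectprinters:i:0"` (resource group and pool name are placeholders); the host-level policy above then acts as a backstop if someone later loosens the pool setting.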
2. Gap analysis
OK, so now you have all of your users working from home, it will probably become apparent that there are one or two gaps between what your users need now and what they have. If you don't explain how you are going to fill them, the users will adopt their own solutions and all your good work on security goes out the window!
Start with the following:
a. Telephony. Hopefully you have a cloud PBX or hosted telephony solution of some sort and your users are now using a softphone as though they were back in the office. If your plan involved redirecting on-premises desk phones to mobiles, then you are no doubt experiencing some of the limitations of that, such as the lack of hunt groups. You may wish to add a small population of cloud PBX users for the affected groups and divert from on-prem to that rather than to mobile handsets. Without wanting to look like I'm pushing any particular solution, Microsoft 365 Business Voice can be enabled on a per user, per month basis by a Microsoft Cloud Solutions Provider (CSP) such as ourselves. The advantage of this is that you can cancel it the moment it is no longer required.
b. Video and Audio Conferencing. Depending on who we are speaking to or who has arranged the meeting, I'm spending a lot of time in either Zoom or Teams right now. Both are great, both are sometimes patchy depending on demand, and it doesn't much matter which one you pick so long as you integrate it with Microsoft Azure AD and Multi Factor Authentication. That said, if you already have Teams licences, why would you pay for Zoom as well? The Office integration is also smoother in the long term, as Microsoft keep the products in lock step.
c. File sharing. Again, you should probably already have something in place for this, such as OneDrive for Business or corporately managed Dropbox. The common theme to all of this is that you need to be in control of the data and the authentication: MFA needs to be enforced and your data needs to be in the EU for now, not the US. You also need to make sure that your data isn't being shared with people outside of your company without your knowledge, so check the external sharing settings and review who files have actually been shared with. The one thing that you can't allow is users picking their own solution just because they feel like it. Shadow IT is understandable when there are major gaps in your internal capability, but users picking their own products because they prefer them presents dangers to the company that they won't have thought through.
d. Desktop access and secondary apps. Sometimes you have legacy applications that really don't work well over a wide area network and don't work at all over a VPN. This is very common in legal and some finance environments, and is generally due to older, niche applications not being architected in a way that has kept up with the rest of IT. Your BCP might have deemed these apps non-essential because you can go for several days or even weeks without accessing them, but in the current situation it is apparent that a solution is needed. I'm hoping that I don't need to say that simply publishing the Remote Desktop Protocol directly to the Internet or, even worse, allowing VNC access direct to users' desktops is wildly irresponsible? Exposed RDP and VNC are scanned for constantly, brute-forced with the same breached credentials mentioned earlier and hit with exploits for unpatched flaws, and they are one of the most common ways ransomware gets into a network. This is tantamount to leaving a keyboard, mouse and monitor nailed to the outside of your office building!
There are a number of solutions that can be rapidly deployed here, but they all need a bit of planning. The desktop virtualisation products from Citrix are the very best way of delivering a great and secure experience to users and can be deployed on-premises, in the cloud or across both. However, there is a reasonable amount of complexity in doing so, and unfortunately Citrix's pricing model doesn't work for short-term scenarios. Allowing remote control of PCs sitting in the empty office can be a solution, but it needs to be under corporate control and integrated with MFA. Users deploying their own GoToMyPC is bad; a corporate deployment of GoToMyPC can be a good solution with a bit of planning. We've been deploying Microsoft Windows Virtual Desktop (WVD) across several of our customers to give secure access to internal desktop PCs, legacy apps and full virtual desktops, and it's a brilliant technology that can be implemented securely and in a few days depending on your current network readiness. Because the session hosts make outbound connections to the WVD service rather than accepting inbound ones, you don't open any inbound ports on your firewall, and every connection is gated by Azure AD and whatever Conditional Access and MFA policies you apply there.
As ever, this isn’t a complete list and there will always be company specific pain points to deal with. Hopefully this has given some of you some food for thought and ideas for staying ahead of the game in this challenging time. As always feel free to get in touch for a general discussion on any of this or to talk over any of the specifics.