Remote Workers & Cyber Security
With the fast pace of the current COVID-19 changes impacting all our lives, the main thing we need to focus on is most certainly people and their safety. They are always the most important consideration. But what about some of the other considerations...
Remote workers and people working from home pose some unique cyber risks for business that need to be addressed from the outset. The actual technical ability for your office staff to work remotely may not be that hard to achieve. A device-to-site VPN (not a VPN like you use for watching Netflix from the US; they're completely different and not useful in this case) may be useful for businesses with on-premises infrastructure. Alternatively, many businesses will already have some level of decentralised cloud architecture and SaaS (Software as a Service) apps that users can access remotely. Or maybe it's a combination of these and IaaS for your business.
But these pose many risks you need to address to ensure your data stays safe, and so you know who is accessing it. For example, do you know what sort of equipment is being used to access your critical business data? Is it outdated and therefore more vulnerable (e.g. Windows XP or Windows 7)? Does it get regularly patched and updated for vulnerabilities? Many home PCs and devices are heavily infected with malware due to much lower protection levels than those at the office. Or even if their environment is squeaky clean, what about IAM (Identity and Access Management)? How do you know who is accessing your data?
These issues may well pose an unacceptable risk to your business data. Imagine for a moment if a person called your tech support line claiming to be Steven from sales, and he was having trouble accessing the data he needed from his remote workplace. Imagine if this was a malicious third party! These types of risks need to be addressed before you find your business on the wrong end of a security incident.
So what can be done to mitigate these risks? This is going to vary widely from business to business. Every business is different of course. But here are some general guidelines for SMEs or small businesses to consider before things get out of hand...
Don't do this...
It's often tempting for scrambling IT departments to just get a quick solution out the door when being pressed by senior management. Please instruct your IT department or teams to take a careful and measured approach. Simply opening up RDP (Remote Desktop Protocol, even on a non-standard port) to the world on your corporate firewall to allow remote users access is a strategy doomed to disaster for your business. This is a very commonly exploited security hole.
If you're going to use RDP (which can be a good strategy depending on your setup), make sure that users authenticate either over a corporate VPN or at least from a predetermined static IP prior to authenticating over RDP. And as always, multi-factor authentication is the preferred solution for authentication.
Scams
Unfortunately scams and malicious websites (we call them watering holes) are surging at the moment. At the best of times, scammers and phishing emails abound. They play on people's fears to get them to click on malicious links. With the current levels of FUD (fear, uncertainty and doubt) in the media and community, the scammers and phishers have gone into overdrive in a big way. Everyone from criminals to nation states is getting in on the act, unfortunately.
[Update:] Scams and phishing are massively increasing as this event unfolds. It is imperative to instruct all your staff to be hyper vigilant about ...
- what sites they go to,
- what links they click on,
- and what attachments get opened.
This applies no matter where the link or attachment is, whether on social media or in email.
If in doubt, DON'T OPEN OR CLICK
We HIGHLY recommend having a link and attachment sanitising solution in place for all your users. For O365, consider ATP with properly configured Safe Links and Safe Attachments as a bare minimum. GSuite has some good options also.
If users are prompted to enter credentials after clicking a link, it is highly likely to be a scam that could compromise your email system. By then it is possibly too late. Users need training in understanding the risks associated with links and attachments.
Multi-factor authentication (MFA, or 2FA or 2SV as some call it) is also now more important than ever. Talk to your security experts about the best way to implement this without disruption for your staff.
As a bare minimum, have your staff well versed in reporting ANYTHING at all suspicious to your security teams.
Many malicious sites are springing up. Some carry legitimate information, some misleading or false information, and many host malware. Clicking on unknown links is now more dangerous than ever. This malware can compromise the computer and could result in ransomware or another malicious payload.
https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-malware/
Advise your staff to be hyper vigilant regarding links in social media or email. If you don't know what the site really is, and don't know how to find out, don't click on it. Advise them to rely only on Government sites (their domains end in .gov.au/), reputable news sites (they end in things like .abc.net.au/ etc.), or World Health Organisation sites (they end in who.int/) to get information on the coronavirus. Other sites may possibly be infected. If you have no way to tell for yourself, it is better to be safe than sorry.
BTW, if you don't already know, the domain is the first part of the URL after the https:// and before the next /.
Password Security
User password security is highly critical at the moment. It always is, but even more so currently. Rather than repeat myself, check out this post on password security for your business.
https://www.bisecure.com.au/password-security
GRC
Governance, Risk and Compliance. Cyber is not an IT issue. It never has been. It never will be. It is first and foremost a business risk issue. It needs to be handled by the business's senior management as a whole. Departments like HR, Legal, Training, Sales and Marketing play a role just as important in protecting your business as the IT department does.
Hence, to mitigate the cyber security risks you need a senior management approach. Typically this will involve a GRC framework. An ISMS (Information Security Management System) will form a large part of this. If you're not familiar with this, think of it like any other management system you may have in place (e.g. ISO 9001, 14001 etc.), but specific to cyber security. It is where the security starts from and it is where you can begin to address the risks.
It also doesn't have to be an ISO standard (in this case the relevant standard is ISO/IEC 27001). There are other excellent frameworks out there that may suit your business best (e.g. NIST SP 800-53 or the ASD ISM).
The point is, your business needs to have an excellent policy framework in place so users know up front what is acceptable and what is not for remote workers. If your business is not at this point yet, and you need to react quickly, make sure you at least have a clear set of guidelines that your remote users know and understand before sending them all to work from home: what they are, and aren't, permitted to do whilst working from home.
If you're unsure what this should look like for your business, contact your cyber security team to find out what is best for your business. If you don't have an existing cyber security team in your corner, feel free to reach out to discuss what may be appropriate for your business.
Communications
If you have remote workers, the integrity of your communications becomes far more critical, particularly ensuring that communications stay private. It's one thing to lean over a cubicle to ask a question of a colleague; it's another to be communicating only through electronic means.
Pick up the phone at every opportunity and communicate, communicate, communicate with your team. Don't let your staff or team members feel isolated.
Consider using video chat much more extensively, particularly for sensitive subjects. Even simply mandating a daily video huddle would be a good start. Maybe even a policy that prescribes that topics involving certain subjects (money transfers, staff, IP topics etc.) must only be discussed over bidirectional video chat, where both parties can see each other. We use and recommend both Zoom and Microsoft Teams (if properly administered).
Products like Signal, Slack, Teams, Asana and Hangouts can also greatly improve productivity for remote teams. But again they need to be properly administered to ensure compliance with your policies and with regulation. (BTW WhatsApp and FB Messenger are not recommended at all.)
Do be careful of app sprawl though. Now is not the time for you to onboard a whole heap of new apps for your team unless essential. Get your team settled working remotely and, when it is all going okay, carefully consider whether more tools are needed to support them. App sprawl is a common reason for data breaches.
Speak to your trusted technical advisors about which ones will work best for your business. But please make sure they are administered properly by professionals who know how to manage them correctly. Misconfiguration is also a frequent cause of data breaches.
Rarely a day goes by where we don't at least hear of another business that has had their email "hacked". Usually though, it isn't hacked per se. It's just that a malicious third party has obtained the credentials to an account through one means or another. This can pose an even greater threat when you are relying on email for communications within your remote workforce.
Once a criminal or malicious third party has access to your email system, it is a) more difficult to fully evict them than many people think (simply changing passwords is not sufficient), and b) they often have access for a long time and do considerable damage before anyone realises that it is happening.
Ask your tech team to ensure there is a link sanitising solution on your email. We use and recommend Microsoft ATP (Advanced Threat Protection) with Safe Links for our clients with Office 365. There are other good ones out there though.
Make sure part of your policy framework directs users to confirm critical topics, like money transfers, invoice payments or other more sensitive matters, by a number of means. Unfortunately we see people being defrauded by malicious third parties in their email systems on a daily basis. Don't be one of them.
It is vital that you have a very solid email infrastructure. Both Microsoft and Google offer great products, but out of the box they are very insecure. You need to do quite a bit to secure them properly. MFA, ATP, AAD P2, SPF, DKIM, DMARC; the boring acronyms roll on and on, but they are essential to make your email secure and trustworthy. If you don't know what they mean, speak to a trusted professional who understands them all, what they do, and why they're essential to a secure email system.
Computer Security
It's always best if users take work laptops or devices if they're to work away from the office. This resolves a lot of issues straight out of the gate, as the devices should have MDM (mobile device management) already installed. But this may not be feasible in the rapidly changing environment we currently live in.
A number of aspects of computer security need to be considered for remote workers using their own devices. For example, your work environment most likely has a reasonably extensive IAM (Identity and Access Management) system: how you identify users and grant them access to certain company resources. But on a home device this may not work as well. In addition, some users may be tempted to "share" credentials in an effort to get things done in the easiest manner. This can create a lot of problems for your data integrity.
Also, simple things like effective EDR (Endpoint Detection and Response, sort of like modern antivirus) may not exist on some home devices. If users are using home devices, it's important to know they have a reasonable level of safety for themselves and your business data. If your remote user's child is sharing the same computer as your remote user, you may have potential problems brewing.
BC/DR
Business Continuity and Disaster Recovery. They are two quite different topics, but both need to be in place even if staff are working from home.
Business continuity involves plans to keep your business operational in the event of a significant incident (kind of like what we're in now) until normal operations can be resumed. Disaster recovery is the plan for how to get back to normal after a significant incident. Both are plans that need to be carefully thought out and prepared before they are needed. They also should be tested. How do you know it works if it has never been tested?
I won't spend any time on BC at this point as I am sure many of you are already implementing parts of your BC plans at the moment.
In the case of disaster recovery, consider for a moment if (heaven forbid) your backup process relied on a person taking a disk home each night. How would this happen if they're not in the office? You can't risk not having effective offsite backups. You need an automated (and secure) off-site backup strategy in place. Even if your data resides completely in the cloud, you still need to know you have other copies of it, no matter what.
The minimum backup strategy uses the 3-2-1 rule: at least 3 copies of the data, on at least 2 different media types, with at least 1 of them held offsite, away from the production data.
Conclusion
Rule one is, make sure your staff are safe. That's most important. But also make sure that your data is safe. I am quite sure that no one wants a data breach on top of everything else that is going on at the moment. An ounce of prevention is worth a ton of cure.
Next most important is to communicate effectively with your remote team members and manage effectively. Don't leave remote team members in isolation. Give clear direction, and communicate with and support them as much as possible using the above frameworks and good old-fashioned phone calls. Communicate, communicate, communicate.
Avoiding scams, GRC, communications security, email security, computer security and BC/DR plans are good starting points to consider if you're scrambling to keep your staff safe by having them work remotely. If you haven't already, please consider implementing an overall ISMS (Information Security Management System) for your business. It is the starting point for cyber security.
Remember, cyber is NOT an IT problem. It is not your IT department's job to solve. It is the role of senior management to effectively address. Direct Message me if you would like more information on this.
Please also feel free to Direct Message me here on LinkedIn if you would like any assistance with any of these topics.
Keep safe.
Ross Marston CISSP