Encryption & Virtual Private Network
These are widely used to provide secure remote access, and a misconfigured one can hand an attacker the keys to the network. Check which encryption standard the connection uses and whether it meets current best-practice guidance. Also consider resilience: if every employee connects through a single VPN concentrator, have you inadvertently created a single point of failure, or is there a backup tunnel?
Make sure that every device taken off-site is logged, because the configurations and documents on those devices are an opportunity for an attacker. Track devices not only on the way out but on the way back in, and decide how this fits with your leavers process if an employee resigns while working remotely.
Bring Your Own Device (BYOD)
Are you allowing your people to use their own equipment to access the corporate network? An insecure BYOD device with access to corporate data is a disaster waiting to happen, because there are fewer protections you can apply to it. Have you enforced anti-malware software, and when did it last receive security updates?
We have already seen a massive increase in phishing attacks around Covid-19; people are especially susceptible because they are desperate for information, clarity and decisions made on their behalf. Regularly patching remote computers is essential. Do you have central control and monitoring of the device to enforce the patch and to confirm that the device has been rebooted so the installation completes?
What security exists in your people's homes? If a device were stolen or lost, is the data on the drive protected with full-disk encryption such as BitLocker? Are you sure that physical material (notebooks containing passwords, key documents and so on) is properly secured in people's houses? Limit the data stored on local devices wherever possible, so that the impact of a lost or stolen device is reduced.
Worst case: a device is stolen, broken or corrupted, or data is taken. What recovery options are in place, and how quickly can you recover? How quickly will your reporting and logging raise an alert you can act on? Backups are a crucial part of any modern company, but with your data now widely distributed, is it still being centrally collated? If you have adopted a cloud solution such as OneDrive or Dropbox, have you restricted access to it and had it penetration tested?
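The three device checks above (anti-malware enforced and current, patches installed and rebooted, disk encrypted with BitLocker) can be turned into a single hygiene report that is run on each remote endpoint. The script below is an added example, not part of the original article; it assumes a Windows 10/11 endpoint with the built-in BitLocker and Defender PowerShell modules, and the age thresholds are assumptions you should set to your own policy.

```powershell
# Added example (not from the original article): report on the endpoint hygiene
# points discussed above. Assumes Windows 10/11 with the BitLocker and Defender modules.
function Get-RemoteEndpointHygiene {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 3,   # assumption: tolerated anti-malware signature age
        [int]$MaxPatchAgeDays     = 30   # assumption: tolerated time since the last hotfix
    )

    # 1. Full-disk encryption: every BitLocker volume should be fully encrypted with protection on.
    $unprotected = Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' } |
        Select-Object -ExpandProperty MountPoint

    # 2. Anti-malware: real-time protection enabled and signatures recently updated.
    $mp = Get-MpComputerStatus
    $sigAgeDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days

    # 3. Patching: days since the newest installed hotfix, and whether a reboot is still pending
    #    (updates are not effective until the device has restarted).
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchAgeDays = if ($lastPatch) { (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days } else { $null }
    $rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
                     (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

    $findings = @()
    if ($unprotected)                        { $findings += "BitLocker not fully protecting: $($unprotected -join ', ')" }
    if (-not $mp.RealTimeProtectionEnabled)  { $findings += 'Real-time anti-malware protection is disabled' }
    if ($sigAgeDays -gt $MaxSignatureAgeDays) { $findings += "Anti-malware signatures are $sigAgeDays days old" }
    if ($null -eq $patchAgeDays -or $patchAgeDays -gt $MaxPatchAgeDays) {
        $findings += "Last hotfix installed $patchAgeDays days ago (threshold $MaxPatchAgeDays)"
    }
    if ($rebootPending)                      { $findings += 'Reboot pending: installed updates are not yet effective' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Run locally, or fan out over WinRM with:
#   Invoke-Command -ComputerName <list> -ScriptBlock ${function:Get-RemoteEndpointHygiene}
Get-RemoteEndpointHygiene | Format-List
```

Collect the returned objects centrally so that a non-compliant remote device raises an alert rather than waiting to be noticed after a loss.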
People can raise concerns easily in an office environment; working remotely makes this harder. Do people know the process, and that support is available to them even if they make a mistake? Clicking a phishing link is embarrassing: will they tell you when they are outside the office? Develop a robust user-education programme for spotting phishing and other social-engineering attacks, so your people are aware of the risks and able to report issues as they occur.