Given the current work-from-home (WFH) situation, IT security managers need to ensure that their network security infrastructure is up to snuff and can evolve with the times. There are some elements that are obvious. For example, just because everyone has their own corporate laptop doesn’t mean that they can make the WFH transition successfully. (Think docking stations, external monitors and other key peripherals.) Let’s examine the other, more complex implications of everyone connecting remotely and what you need to protect your most valuable corporate assets.
To get you thinking about these issues, check out what Slack’s CEO Stewart Butterfield has documented in this Twitter stream on what his company did internally to transition. There are a lot of moving parts to consider.
First, do you have the right network protections and will they scale? Chances are you already have a virtual private network (VPN) — but does your VPN also cover smartphones and tablets too, and have the appropriate licenses to handle the entire WFH user base? Having a VPN doesn’t prevent phishing attacks from compromising network access from within, so you might not want everyone on the VPN all the time anyway. Does your network protection track privileged access changes in any actionable fashion? Does your network help desk have sufficient staff and training to handle the influx of new users? Can everyone access a common file system with sufficient bandwidth? Do you need to update your asset inventory with the new locations, IP addresses and other endpoint information? What about how your users will print when they are at home, and can you ensure that their home routers have appropriate security and password protection? Chances are you will need to make changes in some of these areas.
Once you have hardened your network, you need to look carefully at your endpoint policies and ensure that everything is patched and updated to the most current versions. If you have been doing this with the devices in your office, that is great, but you will need to examine whether your existing endpoint protection process will work with most remote devices and whether you will have sufficient licenses to install this software on non-corporate-owned devices too.
One policy that has seen better days is “bring your own device” or BYOD. It was all the rage several years ago. In this case study of a Nebraska hospital, their BYOD plan was revived and used to expand support for all the newly-minted WFH users. Before remote users can connect to a shared virtual workspace platform, they have to pass through a web-based portal that installs various security apps to manage their endpoints. The program allowed the hospital staff to make the transition quickly to WFH in March.
Next, it is time to re-examine your identity access and authentication policies. It may be time to roll out multi-factor authentication (MFA), particularly for those users who are handling financial transactions or who have more sensitive access. “If your company doesn’t use MFA to protect its network, there’s never been a better time to start,” says corporate strategist Paul Gillin here. Gillin also suggests ramping up training efforts, particularly around phishing awareness and avoiding other kinds of malware.
Another item to consider is the role played by shadow IT services. Cloud-based applications like Dropbox are very easy to set up and work around any IT protections, especially when everyone is working remotely. Don’t let convenience be your enemy, plan ahead, anticipate this situation and standardize based on a common cloud-based file sharing and office productivity suite if you haven’t already.
Finally, establish a common collaboration environment, using a combination of instant messaging and video conferencing tools that everyone can have access to. Video conferencing will become more important to keep your staff connected, and that also means that you need to secure these links with the necessary configuration and password controls. You might also need to purchase additional microphones and video cameras to support these efforts. With a careful, thorough approach, you’ll be able to ensure your network security, even with most of your workforce working from home.