Cybersecurity is Never Out-of-Office | SecurityWeek.Com
Things to consider which may help keep attacks at bay and allow everyone to enjoy their well-earned break
Over the last year, up to two-thirds of us had to work remotely, and a significant number will continue to do so. This has caused a blurring of the boundary between work and home, with many people using personal devices for work use or work devices for personal use. Security teams have seen traffic increases on the corporate network for shopping, social media and online education. Introducing new policies to manage risk on corporate devices and monitor home-network traffic without encroaching on staff privacy has proved a tricky balance, attempting to remain vigilant, fully compliant and provide protection without affecting the end-user experience.
Now summer is upon us and, unlike last year, many folks will get to use their much-needed PTO to get out of the “office” and travel now that more countries are opening. But while workers need to rest and recharge, cybersecurity hygiene can never take a break. Summer almost always means fewer hands on deck as people set off for vacations but, this year, the added layer of the world beginning to open up a little may lead to even more skeletal skeleton crews.
Add to this the complexity of supporting and securing systems now operating in a hybrid model with remote working still normal but staff also slowly returning to the office, the risk of cyberattack increases. We are too close to the holiday season. It is too late to implement complex new systems – but it’s never too late to start planning. So, what are a few things to consider which may help keep attacks at bay and allow everyone to enjoy their well-earned break?
Help Your Colleagues Take that Well-Earned Break
When we’ve all been working for so long, it can be hard to close the laptop lid and shut it down for a week. Many of us have already changed our working hours due to being remote, so being disconnected from colleagues can make some feel that being online is the same as being ‘there.’
A straightforward idea that can help employee wellbeing and cybersecurity safety is to run an internal awareness campaign on the importance of taking a proper break. Educate users on setting effective out-of-office messages, delegating activities and putting work on pause for a week. Not only will everyone feel so much better on their return to the office, but the security team’s workload is reduced if no one uses ‘free Wi-Fi’ in the holiday hotel or leaves their corporate phone unattended on the beach while they go swimming.
Enforce VPN, but Make Sure it’s Up to the Challenge
Forcing people to use the corporate VPN is one way of better protecting access to sensitive information, as we all know that some people can never switch work off during a vacation. During the lockdown, many organizations upgraded VPN concentrators or even moved to cloud-based solutions to deal with additional scale requirements of remote working, so performance should not be an issue. However, vacation is not the same as remote-working because employees can be anywhere on the planet, attempting to use whatever Wi-Fi that is available at a given moment.
Review which sensitive applications are available outside of the VPN, consider re-configuring access to only be available when using the VPN. One thing to remember with a VPN is that typically the software grants access to portions of the network inside the firewall, which can be a risk if the device accessing the resource is infected with malware. An excellent recommendation to enhance network access is to move to cloud-based solutions where possible, ensuring that multi-factor authentication is enabled and looking into a CASB (Cloud Access Security Broker) solution that provides highly granular access controls and reporting/auditing of user access.
Review Security Policies, don’t Over-Complicate
A security policy should be invisible to users with templates put in place to protect data in and out of the network and enforce rights over access to applications and settings. In the last year, new policies will have been created to support remote working and security teams needing visibility over remote workers.
If policies become too complex, users will attempt to circumvent them. This is not an attempt to break security, but simply because they want to be as efficient in their job as possible and may feel that the burden of security slows things down.
Now is a great time to perform a policy review. Ensure that the VPN is enabled as needed, and DLP (Data Leakage Protection) controls protect sensitive documents without making it hard to view/edit them on a mobile device (a common problem!). The review may also highlight areas for future investment, such as cloud-based services or advanced threat sandboxes to help keep attacks outside the network.
And What About the Next Big Project?
Eventually, the summer holidays will be over, and after successfully protecting the business from threats, it is time for the security team to start planning its next project.
ZTNA or Zero-Trust Network Access should be a strong contender. If you’ve not started already, it’s too late to implement for the upcoming holiday season, but with planning it could be ready for Christmas.
ZTNA is the concept of only providing the lowest possible level of access to users for them to complete their role, and ZTNA solutions grant the least permissions to specific applications and resources based on role or user and whether the resource is hosted in a cloud or data center location.
This level of configuration makes it much harder for an attacker to break in and steal data. At the same time, if a device infected with malware connects to the network, it is less likely to spread laterally or compromise other devices.
I hope that we can all take a proper vacation this year – whether it’s overseas or just camping in the back garden, the break is needed, and downtime is essential. Just remember that cybersecurity – and the bad guys – won’t take a break at the same time as you, but I hope that this article highlights that some simple steps can be taken to keep your business safe whilst you are out-of-office.