The 2020 Coronavirus pandemic has lead many workers to work from home to slow its spread. Business owners have had to proactively deal with these changes while doing their best to operate effectively and securely. The new normal for companies is a workforce that continues to deliver business services remotely. This article describes some tips and strategies companies are using to secure their remote workers successfully.
Before we dive in, CyberHoot needs to separate companies into two unique types as follows:
- Businesses that have gone through a digital transformation to cloud-enabled services for the majority of their operational needs; and
- More traditional businesses running their business using onsite applications and services.
Digital Transformation Maturity
Companies who have gone through a digital transformation may have a leg up for remote worker security than companies with more traditional on-premises solutions. The myriad of cybersecurity challenges are simplified for these cloud-enabled companies. Companies operating their business in the cloud must have the following measures in place to truly secure themselves.
- First, all cloud services must have strong authentication measures in place including two primary tools:
- utilize two-factor authentication on all Internet-enabled services
- use a password manager throughout the company
- Second, companies must establish strong administrative processes including:
- adopting effective on-boarding and off-boarding practices
- establishing governance policies/processes to guide employees on the selection, use, and security configuration of Software-as-a-Service (SaaS) solutions
- Finally, strong cybersecurity practices need to be in place including:
- ensuring least privileges has been set up within those cloud-enabled applications to limit access to just what’s needed
- encrypting all critical and sensitive data in transit and at rest
- First, all cloud services must have strong authentication measures in place including two primary tools:
Not all companies that have gotten to the same level of digital transformation maturity yet. Some have yet to tackle many of the above security recommendations. CyberHoot often identifies gaps in remote worker programs even at companies that have long finished their digital transformation to cloud services. However, securing remote workers in businesses that have been working in the cloud is fundamentally easier than companies operating more traditional on-premises technology solutions. This is where we turn our attention to next.
On-Site Application Security Considerations for Remote Workers
Remote workers represent additional unique cybersecurity challenges for on-site business operations than cloud-based service operations. Concerns shift from providing local access to resources to ensuring remote workers continue to have reliable and secure access to those same on-premises applications. Unfortunately, too often, those on-premises applications were not secured and hardened for remote users instead of relying on a small number of local users. Our next sections analyze these differences often found as on-premises companies migrated to remote workforces.
End-Point Insecurities on Personal devices
When working on-site, endpoint security is typically quite robust and reliable. Company-owned devices run antivirus protection, with privilege rights management in place, device locks after inactivity, and regular patching of both operating systems and applications. Many companies did not budget for a mobile work from home workforce. Faced with purchasing laptops for every employee (and laptops have been in short supply for months), many companies have opted to allow potentially less secure home machines to connect into local resources and applications. This puts less secure machines on your internal network in some configurations. That can put additional risks on your data. These are all considerations that need to be addressed by policy and in some cases technology.
Access to Applications Originally secured only for Local Connections
Enabling access to these same applications from personal devices in the home can open those applications up to risks from insecure and potentially compromised home machines, poor permissions that might allow greater damage when a breach occurs, complexity in enabling secure remote access into systems that previously were wide open to local but finite connections. To contrast this, Cloud-solutions always assume the worst possible connections from compromised machines. They assume and witness hacker attacks from all over the entire Internet on a daily basis. They go through rigorous penetration testing to ensure systems are locked down and secure in contrast to most local applications, servers, and networks that were never designed for such things.
Regardless of whether your applications on in the cloud or on-premises, there are some important security practices to ensure are in place and functioning as designed. Let’s turn our attention to secure remote access and beyond that into best practices for privilege management, encryption, and two-factor authentication.
Security Tips For a Remote Workforce
While it may be easier to secure company-wide remote access than it is to secure numerous company-provided laptops, there are still additional best practices that should be followed. To reduce the likelihood of data breaches while using remote access, businesses should do the following:
Requiring Two-Factor Authentication (2FA)
All end-users must be configured for 2FA usage for remote access. To do otherwise is to invite security incidents and compromise. Too many employees reuse passwords on their VPN accounts as they do to multiple websites one of which is certain to be compromised and those credentials floating around the dark web. This is additionally important if you need compliance with security standards like PCI, HIPAA, or CMMC. If you only do one thing, it should be this – enabling 2FA into your local network and the data/applications it hosts.
Principle of Least Privilege
Access rights to both on-site and cloud applications must be carefully assigned so end-users can access only the resources they need. One way companies do this while also restricting the attack surface to a single protocol is by enabling Remote Desktop Protocol into a workstation in the office. This single door allows all existing security within the work environment to be enforced from application permissions, to default storage locations, to reducing additional licensing costs for home machines when a work machine has said license already paid for.
This might require additional limits be placed on traditional Virtual Private Network (VPN) connections that grant network based access to all resources on a typically flat internal network while the VPN client is connected. This artificially lowers the bar for remote access users to that of the security of the end point that if compromised could introduce ransomware and viruses to the corporate network. In contrast, enabling a single router on an RDP gateway to ones workstation and no other port or protocol can significantly improve your overall security for remote workers.
Encrypt all traffic between the end user’s device and their desktops
This can be accomplished via VPN, but going that route requires the installation and configuration of a VPN client, limiting end-users to specific devices and increasing complexity. A remote access solution that takes advantage of the universality of web browsers can provide proper encryption while also avoiding the limitations of a VPN. Such solutions should still be tied down to single destinations on a per user basis if possible.
Do not allow direct access
Insecure remote access services are common targets for hackers and should never be exposed to the public Internet. Placing these services behind a remote desktop gateway shields them from direct public access and provides an additional layer of security and access control preferably paired with two-factor authentication.
Isolate (SEGMENT) your remote desktops in Unique networks
Lastly, it crucially important to keep segment and isolate your internal networks. With a remote desktop gateway in place, servers can be configured to accept inbound connections only from 2FA authenticated users. Various internal segments should exist to limit the damage of one network segment were it to become infected with a virus, worm, or hacker.
Cybersecurity and Remote Worker Conclusions
Companies that transitioned to cloud-enabled services years ago adjusted rather quickly and securely to a migration to remote workers. However, by implementing the protections outlined in this article regardless of your use of on-premises applications or cloud applications, you will be able to secure your business operations and limit your risks to compromise, down-time, brand damage, and client/revenue loss.
Secure remote access to your company network is a must-have depending upon how far down the digital transformation road you’ve traveled. Securing the internal equipment as outlined above with patching, monitoring, capital expense upgrades, and such makes it more challenging to be certain, but it is doable. It does however highlight some of the benefits for a more aggressive migration to cloud-enabled services for your mobile and increasingly remote workforce.