The social distancing measures introduced by governments across the globe in an attempt to prevent COVID-19 from spreading have resulted in significantly more people working from home. This has inadvertently opened up a can of worms, as most companies are woefully unprepared to secure a mobile workforce.
Remote workers are not only more likely to put their own privacy at risk, but they are more likely to expose sensitive company data, which will inevitably result in a data breach.
A remote employee will typically lack the technical knowledge and infrastructure to adequately protect the data they are entrusted with. For example, many employees will access the company network from unsecured locations, such as public Wi-Fi hotspots.
They use personal devices with many potentially vulnerable or malicious applications installed. They probably won’t have the latest and greatest anti-virus software installed. They may have a misconfigured or disabled firewall and fail to keep regular backups.
Companies that have already adopted the BYOD (Bring Your Own Device) trend will be in a much better position to protect their data during the current pandemic, while those that haven’t might be in for a shock. Below are some tips to help administrators keep their sensitive data locked down during the lockdown.
1. Establish an Incident Response Plan (IRP)
It’s not a question of if, but when, a data breach will occur. Security teams must ensure that they have formal policies in place that cover the six phases of incident response, namely: preparation, identification, containment, eradication, recovery and lessons learned.
The plan needs to be thoroughly tested, periodically reviewed, and all relevant stakeholders need to be well-informed about the details of the plan. An Incident Response Plan (IRP) is essential for minimizing down-time, avoiding costly fines and reputational damage, and mitigating future incidents.
2. Use Network Device Discovery and Management Software
There are many solutions available that provide network device discovery and management, some of which are native to your operating system and some of which are provided by third-party vendors. You will need an inventory of all devices connecting to your network, which includes all relevant information about those devices and their location. You must be able to easily add and remove devices from the list.
3. Use Mobile Device Management (MDM) software
In addition to controlling which devices are allowed to connect to your network, you should ideally have a means by which to control the devices themselves. This is often achieved using Mobile Device Management (MDM).
MDM provides businesses with visibility and control over the data stored on a device and the applications installed on it. MDM products also provide OS configuration management tools and even remote wiping functionality, should a device be lost or stolen. Administrators will also need to ensure that all devices are password protected, and that employees are using a VPN to connect to the company network (see below).
4. Use a Virtual Private Network (VPN)
The purpose of a Virtual Private Network (VPN) service is to ensure that all data transmissions between the remote worker and the company network are encrypted. Using a VPN ensures that nobody can eavesdrop on the connection, which is especially useful when the remote worker is on an unsecured Wi-Fi network.
5. Use a Data Discovery and Classification Solution
Knowing what data you have, where it is stored, and how sensitive the data is, is a crucial part of data security, regardless of whether your employees are working remotely or not.
Fortunately, there are a number of solutions available which can automatically discover and classify a wide range of data types, such as Social Security numbers, payment card information, protected health information, and any information that is covered by the applicable data protection laws.
Once you know where your sensitive data is located, it will be much easier to assign access controls to the data and keep track of how it is being accessed.
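The detection step described above can be reduced to pattern matching plus a validity check, because the regular expression alone produces far too many false positives. The following is an added example, not code from the original article or from any particular product: it scans a handful of constructed sample documents for the Social Security numbers, payment card numbers and email addresses mentioned in the text, filters card-like numbers with the Luhn checksum and SSN-like numbers with the ranges the SSA never issues, masks what it found, and assigns each document a sensitivity level. The document contents, the data-type-to-level mapping and the `public`/`internal`/`restricted` labels are all assumptions made for the example.

```python
import re

# Constructed sample documents for this example; none of the values are real.
SAMPLE_DOCS = {
    "hr/onboarding.txt": "New hire SSN: 123-45-6789, start date 2020-04-01.",
    "finance/refund.txt": "Refund issued to card 4111 1111 1111 1111 (exp 12/24).",
    "notes/random.txt": "Ticket 4111-1111-1111-1112 is not a card; SSN 000-12-3456 is malformed.",
    "support/tickets.txt": "Contact jane.doe@example.com about ticket 00012345.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits with optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Assumed sensitivity level per data type; LEVELS is ordered from least to most sensitive.
LEVELS = ["public", "internal", "restricted"]
SENSITIVITY = {"email": "internal", "ssn": "restricted", "card_number": "restricted"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): rejects most numbers that merely look like card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that are never issued: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def classify_document(text: str) -> list:
    """Return (data_type, value) findings; SSNs and card numbers keep only their last four digits."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group(0)))
    return findings


def document_sensitivity(findings: list) -> str:
    """Highest sensitivity level among the findings; 'public' when nothing was found."""
    return max((SENSITIVITY[t] for t, _ in findings), key=LEVELS.index, default="public")


def scan_documents(docs: dict) -> dict:
    """Classify every document; in practice `docs` would be read from a file share."""
    return {path: classify_document(text) for path, text in docs.items()}


if __name__ == "__main__":
    for path, findings in scan_documents(SAMPLE_DOCS).items():
        print(f"{path:24} {document_sensitivity(findings):10} {findings}")
```

The masking matters as much as the matching: a discovery tool that writes the full card number or SSN into its own report has just created another copy of the sensitive data that also needs protecting.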
6. Encrypt Sensitive Data at Rest and in Transit
Encrypting unstructured data at rest is relatively straightforward. It is common practice to set up a “container” or disk partition that automatically encrypts the data stored in it, so that only a user who holds the decryption key can read it.
There are various tools that will allow you to set up an encrypted container, some of which may be built into your operating system, such as BitLocker for Microsoft Windows; alternatively, you can use a third-party solution such as VeraCrypt. For encrypting “structured” data, such as data stored in a database, Transparent Data Encryption (TDE) is the most commonly used approach, assuming the application that interacts with the data doesn’t handle this for you.
In terms of encrypting data in transit, as mentioned already, using a VPN will ensure that remote workers can communicate with the company server securely. However, a VPN does not affect how your email is handled.
While most major email service providers support TLS encryption, messages are only encrypted if both the sender and recipient are using the same service. You will either need to use a service provider that offers end-to-end encryption, use a browser extension to encrypt and decrypt the emails, or encrypt the data yourself, which means providing the recipient with the decryption key.
Additionally, if your company website asks for login credentials, or any kind of PII, you must obtain an SSL certificate to ensure that the data is encrypted in transit.
7. Use Multi-Factor Authentication (MFA)
Naturally, if you are allowing employees to login to your company server from a remote location, you need to ensure that your authentication protocols are robust. Most authentication protocols rely on something you know, such as a username and password.
MFA takes it a step further and introduces additional factors, such as something you have (a token of some sort) or something you are (biometric data). While MFA is significantly more secure than traditional authentication protocols, it should only be used when accessing sensitive data.
8. Enforce “Least Privilege” Access
Naturally, administrators are required to set up access controls to determine who should have access to what data, and the reasons should be documented. They should adhere to the “principle of least privilege” as closely as possible, to protect against “privilege escalation”.
9. Use a User Behavior Analytics (UBA) solution
When allowing employees to access sensitive data remotely, it is crucially important that administrators have as much visibility as possible to help them identify anomalous user activity.
A UBA solution uses machine learning (ML) to learn the behavioral patterns of each user. Once it has learned these patterns (usually over the course of a few weeks), it will fire an alert when user activity deviates too far from these patterns.
A UBA solution will aggregate and correlate event data from multiple sources, including any cloud platforms which you use, and display all relevant data via an intuitive console. This gives administrators real-time information about who is accessing what data, from what location, and when.
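The learn-then-alert cycle described above can be shown in miniature without any ML library. The following is an added example, not code from the original article or from any UBA product: it parses constructed file-access log lines, builds a per-user baseline from a “learning” period (countries seen, working-hour window, mean events per active day), and then scores a later day's events, alerting on a new country, an unusual hour, a burst of reads above three times the user's daily mean, or a user with no baseline at all. The log format, the user names, the IP addresses (private and documentation ranges) and the `burst_factor` threshold are all assumptions for the example; a real product would use richer features and far longer baselines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines for this example (learning period and a later day).
BASELINE_LOG = """\
2020-03-02T09:05:10Z user=alice src=10.0.0.12 country=GB action=read path=/finance/q1.xlsx
2020-03-02T11:40:03Z user=alice src=10.0.0.12 country=GB action=read path=/finance/budget.docx
2020-03-03T10:15:22Z user=alice src=10.0.0.12 country=GB action=read path=/finance/q1.xlsx
2020-03-03T16:02:51Z user=alice src=10.0.0.12 country=GB action=read path=/finance/payroll.csv
2020-03-04T09:30:00Z user=alice src=10.0.0.12 country=GB action=read path=/finance/q1.xlsx
2020-03-02T08:55:12Z user=bob src=10.0.0.40 country=GB action=read path=/eng/design.md
2020-03-03T17:30:45Z user=bob src=10.0.0.40 country=GB action=read path=/eng/roadmap.md
"""

NEW_LOG = """\
2020-04-01T10:05:00Z user=alice src=10.0.0.12 country=GB action=read path=/finance/q1.xlsx
2020-04-01T09:10:00Z user=bob src=10.0.0.40 country=GB action=read path=/eng/design.md
2020-04-01T03:12:09Z user=alice src=198.51.100.9 country=RO action=read path=/finance/payroll.csv
2020-04-01T03:12:31Z user=alice src=198.51.100.9 country=RO action=read path=/finance/q1.xlsx
2020-04-01T03:12:55Z user=alice src=198.51.100.9 country=RO action=read path=/finance/budget.docx
2020-04-01T03:13:20Z user=alice src=198.51.100.9 country=RO action=read path=/finance/contracts.pdf
2020-04-01T03:13:48Z user=alice src=198.51.100.9 country=RO action=read path=/finance/salaries.xlsx
2020-04-01T14:00:00Z user=mallory src=192.0.2.5 country=GB action=read path=/finance/q1.xlsx
"""

LOG_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) country=(\S+) action=(\S+) path=(\S+)$")


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, user, src, country, action, path = m.groups()
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": user, "src": src, "country": country,
                       "action": action, "path": path,
                       "day": dt.date().isoformat(), "hour": dt.hour})
    return events


def build_baseline(events: list) -> dict:
    """Per-user profile: countries seen, working-hour window, mean events per active day."""
    countries = defaultdict(set)
    hours = defaultdict(list)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        countries[e["user"]].add(e["country"])
        hours[e["user"]].append(e["hour"])
        daily[e["user"]][e["day"]] += 1
    return {
        user: {
            "countries": countries[user],
            "hours": (min(hours[user]), max(hours[user])),
            "mean_daily": sum(daily[user].values()) / len(daily[user]),
        }
        for user in countries
    }


def score_events(baseline: dict, events: list, burst_factor: float = 3.0) -> list:
    """Compare each new event with its user's profile; return (ts, user, reasons) alerts."""
    alerts = []
    seen_today = defaultdict(int)          # running per-user, per-day event count
    for e in events:
        reasons = []
        profile = baseline.get(e["user"])
        if profile is None:
            reasons.append("unknown user")
        else:
            if e["country"] not in profile["countries"]:
                reasons.append(f"new country {e['country']}")
            lo, hi = profile["hours"]
            if not lo <= e["hour"] <= hi:
                reasons.append(f"unusual hour {e['hour']:02d}:00")
            seen_today[(e["user"], e["day"])] += 1
            if seen_today[(e["user"], e["day"])] > burst_factor * profile["mean_daily"]:
                reasons.append("volume burst")
        if reasons:
            alerts.append((e["ts"], e["user"], reasons))
    return alerts


if __name__ == "__main__":
    profile = build_baseline(parse_log(BASELINE_LOG))
    for ts, user, reasons in score_events(profile, parse_log(NEW_LOG)):
        print(f"ALERT {ts} {user}: {', '.join(reasons)}")
```

Run as-is, the normal daytime reads by alice and bob produce nothing, the 03:00 reads from a new country are flagged from the first one, the fifth of them additionally trips the volume rule, and the account with no baseline is flagged simply for existing. Each alert carries its reasons, which is what an analyst needs to decide between a travelling employee and a compromised account.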
10. Security Awareness Training
Given that employees are our first line of defense, security awareness training is a crucial part of our defense strategy. Of course, in order to deliver training about company security policies, we must ensure that all company security policies have been carefully drafted.
Employees must be well trained to spot phishing emails and must be informed about the importance of adhering to password best practices (i.e. don’t write them down on post-it notes!). Employees have a tendency to send company data to the wrong recipients, and so they must be trained to double-check the recipient when sending emails.