It’s important that we understand how to protect ourselves and our businesses while working remotely, so we teamed up with Immersive Labs to provide some practical advice.
We can now make online cyber awareness training available to our member companies at a highly discounted rate.
Recent public health developments mean many workers are now working from home. It’s important as a global workforce that we understand how to protect ourselves and our businesses while working remotely.
Types of device
Perhaps the most important thing to consider is the security of the devices that you are using, as remote working provides attackers with extra opportunities to breach your defenses.
Remote workers are likely to connect via two types of device: organisational devices which have been acquired, configured and managed by their organisation and ‘bring your own’ devices which are controlled by the worker.
Organisations should also consider how to maintain the security of PC and mobile devices.
Types of threat
There are several potential risks that remote working presents to an organisation, and it is important to cover all bases. The most prevalent ones are laid out below:
Physical – The organisation cannot ensure the physical security of the device, leaving it open to theft or loss. Workers should be encouraged to be vigilant with their devices if working in public places such as coffee shops.
Malware – Malware is malicious software. Remote working can increase the likelihood of this threat, as workers may not be as security-conscious with their own devices as they are with those configured and managed by their organisation. This can leave gaps in security for malware to exploit.
Unsecured networks – Remote access is dependent on the Internet, so organisations cannot control the security of networks that remote workers use. These communication systems could be compromised, leaving your sensitive information at risk of being uncovered by malicious actors. Unsecured networks also leave you vulnerable to man-in-the-middle attacks, whereby your communications are intercepted or modified.
Connection of infected devices to internal networks – If a remote worker is using their own malware-infected device and it is connected to an internal network, this malware could spread.
Availability of internal resources to external hosts – Providing external hosts with access to internal servers, particularly from untrusted devices or networks, increases the likelihood that internal servers will be compromised.
The National Institute of Standards and Technology (NIST) recommends assuming that hostile threats exist on external facilities, networks and devices and preparing for remote working based on that assumption. This means a heavy focus in three key areas: keeping remote devices updated, ensuring authentication is effective and securing access from outside corporate networks.
How to protect devices when remote working
Organisations will have to make risk-based decisions about remote access from devices based on the sensitivity of their work. One approach is tiered levels of remote access: devices with the most stringent security measures get the most access, while those the organisation has least control over get the least.
It is also important to ensure that sensitive data is encrypted on client devices – or better still, not stored on these devices at all.
Devices used for remote working should have the same levels of security as internal devices. This means ensuring that updates are completed on time, extending patching protocol to these devices, ensuring anti-malware software is installed, and configuring firewalls correctly.
Another thing to consider is network access control, which grants or restricts access based on the type of device and whether that device complies with the organisation's policies; in other words, it is a security policy enforcement mechanism. Network access control checks can include verifying that security patches are installed, checking that anti-malware software is functioning and ensuring that personal firewalls are operating correctly.
Strong authentication is another good step to take to ensure security, and it could take the form of passwords, digital certificates or hardware authentication tokens. Federal agencies use two-factor authentication (2FA) that requires a cryptographic token and password; this measure provides better security than passwords alone.
Introducing periodic re-authentication – for example, after eight hours of a session or 30 minutes idle – can help organisations determine that the person using remote access is authorized to do so.
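The tiered access, posture checks and re-authentication rules described above can be combined into one access decision. The following is an added example, not code from the article or from Immersive Labs; the tier thresholds, the SAMPLE_NOW clock and the make_session helper are this example's own assumptions, while the 8-hour and 30-minute limits are the figures given in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Re-authentication thresholds named in the article: 8-hour session, 30 minutes idle.
MAX_SESSION_AGE = timedelta(hours=8)
MAX_IDLE_TIME = timedelta(minutes=30)
# Access tiers are this example's assumption: FULL for managed devices that pass
# every check, LIMITED for compliant BYOD devices, NONE if any check fails.
FULL, LIMITED, NONE = 2, 1, 0
SAMPLE_NOW = datetime(2020, 4, 1, 9, 0)  # constructed clock for the demo

@dataclass
class DevicePosture:
    """Outcome of the network access control checks the article lists."""
    managed: bool              # acquired, configured and managed by the organisation
    patched: bool              # security updates applied on time
    antimalware_running: bool
    firewall_enabled: bool

    def tier(self) -> int:
        if not (self.patched and self.antimalware_running and self.firewall_enabled):
            return NONE        # a failed check blocks access regardless of ownership
        return FULL if self.managed else LIMITED

@dataclass
class Session:
    started: datetime
    last_active: datetime

def make_session(now: datetime, age_minutes: int, idle_minutes: int) -> Session:
    """Session that began age_minutes ago and was last active idle_minutes ago."""
    return Session(now - timedelta(minutes=age_minutes), now - timedelta(minutes=idle_minutes))

def needs_reauth(session: Session, now: datetime) -> bool:
    """True once the session is 8 hours old or has been idle for 30 minutes."""
    return (now - session.started >= MAX_SESSION_AGE
            or now - session.last_active >= MAX_IDLE_TIME)

def authorise(resource_tier: int, device: DevicePosture, session: Session, now: datetime) -> bool:
    """Grant access only when the session is fresh and the device tier covers the resource."""
    return not needs_reauth(session, now) and device.tier() >= resource_tier

if __name__ == "__main__":
    # Constructed sample: a worker-owned laptop that passes every posture check.
    byod = DevicePosture(managed=False, patched=True, antimalware_running=True, firewall_enabled=True)
    print(authorise(LIMITED, byod, make_session(SAMPLE_NOW, 60, 5), SAMPLE_NOW))  # True
    print(authorise(FULL, byod, make_session(SAMPLE_NOW, 60, 5), SAMPLE_NOW))     # False
```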
VPNs create a tunnel between a remote worker’s device and an organisation’s VPN gateway, allowing the remote worker to access computing resources with secure end-to-end
There are additional modules of learning covered under Workforce Security, with specific sections on Cyber Safety and Staying Safe Online. See Appendix. Great advice considering the current situation.
Please contact Annette Coburn at firstname.lastname@example.org for further information.
Appendix: Immersive Labs Awareness Training
Immersive Labs Awareness Training Labs
Workforce Security Training
What Is Cyber Security?
History of Cybersecurity
Cyber Security Basics
Disposing of Old Technology
Physical Access Security
Using Your Own Tech At Work
Cybersecurity On The Go
Staying Safe Online
Why Cyber Security Is Everyone's Business
Consequences and Impact of Cyber-attacks
Firewalls and VPNs
Mobile Security Tips
Updates and Patches
Why Hackers Hack
Who Are the Hackers?
Cyber Kill Chain
Cryptocurrency & Blockchain
Virtual Card Numbers
Investigator Operations Security (OPSEC)
Tor and Tor Hidden Services
Reverse Image Search
Cached and Archived Websites
Open Source Intelligence (OSINT): Deleted Tweet
Open Source Intelligence (OSINT): Boarding Pass
Analysing Sandbox Reports
Social Media and Privacy
What Is Risk?
How Is Risk Measured?
Quantitative Risk Measurement
Qualitative Risk Measurement
Asset Inventory and Valuation
Inherent vs Residual Risk
How to Mitigate Risk
Risk and Control Self-Assessment (RCSA)
Three Lines of Defence
NIST Cyber Security Framework
Compliance, Legislation, Regulation and Standards
Policy, Process and Procedure
GDPR Aware – Practice
NCSC 10 Steps to Cyber Security
Payment Card Industry Data Security Standard (PCI-DSS)
Payment Services Directive 2 (PSD2)
Health Insurance Portability and Accountability Act (HIPAA)
Information Technology Health Check (ITHC)
Cloud Security Alliance – Cloud Controls Matrix
What Is ISO 27001?
Software as a Service (SaaS)
Infrastructure as a Service (IaaS)
Infrastructure as Code (IaC)
Platform as a Service (PaaS)
Cyber For Executives
What Is Cyber?
Cyber For Board Members
Supply Chain Security