Before this pandemic, many employees seldom worked outside of the office environment. Therefore, the main focus of InfoSec and Cyber Security was on the organization’s on-site communication infrastructure. The majority of company policies on this subject were centered around internal conduct and practices. That raises the question of whether or not companies were prepared for this unforeseen transition. Chances are that many businesses were caught off-guard by this recent development, and that is why the Information Technology Laboratory released a special bulletin for March 2020 that addresses Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions.
Working remotely can mean anything from accessing a secure email server by way of your browser and a webmail app, to being able to remotely access and control a desktop computer at the organization while off-site. There were many recommendations on how to better secure your organization’s assets and data while working remotely, but it all starts with having a solid foundation.
That foundation is built upon developing and enforcing a telework security policy for your organization. At the moment many decisions on working remotely are outside of our control, but if this trend continues many organizations may want to look into having tiered levels of remote access for their employees. This allows an organization to limit the risk it incurs by permitting the most-controlled devices to have the most access and the least-controlled devices to have minimal access. According to the National Institute of Standards and Technology (NIST) guidelines, an organization should make its own risk-based decisions about what levels of remote access should be permitted from which types of telework client devices when creating a telework security policy. Your risks should be assessed and entered into a risk register, so that they can be prioritized and mitigation plans can be built and put into place.
Another excellent point stated by the NIST guidelines concerns the assumptions an organization should make when creating a telework security policy.
- All telework-related security policies and controls should be based on the assumption that external environments contain hostile threats.
- Organizations should assume that external facilities, networks, and devices contain hostile threats that will attempt to gain access to the organization’s data and resources.
- Organizations should assume that malicious parties will gain control of telework client devices and attempt to recover sensitive data from them or leverage the devices to gain access to the enterprise network.
- Organizations should assume that communications on external networks, which are outside of the organization’s control, are susceptible to eavesdropping, interception, and modification.
- Organizations should assume that telework client devices will become infected with malware.
Yes, I understand how bleak that all sounds, but one must not forget Murphy’s Law when planning. It states, “Anything that can go wrong, will go wrong, and at the worst possible moment.” These assumptions will ensure that your organization is able to make the proper risk-based decisions to mitigate all potential threats and implement appropriate controls to protect your company’s assets and your customers’ data.
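To make the tiered-access and risk-register ideas concrete, here is an added Python example; it is not from the NIST bulletin or the original post. It models a hypothetical policy in which the amount of control the organization has over a telework client device decides its access tier, and scores register entries so mitigations can be prioritized. The device attributes, tier names, thresholds, scoring and the sample register entries (which mirror the assumptions listed above) are all constructed for this illustration.

```python
"""Tiered remote-access policy and risk register (hypothetical example)."""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    org_owned: bool        # issued and imaged by the organization
    mdm_enrolled: bool     # under mobile device management
    disk_encrypted: bool   # full-disk encryption enabled
    patch_age_days: int    # days since the last security patch was applied


# Access tiers, from most controlled device to least (assumed names).
TIER_FULL = "full"          # VPN, internal applications, remote desktop
TIER_LIMITED = "limited"    # webmail plus a virtual desktop, no local data
TIER_MINIMAL = "minimal"    # browser webmail only, downloads blocked


def control_level(d: Device) -> int:
    """Score (0-4) how much control the organization has over the device."""
    score = 0
    if d.org_owned:
        score += 2
    if d.mdm_enrolled:
        score += 1
    if d.disk_encrypted:
        score += 1
    return score


def access_tier(d: Device, max_patch_age: int = 30) -> str:
    """Map a device to an access tier; stale patching drops it to minimal."""
    if d.patch_age_days > max_patch_age:
        return TIER_MINIMAL
    level = control_level(d)
    if level >= 4:
        return TIER_FULL
    if level >= 2:
        return TIER_LIMITED
    return TIER_MINIMAL


def tiers_for(devices) -> dict:
    """Evaluate a fleet of devices and return {name: tier}."""
    return {d.name: access_tier(d) for d in devices}


@dataclass
class Risk:
    description: str
    likelihood: int   # 1 (rare) to 5 (expected)
    impact: int       # 1 (negligible) to 5 (severe)
    mitigation: str

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def prioritise(register):
    """Return register entries ordered from highest to lowest score."""
    return sorted(register, key=lambda r: r.score, reverse=True)


# Constructed sample data for the example.
SAMPLE_DEVICES = [
    Device("corp-laptop", True, True, True, 5),
    Device("corp-laptop-stale", True, True, True, 45),
    Device("byod-phone", False, True, True, 5),
    Device("home-pc", False, False, False, 5),
]

SAMPLE_REGISTER = [
    Risk("Eavesdropping on external networks", 4, 4,
         "Require VPN/TLS for all remote access"),
    Risk("Telework device infected with malware", 4, 5,
         "Endpoint protection, patching, restricted tiers for unmanaged devices"),
    Risk("Lost or stolen device yields sensitive data", 3, 5,
         "Full-disk encryption, remote wipe, no local data on lower tiers"),
]

if __name__ == "__main__":
    for name, tier in tiers_for(SAMPLE_DEVICES).items():
        print(f"{name:20s} -> {tier}")
    for r in prioritise(SAMPLE_REGISTER):
        print(f"[{r.score:2d}] {r.description}: {r.mitigation}")
```

The point of expressing the policy this way is that the tier decision is explicit and reviewable: when the organization changes its risk appetite (for example, tolerating 14 rather than 30 days of patch age), the rule changes in one place and every device is re-evaluated consistently.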
Working remotely does have a number of benefits for both the employees and their organization. However, it also increases security risks for an organization and demands a higher level of accountability from employees. I am relatively new to the cyber security community, but the overall concept of security is something I am intimately familiar with. During my time in the Marine Corps, I learned that the fundamentals and foundation of a security-focused mindset don’t really change much. Assess your current situation. Identify risks and threats. Build a proper defense or plan of attack. Most importantly, ensure that all details and commands are understood and will be obeyed. Then you must hold everyone accountable, including yourself.