The COVID-19 pandemic has forced internal and service provider employees to immediately work in new ways. Fundamental security controls are now essential to protect corporate assets and reduce threats to data and security.
With the lockdown of most of the world this week due to the spread of COVID-19, internal and service provider employees around the world are obligated to practice social distancing and work from home. Architectures designed to protect information from within the four walls of a delivery center rely on technologies that don’t always provide protections for remote workers, especially in global locations – and information security professionals are scrambling in search of solutions and funding to resolve the situation, so critical work can continue.
The immediate transition of tens of thousands of workers to a remote workforce is a real-time test of basic infrastructure components, including networks and conferencing systems that were not designed for full-scale remote workforces. This introduces a host of vulnerabilities into the workplace.
To protect their assets in the new age of remote work, enterprises should immediately address three areas: technical, human resources and legal.
Technical Security Checklist
As companies quickly assemble solutions to facilitate virtual working, there may be a tendency to embrace speed over security, in some cases bypassing significant investments in technology designed to safeguard the enterprise. Providers are providing work-from-home agreements now, which need careful reading for security factors. Providing access to networks and data for large numbers of remote workers will increase the complexity of monitoring and managing that access and will undoubtedly lead to a higher number of security incidents, both accidental and malicious. This is likely to stress an already-thin security organization. Hackers will be closely monitoring high-value targets for architectural flaws and vulnerabilities in systems as companies deploy new platforms to support remote workers. It is vital to ensure all employees understand their roles in securing corporate data and assets.
Enterprises should put in place the following basic security precautions for all remote workers:
- Ensure internal and external workers have virtual private network (VPN) access and use it for all connections to corporate networks.
- Require all employees to use endpoint protections (A/V, personal firewall, etc.). Increase the company’s security level to a higher-than-normal setting and turn on logging for employees in geographies with known security issues.
- Where supported, use network access controls (NAC) to validate users and acceptable device configurations during connectivity to enterprise networks. If a device cannot be secured, quarantine it until security issues can be remediated.
- Require employees to use company-provided assets whenever possible.
- For high-risk industries, implement data loss prevention (DLP) solutions for access to a broader-than-normal data range. At a minimum, implement DLP for the most sensitive data if not already in place. Use virtual desktops for sensitive applications to prevent the possibility of data exfiltration.
- Encrypt all sensitive data at rest and in transit. Many companies do the former; few do the latter. An increase in usage of insecure networks by some remote workers significantly increases the theft risk for data in motion.
- Encrypt emails when possible. Some technologies, such as Microsoft Office 365, have built-in encryption capability. Publish guidelines on the proper configuration and usage of these technologies for all employees and partners.
- Avoid public Wi-Fi. The local coffee shop network is at higher risk of being hacked or mimicked. Turn off the “auto connect” function for all Wi-Fi connections to avoid accidental connection to a rogue hotspot. If possible, use a company-provided hotspot or Mi-Fi device for basic connectivity.
- Educate employees about the importance of being aware of where they are and physically protecting company assets like laptops and hotspots.
- Instruct employees and provider employees to force the use of screen locks within a shorter-than-normal timeframe and avoid leaving a logged-in device unattended.
Human Resource Checklist
Employees who work on sensitive or secret programs, such as government contractors, are typically denied remote access to data due to confidentiality and/or intellectual property concerns. While this is generally a small subset of the overall employee population, these employees will become high-value targets if allowed to access information remotely. In the event COVID-19 impacts these individuals and remote work becomes a possibility, organizations should:
- Safeguard required data with special information security protections.
- Put in place physical security controls to ensure the overall safety of the employee.
Legal Protections Checklist
Most sourcing contracts contain legal protections written to support the risk associated with the use of dedicated equipment in an offshore delivery center. This relates directly to the client’s network and includes robust security monitoring and reporting capabilities to aid in detection of potential data theft. However, recent examples of data theft by partner employees in heavily monitored environments indicate that even the best systems can be circumvented.
As employees work from home in large numbers, the likelihood of an intentional breach increases significantly. In this type of breach, jurisdictional issues may prohibit recovery of damages due to differences in law and ability to prosecute. There is also the very real potential for destruction of evidence and corporate data if an employee’s personal networks and devices are used to provide services.
While most workers will play by the rules, the time is now for enterprises to review their sourcing contracts and follow these steps:
- Pay special attention to location provisions, data confidentiality, limitations of liability and indemnification provisions as they relate to remote workers.
- Review cyber insurance policies to determine if exclusions exist for remote workers or provider employees who are not using systems that comply with your corporate security policy.
ISG helps enterprises design and implement effective security protocols. Contact us to find out how we can help in this time of heightened uncertainty.
About the author
Doug currently leads the ISG Cybersecurity unit and offers expertise in cybersecurity strategy, large scale transformation projects, infrastructure, Digital enablement, relationship management, and service delivery. Clients benefit from Doug's expertise from years of working with global clients within the life sciences, automotive manufacturing, aerospace, banking, insurance, financial services, healthcare, utilities and retail industries, as well as his deep and current knowledge of the service provider market. Doug routinely performs Strategy and Assessment engagements to assist clients in understanding how to select the optimal organizational and operational models to meet their business needs while minimizing security exposure and risk of loss.