Since the World Health Organization officially declared COVID-19 a pandemic on March 11, 2020, an estimated 16 million United States-based workers shifted from in-office work to remote work, according to this Slack article.
“With this abrupt transition, many of the typical in-office security measures were overlooked,” said Brad Thies, founder and president of BARR. “People were just trying to get by one day at a time at first, creating remote working environments on dining room tables, in guest rooms, and any quiet place they could find.”
Threats to remote network security quickly began to creep into the headlines, including things like ‘Zoom-bombings,’ COVID-19-related phishing scams, and more. These threats are nothing new, but the mass migration to work from home has magnified the impact.
For this reason, the BARR Advisory team has created a list of top remote work security threats, along with recommended solutions for each. Download and share our corresponding remote work security infographic.
The team also mapped these threats to standards within a SOC (System and Organization Controls) report so that companies preparing for a cybersecurity audit can see how these remote work security threats are also a threat to achieving a number of SOC standards.
Threat #1: WiFi and Remote Access Vulnerabilities
- Issue: Home wireless networks are not as secure as most in-office networks, which means cybercriminals can more easily access company information if employees do not take measures to better protect their home WiFi.
- Solutions: Employees need to change the default password and enable encryption on their home wireless router. The company should provide guidance on remote working to its employees through mechanisms such as an Acceptable Use Policy and security awareness training. If practical, a VPN should be deployed to the workforce. To protect against stolen credentials, multi-factor authentication (MFA) should be enforced on all systems. Better yet, use this as an opportunity to accelerate the movement toward passwordless authentication. To protect against insecure transmissions, enforce strong connections to all corporate sites, such as the use of TLS 1.2 or higher.
- SOC Standards in Jeopardy: CC6.1, CC6.6, and CC6.7.
Threat #2: Personal Device Usage
- Issue: There are a number of short- and long-term issues with allowing employees to utilize personal devices for work-related purposes. For one, should an employee leave the company, they could continue to hold on to confidential information stored on their personal device. Personal device usage also opens up a number of security holes, from the assurance of regular software updating to loss of endpoint control.
- Solutions: Should employees need to use personal devices temporarily or on a permanent basis, be sure they enable a passcode, encrypt the device, and keep their devices updated and patched regularly. MFA should be enforced on all remote applications. More importantly, businesses need to develop and enforce a Mobile Device Management (MDM) strategy. This is a set of policies that include security management, device maintenance, software distribution, and mobile device provisioning. This strategy should include a Bring-Your-Own-Device (BYOD) Policy that fits your organization’s needs.
- SOC Standards in Jeopardy: CC6.1, CC6.5, CC6.6, CC6.7, and CC6.8.
Threat #3: Unsecured Video/Audio Conferencing Platforms
- Issue: There are a number of opportunities for cybercriminals to hack into video/audio conferencing platforms, AKA ‘Zoom-bombing,’ leaving your confidential meeting discussions and company information up for grabs.
- Solutions: Embrace a video conferencing solution so your employees have options and follow the platform’s security recommendations. Without this, you risk your employees using free or rogue versions that often do not adhere to the company’s security needs. Many platforms have recently implemented new security measures, but require updating to access those options. We also recommend employees generate a unique ID for their meetings instead of using a permanent access code, making it more difficult for hackers to gain access. Finally, add a password requirement when scheduling your meetings. Businesses need to educate their employees on the above to make sure everyone’s experience is as secure as possible.
- SOC Standard in Jeopardy: CC5.2 and CC9.2.
Threat #4: Data Security Risks
- Issue: Accessing company platforms, tools, and information from home is more risky because companies have less control over things like systems usage, endpoint security, and overall employee monitoring.
- Solutions: Employees should be trained to only input personal, company, and/or sensitive data into secure sites (look for HTTPS). Businesses need to create and enforce an Acceptable Use Policy to set clear expectations for remote equipment and systems usage. They also need to establish solid endpoint security solutions such as screen locks and password authentication to machines.
- SOC Standards in Jeopardy: CC4.1, CC5.3, CC6.1, CC6.6, and CC6.7.
Threat #5: Rogue Application Usage
- Issue: Newly remote employees may not think twice about downloading a different app or new tool to “help” them do their job. Without the security measures we’ve discussed above, businesses are less likely to know, much less monitor, these downloads and applications that could be acquiring sensitive company information.
- Solutions: Educate employees to only use or access information via approved tools, hardware, and software. And be sure your company maintains a complete and accurate inventory of each and every outside application so you are aware of all the places your company information could be living. Consider a cloud access security broker (CASB) and ensure your security monitoring teams and tools are in a position to monitor for abnormal system usage.
- SOC Standards in Jeopardy: CC6.8, CC7.1, CC7.2, CC7.3, and CC7.4.
Surviving new norms is a community effort. Share your experiences and learn from your peer groups. To learn more about SOC reporting, MDM strategy development, and other network security recommendations, contact us.