The Center for Internet Security (CIS) recently released a guide for cybersecurity during the COVID-19 pandemic. Not surprisingly, it homes in on securing environments outside the company firewall.
There's a saying in IT security: "it's not if, it's when." You may not have had a security breach yet, but chances are you will be affected by one. When it happens, it is costly and embarrassing. It is up to the leadership of an organization to plan ahead and prevent these situations to the best of their ability.
We developed a checklist based on the CIS guide that you can use to align these recommendations with your environment and understand where you may have gaps in your remote security plan. The main areas highlighted are:
1. Phishing and malspam prevention
2. User passwords and account security
3. Malicious files and ransomware
4. Mac device security
5. Network security (home and office)
6. Use of personal devices (BYOD)
If you are missing even one item from any of the categories, take a closer look at it and fix it.
Use the checklist to perform an audit with your IT team or IT provider. Then take the missing areas and prioritize them by importance (balancing risk, cost, complexity, etc.). Your organization's size, industry, IT complexity, compliance requirements and more will come into play when planning. If you need help examining or fixing these issues, you can lean on outside consultants.
Below is more information on the outlined Remote Security Best Practices you should be considering for a remote IT plan along with some ways to fix the gaps.
Social engineering and tricking people into sharing sensitive data can feel very difficult to prevent. The important thing is that when a phishing attempt slips through the spam filter, your employees are trained to spot it. Education and regular testing are the best way to decrease the likelihood of a slip-up.
Email security tools and additional spam filters will help keep malicious mail from getting through, but depending on the filter, it will sometimes catch legitimate mail ("false positives"). You may need someone managing the tool to release those messages and tune the rules so people don't miss email. If you are going that route, look for a tool that sandboxes attachments and rewrites links so they are scanned when the user opens or clicks them, not only when the message is received; a link that was clean on delivery can be pointed at a malicious page an hour later.
Look into a phishing simulation tool such as Sophos "Phish Threat" that tests your employee base by sending them fake phishing emails. If a user fails, the tool enrolls them in training. These tools update their faux phishing emails to match current scams, and you can run campaigns as often as you like. They are not complex to set up and are usually affordable for the value they provide in teaching your team. We recommend more frequent testing at first and then random testing at least twice a year.
As with phishing, many users are not following recommended security precautions with passwords, because additional layers of security or complex passwords can disrupt people's work. However, letting people skip these recommendations creates large security gaps that make accounts easier to compromise.
The simplest place to start is to turn on multi-factor authentication (MFA) for every account that supports it. It is built into most modern SaaS applications, and for anything that contains or has access to company data, you will want it on. MFA requires the user to prove possession of a second factor (usually a code from an authenticator app, a push notification, a hardware security key, or a text message) before the login completes. Where you have a choice, prefer an authenticator app or a hardware key over SMS codes: SMS can be intercepted through SIM swapping, and a one-time code typed into a phishing page is relayed just as easily as a password. Hardware keys using FIDO2/WebAuthn are bound to the real site's origin and are the one common factor a phishing page cannot replay.
Users should have complex passwords that are unique to each account; we all know the rule, and most of us have broken it (new password needed? Hmm... "Spring2020!"). A good way to make this practical is to invest in a password manager. These systems generate random passwords for users, store them securely, and fill them on approved devices and browsers.
Think about setting up a Single Sign-On (SSO) solution for your organization. SSO lets users sign in to their applications with one master account that is backed by a central directory. Both Google and Microsoft offer SSO that leverages the accounts your users already have. Third-party identity providers such as Okta offer custom integrations to get SSO working for almost all of your users' accounts.
SSO reduces the number of passwords your users have to manage. It also means that when you disable the central account, you cut off access to every associated application in one action, which is invaluable when offboarding users or responding to an account compromise, because IT can act quickly to secure everything at once. The flip side is that the central account becomes the most valuable target in your environment, so MFA on it is mandatory, not optional.
Ransomware has haunted businesses, and it's sometimes the dirty secret that no one will admit to. Until it happens to you, you may have a false sense of security, but it is more common than you think. This is why precautions against ransomware are so important.
Endpoint protection tools that actively and continuously scan for threats like viruses, malware and ransomware reduce your exposure. They should be running on every operating system, on all servers and devices (don't forget to secure cloud assets).
Backups are the single biggest factor in recovering from ransomware, and many companies still do not do them. By backing up your users' machines and your servers redundantly, you at least will not lose company data to a ransomware attack. Redundant backups should be secured and diversified: keep at least one copy offline or immutable and out of reach of your everyday domain credentials, because modern ransomware deliberately hunts for and encrypts or deletes any backup it can reach, and test your restores regularly, since a backup you have never restored is only a hope. Backup and disaster recovery is a competitive industry, so there are many solutions for your organization to explore.
Apple products have built-in security and privacy tools that are free and great for businesses to leverage. You should put policies in place that require users to enable these settings at a minimum:
You can also review privacy settings to make sure they align with your organization's goals and that no application has access it shouldn't.
The only way to ensure these settings are actually in place is through an MDM (mobile device management) tool. MDM lets you enforce settings rather than ask for them, and it has the added benefit of automating IT tasks. End users benefit too, since proactive maintenance means they are bothered less often by issues.
If you have users connecting back to things that live in the office (servers, computers) and you do not have a VPN set up, you need to set one up. Leaving those services reachable from the internet on open ports is a huge opening for unauthorized users to get access to whatever is reachable on the office network.
It is also important that the VPN is a company-managed one, not a personal or consumer "private VPN" service. Some users will have a consumer VPN subscription, but those only encrypt traffic between the user and the VPN provider; they do not connect the user to your office network and are not the business-grade solution needed to protect company data.
For home networks, most users will not have a dedicated firewall, but there are ways to make them more secure. CIS provides the following steps for users:
1. "Practice smart password management and enable two-factor authentication (2FA) wherever possible.
2. Enable automatic updates for all routers and modems. If the equipment is outdated and can no longer be updated, it should be replaced.
3. Turn off WPS and UPnP.
4. Turn on WPA2 or WPA3.
5. Configure the router or modem's firewall with a unique password and enable the firewall." (CIS, Resource Guide for Cybersecurity During the COVID-19 Pandemic)
If you need firewall functions like content filtering for remote users, consider routing their DNS through a secure DNS service. Tools like Cisco Umbrella filter internet usage at the DNS layer and run on computers and iOS devices, so content filtering, blocklisting and more can be extended beyond your office's firewall (and you don't have to push all remote traffic through your VPN).
The use of personal devices to access company data needs its own IT plan. If you allow (or have allowed) people to use personal computers and mobile devices to access company data, you need to be able to secure the company data on those devices as well.
However, since the devices are not owned by the company, it is harder to ensure they adhere to the required security policies. Many security tools treat personal devices differently because they are owned by your employee and contain personal data that the company has no rights over. The level of risk depends on many factors, such as the types of accounts involved, the sensitivity of the information, how often the device is used for work, and the roles of the people using it.
Very often you can put policies in place that let you wipe company data from a user's device (without touching their personal data) and limit which accounts they can access from it. If you need to go further, you can enforce device compliance through a solution like Microsoft Intune that revokes access to company data from devices that do not meet your security requirements (for example, no disk encryption, no screen lock, or an out-of-date OS).
In conclusion, if any of these items are missing, make a plan to fix them or risk leaving security gaps you may have to answer for later. You'll also have the added benefit of looking more attractive to your client base because of your seriousness about security. Some of these things may seem like foreign concepts, but you should seek help if you aren't sure where to start.
Springboard IT is your Apple expert. We have helped hundreds of organizations put best practices in place and have these conversations regularly with our clients. Let us help you secure your company.
Follow us on LinkedIn for more helpful posts and information like this!
References:
CIS, Resource Guide for Cybersecurity During the COVID-19 Pandemic
Credits:
Photo by Alessandro Bianchi on Unsplash