Cybersecurity Recommendations in a Rapidly Emerging Telework Environment

Here at Leviathan, we’ve seen a recent large shift among our clients to move most, or all, of their workforce to working remotely. Some companies, particularly those who work with sensitive health information, have traditionally relied extensively on physical security controls and enterprise firewalls in their office. With workforces scattered to their residences in recent days, many enterprise security controls are no longer operating in the same way. 

Business Continuity Processes are also at the forefront of concern for many businesses. Are your business processes distributed across groups of people who can ensure operations continue, or do you have potential chokepoints where losing a few critical people to illness for a week or two would potentially have a large impact on your operations?

The Risk Advisory Services team at Leviathan has gathered several tips and pointers for companies that now face moving a significant portion of their workforce to remote work. How do these companies protect their confidential information while also protecting the health and safety of their workers by allowing them to work remotely during this period? Even if a small portion of your employees regularly work from the road, moving to an almost entirely remote workforce over a very short period of time is likely to cause disruption. We hope that these pointers help IT and Security teams make a smooth transition to remote work.

 

  1. Ensure that staff understand to keep work on a work computer. Do they go home with laptops? Or do they connect with RDP to a machine in the office? There can be a temptation to download documents to personal computers if you check email late at night and then forget about the document in your downloads folder.

  2. In an extended Work from Home situation, consider how to push updates to laptops and other devices that do not connect to a corporate network for extended periods of time. Can your VPN handle the traffic of pushing updates to remote machines that do connect?

  3. There can be physical security concerns if children, spouses, or roommates are around the employee. Not everyone will have a home office with a door that closes. Employees should be aware of the risk of shoulder surfing, just as in an airport or coffee shop. Remind employees that they shouldn’t leave computers unlocked and unattended on kitchen counters, the sofa, or even their desk.

  4. Make sure your helpdesk is aware that there might be a rise in social engineering attacks to get employee credentials. Do you have a good way to authenticate employees if you usually depend on authenticating them by having them walk up to a physical drop-in site or call from an internal telephone exchange? Can you have them take a selfie with their ID card?

  5. If you can't get company owned devices out to all of your employees, can you enroll employee owned devices into your MDM and/or VPN? If you take this route, consider restrictive policies to allow basic connectivity but not the potential for spread of sensitive company information onto the employee’s own devices. 

  6. Now is a good time to review your business continuity plans (BCP). Can you identify single points of failure in your work processes and cross train users? While it hopefully won’t happen, you may have employees who become ill and are unable to perform critical business functions for a time. Would your payroll be held up if a comptroller at your company was out ill? If your head of IT is out, could you still onboard or offboard employees? Cross training is always a good idea, but particularly now, ensure that you have a plan for all your critical business functions.

  7. Have you reviewed your VPN and RDP configurations to check for issues caused by scrambling to bring on new VPN concentrators or newly opened remote connections? The shift in traffic adds considerations for large-scale remote work:

    • Load balancing and/or rate limiting on connections: Can you support peak time VPN traffic? Do you have sufficient session licenses? Can you suggest staggering work activity, or at least VPN use? 

    • Set timeouts shorter: particularly if load and/or licenses are an issue, timeout those who leave connections up and have walked away from active work.

    • Consider prioritization: some workers like to stream audio or video while they work, and maybe your policies allow that. But forcing that traffic both in and out of your perimeter hogs bandwidth and VPN/Firewall cycles. Consider restricting or rate limiting streaming and other non-work destinations. This applies to your video conferencing service as well. If video or audio quality on a virtual meeting degrades, turn off the video unless it’s necessary; prioritize your conference service provider over other video streaming. Experience with one major VPN technology recently suggests filtering by application type rather than URI destination performs much better.

    • Monitor usage: Get feedback on the steps you have taken and whether they’re working. Look at load times, in case you need to suggest that workers adjust schedules for high-intensity tasks. 

  8. If you are using RDP for remote access, have you secured RDP in order to prevent illicit access and/or misuse? A good introductory guide to securing RDP is available from the Center for Internet Security.

  9. Can you enable multifactor authentication (MFA) for access to email or shared drives? If you use GSuite or O365 and have not yet enabled this, now is a good time to consider enabling these options. While you will need to balance the risk of enrolling users unaccustomed to using authenticator applications during this already stressful time, the extra security offered can make this update worth the extra effort. We would recommend not making multifactor authentication mandatory for your users until you’ve ensured that they’re all comfortable using it. 

  10. Onboarding new employees: Positive identification of a new employee is usually handled in person. If you’re handing out credentials or shipping a laptop, work with your HR partners to firmly establish and verify contact before proceeding, and watch out for social engineering attempts. 

  11. Regular communications: consider one or more messaging channels for current status that workers can subscribe to on your messaging system (Slack, Teams, etc.). IT teams likely already have this for their work in keeping things running; open a channel to everyone so that they can know about performance issues, timelines for resolution of identified problems, physical access limitations, planned or unplanned downtime, and other events where broadcasting will help; most of these don’t depend on a VPN connection. 

  12. Encourage employees to review their home network security. If wired connections are possible, choose those. Ensure that wireless networks are secured by good passwords; reset the default manufacturers’ password, and don’t set it to something simple like “123456.” Consider making company IT staff available to consult with employees to update Wi-Fi passwords and configure networks.

  13. Do you have a regular videoconferencing solution in place already? Do employees have headphones, microphones, and video cameras to use when conducting meetings online? Some other video conferencing security tips that we have:

  • Consider limiting the use of long-lived meeting URLs for highly sensitive meetings and instead use one-off event URLs or meeting IDs. Otherwise, anyone with the meeting code of an earlier event can join later ones. Especially in larger events, you may not notice all the late joins.

  • Encourage employees to identify themselves when they join, especially for teleconferences or meetings conducted primarily through voice. If there is a “new attendee” beep but no one identifies themselves, pause the meeting and encourage the late joiner to announce their name.

  • For videoconferencing software that allows it, consider the use of waiting rooms or meeting passcodes, as a way to further protect the confidentiality of highly sensitive information being discussed.

  • When screensharing, share only application windows and not entire desktops. Similarly, suppress notifications on computers that can support that functionality, to protect against sensitive information being shown too widely to other attendees. 

      i. How to turn off notifications on a MacBook

      ii. How to turn off notifications on Windows 10
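
For item 7 above (peak-time load, session licenses, shorter timeouts and usage monitoring), the following is an added example, not code from Leviathan or from any VPN vendor. It takes a constructed session export and reports peak concurrent sessions, the peak you would see if an idle timeout were enforced, and which open sessions are currently idle; the log format, user names and the 30-minute timeout are assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample export (hypothetical format, not any vendor's):
# user, connect time, disconnect time ("-" = still connected), last activity
SAMPLE_LOG = """\
alice 2020-03-16 08:55 2020-03-16 12:05 2020-03-16 12:00
bob   2020-03-16 08:00 -                2020-03-16 08:20
carol 2020-03-16 09:05 2020-03-16 13:10 2020-03-16 13:05
dave  2020-03-16 09:10 -                2020-03-16 13:55
erin  2020-03-16 13:00 -                2020-03-16 13:50
"""

def parse(log):
    """Return (user, start, end-or-None, last_activity) tuples."""
    ts = lambda parts: datetime.strptime(" ".join(parts), FMT)
    sessions = []
    for line in log.splitlines():
        t = line.split()
        if not t:
            continue
        if t[3] == "-":
            end, last = None, ts(t[4:6])
        else:
            end, last = ts(t[3:5]), ts(t[5:7])
        sessions.append((t[0], ts(t[1:3]), end, last))
    return sessions

def peak_concurrency(sessions, now, idle_timeout=None):
    """Sweep connect/disconnect events; return (peak, time first reached)."""
    events = []
    for _, start, end, last in sessions:
        end = end or now  # open sessions occupy a seat until "now"
        if idle_timeout is not None:
            # Simplification: only the final idle stretch is known from the log
            end = min(end, last + idle_timeout)
        events += [(start, 1), (end, -1)]
    events.sort()  # at equal timestamps -1 sorts first: free the seat, then reuse it
    current = peak = 0
    peak_at = None
    for when, delta in events:
        current += delta
        if current > peak:
            peak, peak_at = current, when
    return peak, peak_at

def idle_sessions(sessions, now, idle_timeout):
    """Users still connected whose last activity is older than the timeout."""
    return [u for u, _, end, last in sessions
            if end is None and now - last > idle_timeout]
```

Comparing the two peaks against your session license count shows whether a shorter timeout alone keeps you under the limit or whether staggering VPN use is also needed.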

This month’s current events require rapid responses, flexibility and adaptability, including potential short-term changes to policies. Think about consequences and risks as you try to keep work going; prioritize employee health and safety, and maintain your business operations, but stay aware of additional risks that you take on and document changes that you may wish to roll back later or increase monitoring around.

The confidentiality-integrity-availability triangle is a core information security concept, and the past week has required many teams to tweak the availability leg in new and unprecedented ways. This shouldn’t come at the expense of abandoning confidentiality and integrity; where it does, think carefully about the new risks you take on and ensure that your business leadership stays informed.
