Cyber Risk and COVID-19: Practical Guidance on Securing Remote Work Environments
In Aon’s third risk alert on maintaining cyber resilience in the COVID-19 world, we turn our focus to the technology that is powering the “work-from-home” movement and learn from Eric Friedberg, co-founder of Stroz Friedberg, what companies should be doing to remain resilient during this period and to set the standard for secure remote work engagement in the future.
For millions of people around the world, working from home is no longer a novelty but a way of life. The relative ease of that transition for many organisations has been a rare silver lining of the COVID-19 crisis and is likely to pave the way for more flexible and remote working arrangements moving forward.
Already, the technology that has enabled remote work is under heavy scrutiny. Video conferencing software surged in popularity, but cracks have surfaced amid reports that conferences are being crashed by intruders posting offensive material and concerns around the security of platforms and their handling of data. Three class actions have been filed against a single video conferencing app provider in the last two weeks and it has now been banned from schools in Singapore.
In this environment, the integrity of systems has never been more crucial to companies and, concurrently, the pressure on those systems has never been more pronounced. To help our clients navigate this challenge, Eric Friedberg, the co-founder of Stroz Friedberg, a global leader in cybersecurity and specialised risk management, has provided practical guidance on how IT and security teams can work with remote employees to establish baseline security.
- Offer the Cyber Basics on Company-Issued Laptops: Where possible, IT staff should provide employees with company-issued laptops that are equipped with a VPN solution that uses multi-factor authentication, are fully patched, and have advanced endpoint protection tools installed.
- Deploy at Scale Anti-Phishing and Other Important Cyber Hygiene Trainings: Cyber hygiene has never been more important, but with so many other professional and personal concerns currently top-of-mind, practising good cyber hygiene can fall by the wayside. Trainings should feature anti-phishing education and offer other helpful reminders – from not plugging in USB devices to avoiding untrusted websites and not giving laptop access to family members.
- Expand Virtual Help Desk Remits and Promote Constant Communication: Through support packages, trainings, Help Desk calls and other means, employees can be empowered to:
  - Evaluate current anti-virus and anti-spyware software and easily download missing software.
  - Escalate suspected phishing attacks and suspicious social-engineering calls to appropriate company personnel.
  - Replace Wi-Fi router default passwords.
  - Enable domain name service protection.
  - Disable any and all browser plug-ins.
  - Avoid untrusted cloud and web-based services.
- Elevate Cyber Secure Processes: IT and security staff should consider:
  - Boosting monitoring of anomalous data transfers and wire transfers, and ensuring that all email-based wire transfer instructions are validated through phone calls.
  - Restricting employees’ personal devices from accessing external file transfers and Outlook .pst downloads.
  - Reviewing all configurable security options on VPN solutions and affirming that such solutions can validate the baseline security of remote nodes attempting to connect.
  - Constantly assessing VPN solution performance based on the number of employees accessing it. Where possible, reducing the load on the VPN by allowing direct access to fully patched common applications that are protected by MFA and enhanced logging.
  - Revisiting Windows Active Directory security settings, GPOs, configurations and security groups, as well as remote access network ACLs, segmentation and layer 2 and layer 3 security parameters.
  - Implementing alternative backup solutions for remote workstations.
  - Evaluating a broader group of cloud services to help ease the load on on-premises solutions.
  - Blocking foreign-originating IPs where feasible.
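The first item above, monitoring for anomalous data transfers by remote staff, is illustrated by the following added example; it is not Aon's or Stroz Friedberg's tooling, and the daily per-user byte counts, the user names and the thresholds are constructed for the illustration. Each user's other days serve as their own baseline, and a day is flagged only if it fails both a z-score test and an absolute-multiple test, so low-variance users are not flagged for noise.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: daily outbound bytes per remote user (date, user, bytes_out).
SAMPLE_LOG = """\
2020-04-01,alice,120000000
2020-04-02,alice,98000000
2020-04-03,alice,135000000
2020-04-04,alice,110000000
2020-04-05,alice,2400000000
2020-04-01,bob,45000000
2020-04-02,bob,52000000
2020-04-03,bob,47000000
2020-04-04,bob,49000000
2020-04-05,bob,51000000
"""


def parse_log(text):
    """Group the CSV lines into {user: [(date, bytes_out), ...]}."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, byte_str = line.split(",")
        per_user[user].append((date, int(byte_str)))
    return per_user


def find_anomalies(per_user, min_days=4, z_threshold=3.0, min_mult=5.0):
    """Return (date, user, bytes_out) for days far above the user's own baseline.
    Baseline is leave-one-out (the user's other days), so a spike cannot mask
    itself; both the z-score and an absolute multiple of the mean must be exceeded."""
    flagged = []
    for user, days in per_user.items():
        if len(days) <= min_days:  # too little history to call anything anomalous
            continue
        for date, volume in days:
            baseline = [v for d, v in days if d != date]
            mu, sigma = mean(baseline), pstdev(baseline)
            sigma = max(sigma, 1.0)  # flat baseline: avoid division by zero
            if (volume - mu) / sigma > z_threshold and volume > min_mult * mu:
                flagged.append((date, user, volume))
    return flagged


if __name__ == "__main__":
    for date, user, volume in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{date}: {user} sent {volume / 1e6:.0f} MB, review for possible exfiltration")
```

Flagged days are a prompt for the Help Desk or security team to verify the transfer with the employee, not a verdict on their intent.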
Putting Systems to the Test
Taking the steps outlined above will ensure that your organisation is well-placed to defend against the array of cyber threats that have already emerged during the COVID-19 crisis. But organisations must go further to understand whether they can withstand a sophisticated attack.
Increasingly, companies are turning to adversary simulation to test their ability to block malicious traffic but, more importantly, to assess their ability to detect and respond to intruders that inevitably make their way onto systems. The “red team” – ethical hackers who should be reputable and highly accredited – will simulate the likely attack paths used by state-sponsored hackers and organised crime groups, and then work with the “blue team”, an organisation's IT security team, to plug holes in the system and determine where improvements can be made.
The scope of these engagements should be flexible, allowing companies to test, for example, how the red team can penetrate a remote access environment or what they can achieve if posing as a malicious insider. Critically, these engagements are conducted remotely, just as an attack may be, and represent the ideal exercise for companies that seek continual improvement and assurance through this challenging period.
Contact Aon to find out more about how an adversarial simulation exercise can be tailored to your needs.
And, as always, stay safe and secure!