Have you considered the work from home risks?
Have you made the decision to allow employees to work from home or are you still contemplating the idea? If work from home is or will be the preferred method for the unforeseeable future, there are some things you should do to maintain your compliance and security posture.
Here are some risks you should be aware of:
- If two-factor authentication is not used a compromised set of credentials may result in bad actors gaining access into the internal corporate network.
- Consider you know nothing about the network at your user’s homes and treat it as a vulnerable point. You do not know if users have secure Wi-Fi at home, or if the router/firewall is configured properly as to not leave holes open in their network.
- If you are providing VPN as a remote access option:
- If VPN is not configured properly users may be able to connect personal devices resulting in potential data loss.
- If using split tunneling (corporate traffic is sent over VPN while all other traffic is sent over the user’s internet connection), it could become a proxy for bad traffic. A user browsing the internet could download malware which could infect the corporate network over the VPN.
- If using full tunneling of VPN traffic, bandwidth at the office can become a bottleneck since all traffic will be routed to and from the corporate office.
- If you are using some form of remote desktop or terminal services and they are not properly locked down, they can be used to leak data from the firm. e.g. Drives on a personal computer can be mounted to a corporate machine and files copied from it.
- Cloud-based applications if not configured properly could result in data loss. e.g. Users can use their personal devices to download files from Box or OneDrive.
- Remote control tools like GoToMyPC, TeamViewer, etc., can allow users to transfer files back and forth. This could result in data loss, or if files are being transferred back into the corporate network, malware.
- There may be an increase in phishing, vishing and smishing attacks.
- Users may be using personal devices to access business data and resources that may introduce unknown risks to the business network.
- Users may look to circumvent certain security controls if they are too restrictive.
- Users may unintentionally use unsanctioned tools and resources to make them more productive in a work from home environment.
- Configure VPN/remote access tools to use two-factor authentication.
- If this is not possible users should be encouraged to use long and strong passwords.
- If a user suspects a compromise, they should change their passwords immediately.
- Consider implementing a lockout policy to protect against brute force password attacks. While it could be an administrative nightmare to deal with, it could a protective measure that further secures your network. Remember this will only be temporary.
- If users have been provided hardware devices at home, make sure only authorized devices are allowed to connect. You can do this by using mac-based filtering to allow only trusted machines and devices. Shut down unused ports. If your VPN endpoints allow for detection based on device profile (attributes of the device: e.g. operating system, domain connected, anti-virus solutions, etc.), consider enabling it.
- If using SSL VPN clients, device profile authorization should also be used to prevent unauthorized devices from connecting.
- If using split tunneling limit the access users have. Only allow certain protocols such as RDP or access to certain applications. Block the ability to mount file shares such as blocking SMB, etc.
- If tunneling all VPN traffic and bandwidth is a concern, consider staggering user access or apply bandwidth throttling policies.
- If using remote desktop/terminal services, ensure windows group policies have been configured to prevent the mounting of local drives.
- If using desktop remote control tools, check to see if they provide ways to prevent users from having the ability to transfer files back and forth. This is generally not common or available in free solutions, so consider paying for an enterprise solution (after doing some research) to make sure these user access controls are available to you.
- Cloud and SaaS based solutions should be configured to only allow access to data from trusted devices and locations. Corporate owned devices that are used to access cloud and SaaS solutions can reduce risk if controls have been implemented on these devices to limit data loss.
- Continue to train your employees with phishing campaigns, email reminders and digital posters.
- Ensure you have a way to detect, prevent, and/or potentially control the personal devices users may be using to access business data and resources. Limit access to resources by using access controls on servers and applications, or implement firewall rules that can block traffic based on traffic-type and device type.
- Consider educating users about the need for certain restrictive controls and why they have been implemented. Providing transparency will allow your users to help you.
- Ensure users are aware that they are discouraged from using unsanctioned applications. Train them on the tools that can help them be more productive. Consider holding web-based conferences for users that need assistance in using new tools that may have been deployed for work from home situations.
Other items to consider:
- Ensure access logs on file servers, remote access solutions, etc., are reviewed to ensure there are no discrepancies in what you would expect to see.
- Monitor network and data center resources for availability, and to ensure they are sufficient for the demand of a remote work force.