Our country finds itself in a completely unprecedented situation as we struggle to figure out how to best respond to the spread of COVID-19.
How can we keep our country, and our world, functioning while limiting human contact as much as possible?
Businesses have sent employees home in droves to work remotely, but in many cases, they are completely unprepared for the security implications of doing so.
As the keepers of sensitive intellectual property, data, employee and customer personally identifiable information (PII) and more, how can you navigate the tricky waters of securing both human and cyber health for your business?
We get questions like this all the time from our customers and partners, and in this article, I've attempted to answer the most common questions organizations have about shifting securely to remote work.
Important Coronavirus Cybersecurity Questions you’ll find in this article:
- How do I build my Coronavirus work from home policy?
- How can I maintain security when employees work remotely?
- What are the best remote work solutions for cybersecurity?
- What can government agencies and contractors do to support work from home due to coronavirus?
- Should this change my general remote working security policy?
Coronavirus Cybersecurity Question #1: How do I build my Coronavirus work from home policy?
Securing your organization, and updating your work from home policy, is not as simple as flipping a switch.
It's best to take a two-pronged approach to ensuring that your employees can work remotely without concern for security.
You’ll want to simultaneously start making changes to your technology while also educating your employees about what they need to be doing from their end. If you address one side without the other, you’ll be wasting your time. The technology you deploy is useless if your employees use it incorrectly or fail to use it.
The strategies you can employ as an organization include:
- Set up two-factor authentication: Requiring the use of two-factor authentication (2FA) involves adding an additional layer of security to login entry points.
- Use a VPN and encrypted communications: Anytime a device needs to transmit or communicate sensitive data, it should be done over a secure Virtual Private Network (VPN) connection.
- Use antivirus software: On any work-furnished device, make sure you are installing and regularly updating antivirus software. This may not be an aspect you have full control over if allowing your employees to use their personal computers or devices.
- Be careful with remote desktop tools: Depending upon how remote desktop services are set up, they may expose the endpoint computer to unnecessary risks.
- Data at rest encryption: Make sure all of your devices have encryption for the data physically stored on that endpoint device. Or, use a virtual desktop infrastructure (VDI) solution to remove the risks associated with data being stored on an end user device.
- Data loss prevention (DLP): Using DLP software can help to protect sensitive data by controlling what end users can share or do with that data.
Now that you’ve taken steps to secure your network and put in place the technology you need to do that, it is time to ensure that your employees are doing their part to keep your data safe.
This is where training comes in. It will ensure that employees know what is expected of them and how to maintain all of the security measures put in place.
Training should encompass:
- Training on the basics: Train your users on the basics that they need to know with regards to best practices including password strength, phishing emails (which have exploded in number since the start of the COVID pandemic) and sites, physical use of devices, etc.
- Instructions for connecting: Provide your employees with clear instructions for how they should connect to the corporate network, what requirements you have for their home router, and what types of connections are safer than others (e.g. public Wi-Fi connections).
- Provide a solution that is fool-proof: While it should never replace training, providing users a solution that requires no specialized technical knowledge and will be secure over any connection can go a long way in reducing the problems that individual users can introduce.
What is incredibly important to remember as you embark upon this journey is that it does you no good to blame your employees or give up on their ability to help keep you secure. Instead, recognize that it is your responsibility to help find solutions that will be as simple and effective as possible for them to use with as little training as possible.
Looking for guidance on how to train your employees effectively, and quickly?
Moderated by Lauren Schwartz, CEO of Tech+Wise(Group) and featuring J. Peter Bruzzese, Co-Founder and Chief Content Officer of Clip Training, it provides helpful information that you can use to get your team up to speed right away.
Coronavirus Cybersecurity Question #2: How can I maintain security when employees work remotely?
Often viewed as “older” technology, hardware-based VPNs don’t get a lot of love. But if you are looking for a remote work solution that is highly secure, easy to use, with minimal set-up requirements, and cost-effective, you should absolutely consider implementing one.
In many cases, hardware-based VPNs actually provide better security, are easier to use, and require less maintenance than their software-based counterparts.
Outfitting your remote work team with a hardware VPN is also the best choice to ensure that you maintain security when your employees work remotely, especially if they are using their personal devices to connect.
Benefits of a hardware-based VPN:
The benefits that set hardware-based VPNs such as Attila's GoSilent apart from software VPNs include:
- No software is required for end user devices. This makes it very simple to connect both employer-provided devices and personal devices alike.
- Centralized IT support, maintenance and management is much less involved. For the most part, once initial installation and setup of the server-side software is complete (usually in as little as 10 minutes), there isn’t much to worry about.
- No software compatibility concerns. No software to install means no concerns about device operating systems, patches, updates or application versions.
- Firewalling and isolation. End user devices that connect through our GoSilent Cube never actually touch the networks they connect to, and are completely protected (and hidden) from them.
- Smaller attack surface. Because the end user device is completely hidden from the network, the applications and operating system on that device no longer offer an attack surface to it.
- Lower risk of “VPN hijacking.” Because the end user device is completely hidden from the network, it is much more difficult to steal VPN credentials from the device.
- Greater control over where traffic is sent. A hardware-based VPN can be configured to only allow traffic to flow to a single endpoint.
- Potential to connect multiple devices. GoSilent can be used as a Wi-Fi hotspot to protect multiple end user devices (like a mobile phone, laptop and tablet) all at the same time.
- Reduced risk of misconfigurations and user error. Because there is nothing to configure on a GoSilent, there is nothing to misconfigure. It is as simple as plugging the GoSilent Cube into the end user device (or connecting the two over GoSilent Cube's LAN).
When to use hardware-based VPNs:
There are some very clear use cases where a hardware-based VPN is the right choice. Some of those situations, specific to remote work, include:
- Public Wi-Fi connections: Where end users need to connect over public Wi-Fi, or may encounter captive portals, a hardware-based solution is far superior to a software VPN due to its ability to completely obfuscate the IP address of the end user device, as well as its ability to isolate the captive portal within the GoSilent sandbox environment.
- Networks with untrusted devices: Where end user devices need to connect over networks that will likely have many other untrusted devices on them (think home Wi-Fi networks), the same benefits apply.
Coronavirus Cybersecurity Question #3: What are the best remote work solutions for cybersecurity?
There are quite a few categories of tools meant to support the security of end users.
In fact, you can look through a full list of cybersecurity providers offering discounts or promotions to help support companies working remotely during COVID-19.
Some of the most important tools that come to mind for remote work include:
- Password managers
- Antivirus software
- Data loss prevention tools
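As an added example of the kind of content check a DLP tool applies before letting data leave the network (this is example code written for this article, not the original article's code and not any product's), the Python below scans an outgoing message for payment card numbers and US Social Security numbers. Card candidates are validated with the Luhn checksum so that random 16-digit order ids are not flagged, SSN candidates are filtered by the structural rules for area, group and serial, and every finding is returned redacted to its last four digits together with an allow/block decision. The sample message is constructed for the example.

```python
"""Minimal DLP content check: find PAN and SSN patterns, validate, redact, decide."""
import re

# Runs of 13-19 digits optionally separated by spaces or dashes (card numbers as users type them).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(digits: str) -> str:
    """Keep the last four digits so an analyst can correlate the finding without seeing the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted_value) for each validated sensitive item in `text`."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("card_number", redact(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", redact(m.group().replace("-", ""))))
    return findings


def decide(text: str) -> str:
    """Policy decision a DLP gateway would enforce: block any message with a validated finding."""
    return "block" if scan(text) else "allow"


# Constructed sample: one real-looking card number (the well-known 4111... Visa test number),
# one look-alike order id that fails Luhn, one valid SSN pattern, one invalid SSN pattern.
SAMPLE_MESSAGE = (
    "Please ship to card 4111 1111 1111 1111, SSN 123-45-6789. "
    "Ref 4111111111111112 is an order id, and 000-12-3456 is not an SSN."
)


if __name__ == "__main__":
    for kind, value in scan(SAMPLE_MESSAGE):
        print(f"{kind}: {value}")
    print("decision:", decide(SAMPLE_MESSAGE))
```

Pattern matching alone produces noise; the checksum and structural filters are what make a block decision defensible when a user asks why their message was stopped.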
Securing communications between remote workers and the primary network:
If your organization is looking to implement a company-wide, secure solution for remote work that is not overly expensive, difficult to manage or maintain, and simple for end users, a combination of VDI and a hardware VPN may be the right fit.
Combining Virtual Desktop Infrastructure (VDI) with a secure hardware VPN allows your employees to securely connect to your internal network from their own devices.
A VDI allows you to work remotely through a virtualized environment that lives on your central server. End user devices connect via the VDI to virtual machines that you have set up on your server and users can execute work as if they are on your internal network.
With VDI, no data is stored on the end user device. Instead, the user simply sees what is on the screen of the virtual machine and can interact with it, but not store data from it. VDI supports a wide range of end user devices, from laptops and desktops to tablets or mobile devices.
Combining this environment with a secure hardware VPN, like the GoSilent Cube, protects all traffic and information flowing across the connection between the end user device and the central network.
The primary benefits of executing a solution like this are:
- Makes BYOD secure: Prior to this, Bring Your Own Device (BYOD) may have been allowed for your organization, but would have posed significant security concerns. An architecture like this allows for the use of personal devices with no risk to your data.
- Faster to implement: Getting a solution like this up and running can happen very quickly, and with little involved effort by your IT team required.
- Better technical investments: The combined VDI and VPN solution will be less expensive overall than providing laptops for your entire team. Server capacity and device-agnostic VPN hardware are also far easier to repurpose than a laptop, since each has many more uses.
- No risk to your data: Because no data is ever stored on an end user device, and all of the changes or modifications to your data happen physically on your servers (inside your network, inside your data center facility), it is actually more secure than providing employer-issued devices (which can be lost or stolen) to your team.
- Significantly lower management and maintenance: Managing the updates, patches and setup of the combined VDI and VPN solution requires almost no support from your central IT team.
- Allows users to mask connection endpoints: If you have employees that regularly travel around the world, including to untrusted regions, it can be beneficial to your organization to mask the IP address from and to which your employees are connecting to prevent malicious actors from obtaining that information or taking action on it.
Coronavirus Cybersecurity Question #4: What can government agencies and contractors do to support work from home due to coronavirus?
The current approach to remote work in government agencies:
Prior to COVID-19, government agencies would typically identify a core group of individuals that needed remote work capabilities for continuity of operations. This group was primarily selected due to a role that required them to be connected whenever they work from home or on the road, in the course of normal life circumstances.
Another deciding factor in allowing remote work for specific government employees hinges on what kind of data they access in the execution of their job. The more sensitive the data, the less likely that they would be allowed to access it remotely.
Agencies might also have determined an additional percentage of staff that they want to have prepared to work remotely should the need arise. In this case, they would have procured the equipment for an additional, say, 10% of their team to be covered. They might not have deployed or set up all of this equipment, but would have had it available in case the need arose.
In most cases, the combination of the two groups above would have allowed for a percentage of a particular agency’s staff to be up and running remotely. The remaining staff would then be placed on administrative leave and their work halted.
The problem with getting remote work off the ground quickly:
In all of the above cases, the amount of remote work that can be supported relies 100% on the ability to supply government-furnished devices to employees.
And therein lies the problem.
In general, the costs associated with having enough government-furnished devices ready for every employee of a government agency are simply not feasible.
More specifically, in the situation we've experienced recently with the Coronavirus, where remote work needed to be ramped up very quickly, and with little involvement from central IT support staff, this approach is not only impractical, but completely impossible.
A secure, fast, and easy-to-implement solution:
As I mentioned previously, combining VDI with a secure hardware VPN can allow government employees to securely connect to the internal network from their own devices, at home, with very little hassle.
Because VDI does not allow the end user to download or store any of the data they are accessing, it is ideal for BYOD situations and environments with insecure Wi-Fi connections, especially when used in conjunction with a secure hardware VPN like our GoSilent Cube.
Coronavirus Cybersecurity Question #5: Should this change my general remote working security policy?
The events of the last few months have exposed some serious shortfalls in how businesses and government approach remote work.
As a result, I expect we'll see some widespread and lasting changes to address those issues in the months and years following COVID-19.
Some of these have already begun to happen.
For example, earlier this year, the US Department of Defense released its Cybersecurity Maturity Model Certification (CMMC) framework. CMMC is a set of cybersecurity requirements that private contractors must meet in order to be eligible to bid on defense contracts -- and their compliance must be audited and certified by an approved third party.
I predict that, similar to the expansion of worker health and safety requirements for private sector businesses with the establishment of OSHA in 1971, you’ll see the private sector roll out requirements similar to those detailed in the CMMC framework.
We will eventually see a centralized government body, like OSHA, that will manage and certify businesses to an expected level of cybersecurity, and that centralized body will require that supply chain partners adhere as well.
In the meantime, there will more than likely be an audit into the shortfalls and gaps amongst US Governmental agencies in meeting their missions and objectives during the COVID-19 pandemic.
A Government Accountability Office (GAO) Audit will likely be conducted to understand what our gaps were in dealing with remote work for such a large portion of government employees and provide recommendations to Congress to fix them. These recommendations will ultimately inform a plan, or policy, on how to approach a pandemic or similar experience in the future.
There will likely be new mandates that come out of this process that require government agencies to be set up to maintain a certain level of operability remotely in the event something like this happens again. Regardless of those requirements, I believe we will see a concerted effort across the board within the US Government to find a way to mobilize a much larger remote workforce quickly should the need arise.
Bottom line -- remote working security policy will never be the same after COVID-19 is over.
The organizations that will thrive in the future will be those that have a solid plan for allowing remote work at levels that could include the entire organization. That plan will require a combination of security tools, policies and practices, as well as a robust and ongoing employee training program.
In short, the time to begin is now.