In 2020, nearly every organisation embraced remote working to some extent or another. For some, the transition was smooth and easy, as they already had a mobile workforce and were largely cloud-based.
However, for most organisations, the transition has been anything but smooth. Quick fixes were implemented in order to keep the show on the road. New equipment was purchased and shipped to employees, new procedures were documented, and in some cases, security controls were weakened to not interfere with the daily operations.
In one extreme example, I was told of an organisation that disabled multi-factor authentication (MFA) for remote users because they wouldn’t have been able to support the volume of calls that would have come in. I’m not saying that the organisation was wrong for doing so, after all, keeping the organisation running at a time where the future is ambiguous takes priority. However, as we reach the end of the year, it’s time to start looking at some of the tech debt that some of these decisions have accrued and work towards a plan of bringing back some security stability.
Here are five common pitfalls to avoid, each with a tip, for an organisation looking to build a resilient security posture for a remote or flexible working environment:
- Knowledge is Stored in Different People’s Brains
While this has always been true for any organisation, and in particular for technical departments, it has become even more important during remote working, where it’s not possible to tap a colleague on the shoulder and ask them how a particular app works. Not only do you often find that the information is held by different people, but it is also impossible to know accurately WHO has the relevant pieces of knowledge when they are needed.
Tip: Document, document, document. Ensure all processes and procedures are documented and kept up to date.
- Don't Think Technology Will Solve Everything
Many organisations seem to hold onto the belief that there is no security problem that can’t be solved by throwing more technology at it. In the short term, that may seem like the easy option, compared with working on weaving security into the culture of the organisation. If mistakes are occurring, or data is being mishandled, it pays dividends to understand why these things are happening. Many times, it’s not because the right technology isn’t in place, but because people aren’t aware of why they should be doing something.
Tip: Invest in a security culture program and encourage all employees to be part of the security process. Open communication channels so that any issues or queries can be raised quickly and easily.
- Asset Inventory
How many assets does your organisation have? That includes software, hardware, laptops, webcams, servers, cloud licences, databases… the whole shebang. If you don’t know what assets are connecting or should be connecting to your network, or who has access to which applications, or where all your data is spread out, how will you be able to secure it? If an employee leaves, will you know if he/she has returned all corporate-owned assets and isn’t walking away with your intellectual property?
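The questions above (what should be connecting, and whether a leaver has returned everything) are exactly what a register lets you answer mechanically. The following is an added example, not code from the original post: it reconciles a small constructed asset register against the hostnames actually seen on the network and against an HR leavers list. The record layout, field names and all sample values are assumptions made for illustration.

```python
"""Reconcile an asset register against observed hosts and a leavers list.

Added example, not from the original post. Every record below is
constructed for illustration; the register format is an assumption.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                        # "laptop", "server", "saas-licence", ...
    owner: str                       # employee or team accountable for it
    hostname: Optional[str] = None   # None for assets that never touch the network
    returned: bool = False           # set when a leaver hands the asset back


# Constructed register: what the organisation believes it owns.
REGISTER = [
    Asset("LT-001", "laptop", "alice", hostname="alice-lt"),
    Asset("LT-002", "laptop", "bob", hostname="bob-lt"),
    Asset("LT-003", "laptop", "carol", hostname="carol-lt"),
    Asset("SRV-010", "server", "infra", hostname="fileserver01"),
    Asset("LIC-0042", "saas-licence", "bob"),
]

# Constructed observation: hostnames that authenticated to the VPN this week.
OBSERVED_HOSTS = {"alice-lt", "fileserver01", "unknown-pc", "bob-lt"}

# Constructed HR feed: staff whose leaving date has passed.
LEAVERS = {"bob"}


def unregistered_hosts(register, observed):
    """Hosts seen on the network that no register entry accounts for."""
    known = {a.hostname for a in register if a.hostname}
    return sorted(observed - known)


def missing_hosts(register, observed):
    """Registered network assets that never showed up: lost, stale or retired."""
    return sorted(a.asset_id for a in register
                  if a.hostname and a.hostname not in observed)


def unreturned_leaver_assets(register, leavers):
    """Assets (including licences) still held by people who have left."""
    return sorted(a.asset_id for a in register
                  if a.owner in leavers and not a.returned)


def reconcile(register, observed, leavers):
    """Run all three checks and return the findings keyed by name."""
    return {
        "unregistered_hosts": unregistered_hosts(register, observed),
        "missing_hosts": missing_hosts(register, observed),
        "unreturned_leaver_assets": unreturned_leaver_assets(register, leavers),
    }


if __name__ == "__main__":
    for finding, items in reconcile(REGISTER, OBSERVED_HOSTS, LEAVERS).items():
        print(f"{finding}: {items or 'none'}")
```

Run on the constructed data it flags `unknown-pc` as a host nobody registered, `LT-003` as a registered laptop that has gone quiet, and both of bob's assets (the laptop and the SaaS licence) as unreturned. The point of the three separate checks is that each feeds a different process: the first goes to the network team, the second to whoever tracks lost or retired kit, and the third to the leaver process.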
Tip: Build out an asset register and log everything that interacts with your organisation. Use a VPN and enable MFA for remote access.
- Monitoring
With most of the workforce moving to remote work, it can be easy to fall into the trap of thinking that because you’ve deployed a VPN, or because all the apps are hosted in the cloud, everything is as secure as it should be. Unfortunately, that isn’t always the case, so gaining visibility into the highly disparate environment through good monitoring controls is essential. It’s upon these controls that threat detection can be built, so any potential breach can be quickly identified and investigated before it becomes an all-out incident.
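To make "threat detection built on monitoring controls" concrete, here is an added example that is not from the original post: a few simple detections run over constructed VPN authentication log lines, with alerts ordered so that the most valuable assets come first. The key=value log format, the field names, the criticality tiers and the failure threshold are all assumptions; the log lines are constructed for illustration.

```python
"""Simple detections over VPN authentication logs.

Added example, not from the original post. The log format, field names,
criticality tiers and threshold are assumptions; every line is constructed.
"""
import re
from collections import Counter

# Constructed log format: one key=value line per VPN authentication event.
LOG_LINES = [
    "ts=2020-12-01T08:01:10Z user=alice host=alice-lt mfa=yes result=success src=203.0.113.10",
    "ts=2020-12-01T08:02:44Z user=bob host=bob-lt mfa=no result=success src=198.51.100.7",
    "ts=2020-12-01T08:03:01Z user=svc-backup host=fileserver01 mfa=no result=success src=192.0.2.55",
    "ts=2020-12-01T08:05:12Z user=carol host=carol-lt mfa=yes result=success src=203.0.113.44",
    "ts=2020-12-01T08:06:00Z user=dave host=dave-lt mfa=yes result=failure src=198.51.100.9",
    "ts=2020-12-01T08:06:05Z user=dave host=dave-lt mfa=yes result=failure src=198.51.100.9",
    "ts=2020-12-01T08:06:09Z user=dave host=dave-lt mfa=yes result=failure src=198.51.100.9",
    "ts=2020-12-01T08:06:14Z user=dave host=dave-lt mfa=yes result=failure src=198.51.100.9",
    "ts=2020-12-01T08:06:20Z user=dave host=dave-lt mfa=yes result=failure src=198.51.100.9",
]

# Constructed: how valuable each asset is; anything not listed is "normal".
CRITICALITY = {"fileserver01": "high"}
TIER_ORDER = {"high": 0, "normal": 1}

# Assumed threshold: this many failures from one user/source pair raises an alert.
FAILURE_THRESHOLD = 5

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))


def detect(lines, criticality=CRITICALITY, threshold=FAILURE_THRESHOLD):
    """Return (rule, tier, user, host) alerts, most critical assets first."""
    alerts = []
    failures = Counter()
    for raw in lines:
        ev = parse(raw)
        host = ev.get("host", "?")
        user = ev.get("user", "?")
        tier = criticality.get(host, "normal")

        # Rule 1: a successful remote logon that did not use MFA.
        if ev.get("result") == "success" and ev.get("mfa") != "yes":
            alerts.append(("no_mfa", tier, user, host))

        # Rule 2: repeated failures from the same user and source address.
        if ev.get("result") == "failure":
            key = (user, ev.get("src"))
            failures[key] += 1
            if failures[key] == threshold:      # fire once, when the threshold is reached
                alerts.append(("repeated_failures", tier, user, host))

    # "Start at the most valuable assets": high-tier alerts sort to the top.
    alerts.sort(key=lambda a: TIER_ORDER[a[1]])
    return alerts


if __name__ == "__main__":
    for rule, tier, user, host in detect(LOG_LINES):
        print(f"[{tier}] {rule}: user={user} host={host}")
```

On the constructed lines this produces three alerts: the non-MFA logon to `fileserver01` first (high tier), then bob's non-MFA logon and dave's run of five failures. Two rules are deliberately all it takes to show the pattern; the useful part is that the register's criticality drives the ordering, so a small team can triage the high-value alerts before widening coverage.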
Tip: Set up monitoring and threat detection controls. Start at the most valuable assets and expand outwards.
- Insufficient Change Management
Having a well-defined, mature, and effective change management system in place can help eliminate many of the challenges organisations find themselves facing during these turbulent times. It’s a good time to look back over the year and retrospectively document all changes and the reasoning behind them. From there, work out a rollback plan if needed, or ensure it is documented fully (as per point one).
Tip: Don’t just make changes to your production environment. Document everything, even if it means you’ll retrospectively have to assess the full impact or roll back.
While much has changed over the last year, it’s never too late to regain sight of your organisation’s risk posture. Four steps to bear in mind for this, and for most transformation programs, are:
- Understand what the current state is
- Define what your target state is
- Implement the changes
- Assure the changes