The National Cybersecurity Alliance says, “If you connect it, protect it.” According to Owl Labs, two out of 10 people currently work remotely from home full time, blurring the line between business and personal environments. This exposes both the teleworker and the business to cyber threats that on-site controls were never designed to address. That’s why creating cybersecurity policies and procedures that reflect this new normal is essential.
Here are the top five areas to consider when writing new cybersecurity remote workforce policies and procedures:
One: Asset Management
A secure, sustainable telework policy requires all employees to work from corporate-owned devices. However, even if an organization has such a policy in place – and many don’t – additional security considerations must be addressed.
Updates and Patches
One of these is how remote devices will receive necessary updates and patches. Many on-site devices pull updates directly from the corporate intranet when they connect to the network; a laptop that rarely connects to the VPN, or that never reaches the internal update server, simply misses those pulls. On average, 48% of on-site systems receive patches within three days, but only 42% of remote devices are patched within the same window. While that difference may seem small, it raises the average time to patch a vulnerability from around 7 days if every system were on-site to around 38 days once off-site assets are included.
In practice, that six-point gap means roughly six additional unpatched systems for every 100, each a reachable path into the organization’s network and data for about 38 days on average. That delay leaves these devices exposed to exploitation of publicly known vulnerabilities and significantly increases an organization’s cyber risk.
Another potential issue is how to retrieve devices from laid-off employees. During COVID-19, many companies have reduced their workforce, yet may not be able to physically retrieve company-owned devices due to quarantine restrictions. If an employee refuses to voluntarily surrender a corporate device, an organization must have measures in place (such as full-disk encryption, the ability to remotely wipe or disable the device, and immediate revocation of the former employee’s accounts, VPN access and certificates) so that an unreturned device cannot cause a data breach or other security incident.
Two: P&Ps to Address a Remote Environment
In addition to managing company assets outside of the organization’s network, the environment in which those assets operate is equally important. When working remotely, especially from home, it is easy to become lax about security practices that are routine in the workplace. Adhering to clean desk policies and making sure to lock, log off or shut down computers are just a few tasks that employees do while in the office but may not do at home.
It’s important to make sure documented policies and procedures lay out the specific requirements for working in the home environment. These should then be reinforced with technical controls like Active Directory Group Policies to ensure compliance.
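As an added example of reinforcing the lock-your-screen rule with a technical control (this script is not from the original post and is not an Avertium tool): on a domain-joined machine these settings normally arrive through Group Policy, via “Interactive logon: Machine inactivity limit” and the password-protected screen saver policies. The script below reads the same registry values those policies write, reports any drift from the requirement, and with -Remediate writes them locally for a machine that is not yet joined to the domain. The 15-minute limit is an assumed policy value; it runs on Windows PowerShell 5.1 or later.

```powershell
# Added example: audit (and optionally remediate) the Windows lock-on-inactivity
# control on a remote worker's endpoint. Domain-joined machines should receive
# these settings via Group Policy; this is the local check for the same values.
param(
    [int]$MaxIdleSeconds = 900,   # assumption: policy requires a 15-minute idle lock
    [switch]$Remediate            # write the required values if they are missing/wrong
)

# Registry locations that the corresponding Group Policy settings populate.
$machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$userPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. "Interactive logon: Machine inactivity limit" writes InactivityTimeoutSecs (DWORD).
#    A missing value or 0 means the machine never locks on its own.
$idle = Get-PolicyValue $machinePolicy 'InactivityTimeoutSecs'
if (-not $idle -or [int]$idle -gt $MaxIdleSeconds) {
    $findings += "InactivityTimeoutSecs is '$idle' (required: 1..$MaxIdleSeconds)"
    if ($Remediate) {
        New-Item -Path $machinePolicy -Force | Out-Null
        Set-ItemProperty -Path $machinePolicy -Name 'InactivityTimeoutSecs' `
            -Value $MaxIdleSeconds -Type DWord
    }
}

# 2. Password-protected screen saver for the current user. The policy values are
#    REG_SZ strings, so they are compared and written as strings.
$required = [ordered]@{
    ScreenSaveActive    = '1'
    ScreenSaverIsSecure = '1'
    ScreenSaveTimeOut   = "$MaxIdleSeconds"
}
foreach ($name in $required.Keys) {
    $actual = Get-PolicyValue $userPolicy $name
    $ok = if ($name -eq 'ScreenSaveTimeOut') {
        $actual -and ([int]$actual -le $MaxIdleSeconds)
    } else {
        $actual -eq $required[$name]
    }
    if (-not $ok) {
        $findings += "$name is '$actual' (required: $($required[$name]))"
        if ($Remediate) {
            New-Item -Path $userPolicy -Force | Out-Null
            Set-ItemProperty -Path $userPolicy -Name $name -Value $required[$name] -Type String
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'COMPLIANT: idle screen lock is enforced'
} else {
    $findings | ForEach-Object { Write-Output "NONCOMPLIANT: $_" }
    if ($Remediate) { Write-Output 'Remediation applied; run gpupdate /force or log off to confirm.' }
}
```

Run it without -Remediate first to see what the endpoint actually enforces; the Group Policy setting is the authoritative control and will overwrite these local values at the next policy refresh, which is the desired behaviour on managed machines.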
Your new remote workforce policies and procedures should also cover home network security. This is an excellent opportunity to enhance employee knowledge, increase security awareness, get employee buy-in by helping them protect their home network and add further protection for remote work.
Ensure employees know how to:
- Change the default administrator password (and Wi-Fi passphrase) on the ISP/home router
- Ensure ISP/home router firewalls are active
- Get company-offered free or low-cost home network monitoring solutions
- Recognize signs of a home network attack
Employee Privacy and Consent
During telework, most organizations have required employees to use virtual private networks (VPNs) for network security. A full-tunnel VPN routes all traffic from the employee’s computer through the corporate network for security scanning before sending it on to its destination.
Due to the sudden need to transition to remote work, many companies lack sufficient numbers of company managed laptops to support a fully-remote workforce. As a result, many employees are working from personal devices instead.
This dual use of devices creates significant privacy concerns if all traffic from an employee-owned laptop is routed through the corporate VPN: a full-tunnel configuration carries the employee’s personal browsing, banking and medical traffic through corporate inspection as well. Split tunneling (sending only corporate-bound traffic through the VPN) reduces that exposure but also removes the corporate inspection of the personal traffic, so the choice should be made deliberately and documented. Whichever model is used, a telework policy must contain an explicit “consent to monitor” clause explaining that traffic resulting from personal use of a laptop connected to a corporate VPN flows through the organization’s network and may be monitored.
Failure to obtain explicit consent from employees may put an organization in breach of data privacy laws.
Three: Incident Response Policies and Procedures
Most organizations’ incident response plans are based on the assumption that incident response team (IRT) members will be able to respond in person to a potential incident. With a remote workforce, especially while COVID-19 “shelter in place” requirements are in place, this may not be possible.
When responding to a cybersecurity incident involving a teleworker, an IRT may have to rely upon the remote worker, who may have limited technical knowledge, to respond to and recover from the incident. This will likely delay response times (potentially increasing the impact of the incident) and may make recovery activities, such as reimaging the machine, much more difficult to complete.
To prepare for this situation, organizations may wish to create “IR kits” containing automated scripts for common data collection and recovery activities, designed so that a non-technical employee can run them under phone guidance and return the results to the IRT.
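Added example of such an IR kit, not from the original post and not an Avertium standard: a PowerShell collector that a remote worker runs as Administrator under phone guidance from the IRT. It gathers volatile system data and patch state into CSV files, isolates each collector so one failing cmdlet does not abort the run, hashes every artifact, and zips the result for upload. The collector set, folder layout and 72-hour logon-event window are my assumptions; it targets Windows 10 with Windows PowerShell 5.1 or later.

```powershell
# Added example: minimal "IR kit" collector for a remote Windows endpoint.
# Run as Administrator. Assumptions: Windows 10, PowerShell 5.1+, the collector
# names and output layout are illustrative, not an organizational standard.
#Requires -RunAsAdministrator
param(
    [string]$OutputRoot = "$env:USERPROFILE\Desktop",   # where the zip lands for upload
    [int]$EventHours = 72                                # how far back to pull logon events
)

$case = "IR-$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
$dir  = Join-Path $OutputRoot $case
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Each collector is a scriptblock run in isolation: a failure is recorded in the
# manifest instead of stopping the run, so the user still gets a usable package.
$collectors = [ordered]@{
    'system'      = { Get-CimInstance Win32_OperatingSystem |
                      Select-Object CSName, Caption, Version, LastBootUpTime, InstallDate }
    'processes'   = { Get-Process -IncludeUserName |
                      Select-Object Id, ProcessName, Path, StartTime, UserName }
    'netconns'    = { Get-NetTCPConnection |
                      Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
                                    State, OwningProcess, CreationTime }
    'dnscache'    = { Get-DnsClientCache | Select-Object Entry, RecordType, Data, TimeToLive }
    'autoruns'    = { Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User }
    'schedtasks'  = { Get-ScheduledTask | Select-Object TaskName, TaskPath, State, Author }
    'localusers'  = { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet }
    'localadmins' = { Get-LocalGroupMember -Group 'Administrators' |
                      Select-Object Name, PrincipalSource, ObjectClass }
    'hotfixes'    = { Get-HotFix | Select-Object HotFixID, Description, InstalledOn }
    # 4624 logon, 4625 failed logon, 4672 special privileges assigned.
    'logons'      = { Get-WinEvent -FilterHashtable @{
                          LogName = 'Security'; Id = 4624, 4625, 4672
                          StartTime = (Get-Date).AddHours(-$EventHours) } -ErrorAction Stop |
                      Select-Object TimeCreated, Id,
                          @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } }
}

$manifest = @()
foreach ($name in $collectors.Keys) {
    $file  = Join-Path $dir "$name.csv"
    $start = Get-Date
    try {
        & $collectors[$name] | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
        $status = 'ok'
    } catch {
        $status = "error: $($_.Exception.Message)"
    }
    # An empty result set (or an error) still produces a file, so the manifest is complete.
    if (-not (Test-Path $file)) { Set-Content -Path $file -Value $status }
    # Hash every artifact so the IRT can verify nothing changed in transit.
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    $manifest += [pscustomobject]@{
        Artifact  = "$name.csv"
        Status    = $status
        SHA256    = $hash
        Collected = $start.ToString('o')
    }
}

$manifest | Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation -Encoding UTF8
$zip = "$dir.zip"
Compress-Archive -Path $dir -DestinationPath $zip -Force
Write-Output "Collection complete: $zip"
Write-Output "Package SHA256: $((Get-FileHash -Path $zip -Algorithm SHA256).Hash)"
```

The IRT reads the package hash back to the employee over the phone before the upload, then checks it against manifest.csv on receipt. Collection deliberately comes before any recovery step such as reimaging, since the reimage destroys the evidence the manifest describes.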
Four: Regulatory and Contractual Compliance
Many organizations are governed by data protection regulations that apply to certain jurisdictions. Depending on the location where sensitive data is being processed and potentially breached, different regulations may apply.
Most organizations have strategies in place for ensuring compliance with data protection regulations and contractual requirements. However, these strategies likely rely upon the assumption that all employees and data processing are on-site. With a remote workforce, this assumption may no longer hold, potentially impacting an organization’s ability to secure sensitive data and maintain regulatory and contractual compliance.
Organizations with remote workforces must establish policies and security controls to ensure that sensitive data is protected in accordance with contractual and regulatory requirements. Additionally, an organization should investigate how telework expands and impacts their regulatory obligations and put in place any additional security controls required to achieve compliance with these new requirements.
Five: Developing Telework Security Policy and Procedures
Telework introduces a number of new security threats and considerations that must be incorporated into an organization’s security policies and procedures. As businesses contemplate a permanent or extended shift to telework in the wake of the COVID-19 pandemic, it is vital to update these policies and procedures and implement the security controls necessary to minimize the cyber risks associated with telework.
Corey McReynolds is Managing Consultant for Enterprise Solutions. Corey is the primary point of contact and consultant for Avertium’s largest enterprise security customers and he directs a team of highly skilled consultants providing a full stack of expertise to security and compliance projects.
Avertium brings enterprise-level security to mid-to-large organizations challenged by the cybersecurity talent shortage, rapidly evolving threat landscape and budgetary constraints. The company’s acclaimed show-no-weakness approach to extended detection and response (XDR), governance and compliance, and strategic advisory services is redefining the managed security services category. From financial services and manufacturing, to technology and healthcare, more than 2,500 companies rely on Avertium’s more rigorous, more relevant, and more responsive delivery of cybersecurity services. Backed by growth equity firm Sunstone Partners, Avertium operates CyberOps Centers of Excellence in Arizona, Colorado, and Tennessee.