Cyber Risk Advisory
Remote Workforce is NOT the New Norm, but “Secure Work Anywhere” Should Be
Secure Work Anywhere (SWA) is a new term for an old idea that is quickly becoming an industry standard. The overall principles of SWA are not new, but the risks associated with increased rates of workers connecting from potentially unsecure networks highlight the importance of those principles now more than ever. Although your workers may not always be remote, they should always be secure.
The US Secret Service has warned that COVID-19 email scams are on the rise, Google has discovered dramatic increases in detected phishing sites, and stimulus package fraud emails and websites have been popping up like weeds. Cyber criminals are exploiting the public’s fear, panic, and uncertainty amid the COVID-19 crisis, committing ‘Crimes of Opportunity’ by hosting convincing-looking websites and sending convincing-looking emails, with increased success rates.
Securing your workforce starts with treating users, laptops, and all other remote work hardware (desktops, cell phones, tablets, etc.) and software (applications, systems, programs, etc.) as potential vulnerabilities. Generally speaking, workers who are issued laptops are able to connect to an organization’s network and work remotely with little to no loss of functionality. However, few organizations have the necessary security controls in place to even minimally enforce the same security controls used on-site, and fewer still restrict user access while off-site or remote.
The 5 key tenets of SWA are:
- Secure the endpoint (laptop/phone/tablet/remote desktop)
- Identify and authorize all user access
- Secure connection to necessary and specific job-related data
- Restrict access until identity is confirmed, user authorized, and a secure connection is established
- Limit access and permissions using the Principle of Least Privilege
To ensure the same security controls are enforced whether on or off the corporate network, organizations need to enforce endpoint-based security policies for malware and virus detection. Endpoint device virus and malware tools, detection patterns, and definitions should be automatically updated upon connection to a network and required to be up-to-date prior to connecting to the corporate network.
Organizations should identify employees (and their administrator accounts) by using unique usernames with complex passwords, along with multifactor authentication (MFA). MFA should be required to establish a secure network connection, and is swiftly accomplished with easy-to-use, integrated applications. Additional MFA tools from separate providers/manufacturers should also be used to further secure and restrict access to an organization’s most critical data. A secure network connection can be established using a Virtual Private Network (VPN) in combination with role-based access controls (RBAC) and/or a software defined perimeter (SDP) that allows organizations to limit users’ access to data, applications, etc., based on “need to know” while preventing access and visibility to everything else.
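The tenets above can be combined into a single deny-by-default access decision. The sketch below is an added example, not part of the original advisory; the role names, resource names, MFA provider names, and the 24-hour definition-age limit are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy values (assumptions, not taken from the advisory).
MAX_DEFINITION_AGE = timedelta(hours=24)
ROLE_RESOURCES = {  # RBAC: "need to know" per role
    "accounts-payable": {"invoices", "vendor-db"},
    "engineer": {"source-repo", "build-server"},
}
CRITICAL_RESOURCES = {"vendor-db"}  # requires MFA from a second, separate provider

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    password_ok: bool
    mfa_providers: frozenset       # MFA providers that verified this session
    tunnel_up: bool                # VPN/SDP session established
    definitions_updated: datetime  # last anti-malware definition update on the endpoint

def decide(req, now):
    """Return (allowed, reasons). Access is granted only when no tenet fails."""
    reasons = []
    if now - req.definitions_updated > MAX_DEFINITION_AGE:
        reasons.append("endpoint: malware definitions out of date")
    if not req.password_ok or not req.mfa_providers:
        reasons.append("identity: password and MFA both required")
    if not req.tunnel_up:
        reasons.append("connection: no VPN/SDP session")
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        reasons.append("least privilege: resource not granted to role")
    elif req.resource in CRITICAL_RESOURCES and len(req.mfa_providers) < 2:
        reasons.append("critical data: second MFA provider required")
    return (not reasons, reasons)

if __name__ == "__main__":
    now = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    stale = now - timedelta(days=3)
    # Constructed request: stale endpoint on an untrusted network with no tunnel.
    req = AccessRequest("bob", "engineer", "source-repo", True,
                        frozenset({"totp-app"}), False, stale)
    print(decide(req, now))
```

Every failed check is reported rather than only the first, so a help desk or log reviewer can see exactly which tenet blocked the connection.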
Enforcing these foundational security principles for all workers with the ability to access the corporate network will ensure that the same (if not stricter) security controls are enforced whether a user is connected to the corporate network or their neighbor’s unprotected Wi-Fi, making Secure Work Anywhere a reality.