Because of the coronavirus (COVID-19) pandemic, it is safe to assume that the vast majority of IT employers are instructing their workforce to operate from home. The sudden and immediate nature of the pandemic limited the capacity of companies to finalize their remote working arrangements, including logistics for data security.
While some establishments were able to easily adapt to remote working, many were not. As a result, fundamental cybersecurity practices like multifactor authentication (MFA), secure desktop backup, remote computer patching, secure file storing and transmission, and other requirements for working remotely in a safe manner were never adequately deployed. At the start of the pandemic, system integrators and IT companies were overwhelmed with cloud migration and system integration work. This means that other types of work have been severely delayed. It is clear that on a global scale, we did not have the preconditions for a seamless transition to remote working. Without ideal remote working environments, we have had to adapt what is available at this time. However, there is still a requirement to be compliant with data protection and other existing forms of compliance.
Ensuring that our customers’ data exists safely and securely on the systems we utilize remains our responsibility. This means we are still required to certify that only authorized users have access to the relevant data. Moreover, there should be reasonable technical controls placed on personal information. Just as before, this continues to be relevant. In fact, with the world operating from a higher number of devices and remote working tools, this may be more vital than ever before.
Working from home case study
To highlight the significance of safe remote working and data security, here is an example of the issues and solutions experienced by a real (but unnamed) company moving to remote working. Let’s take a deep dive into what this company faced; chances are your company is dealing with similar challenges.
In late February, following imminent pandemic-related restrictions, the company announced that all employees were to work from home without exception. The immediate challenge was the movement of equipment into the home, enabling those without access to work from a company-issued machine.
The company urgently sought more than 600 laptops from an online trader who sold refurbished machines. There were a variety of areas of concern.
Patching and maintenance
Primarily, the home computers are not protected by a rigorous patching schedule that maintains the software, keeping it up to date. This includes firmware applications, operating systems, and browsers. Ensuring that known vulnerabilities are not leveraged requires a level of diligence synonymous with enterprises. If a home computer is exploited, and data is exposed, the company could be liable for a breach.
However, as the company installed remote management software on both the home computers and the new machines, the computers were kept up to date. Notably, the IT department took over a month to achieve this, but it was carried out.
Secondly, 600 refurbished computers were issued immediately to maintain the operation of the workforce. Although this ensured that staff could continue their work, it provided the potential for a breach.
The company employed a team of four individuals to deploy the remote management software, run subsequent anti-malware scans, and ensure that a full inventory of all the software on the computers was collated. Malware was then identified on 16 machines. As a result, they were reformatted, reinstalled, and reprovisioned to company standard remotely. This was executed without connecting the devices to the company’s VPN. Thus, the potential for the malware to spread to the company network was mitigated.
By introducing the company to the concept of Zero Trust (whereby companies do not trust any computer and ensure that everything is verified before access is granted), the integrity of the machines was ensured.
Two of the machines hosted ransomware that may have spread to the company’s network. However, through sanitizing the machines, this was avoided.
Corporate data on personal devices
Following these actions, the company was then expected to accelerate its cloud Office 365 migration. It was vital to leverage the cloud to enable users; however, this was expected to be completed over a weekend. During this time, all corporate data had to be migrated to the cloud with the relevant access granted. As well as this, the new working environments had to be communicated and the users trained in its operation. Considering the nature of the time constraint, the company was mostly successful, with more than 90 percent of users able to access the data they needed following the migration.
Many users were able to transfer the data to their home computers and upload it using various online storage applications. Following the deployment of a technical control, user behavior was monitored. This allowed the company to formulate, communicate, and process a plan that would inform users about the actions they should take with corporate data. This could have been challenging, as some users were being instructed about what could and could not be done on their own personal machines. However, autonomy was not threatened as the communication and data were managed correctly. This meant that it was possible to keep the corporate data separate from personal data.
After 60 days, the company issued laptops to those who had been using their personal devices. Data was then sanitized from the personal machines, and the issues surrounding the use of personal devices were eradicated entirely.
Over half of the users at the company required VPNs to ensure access to resources on the network. Customer relationship management (CRM) and other applications specific to the company remained vital even when working from home.
VPNs are an effective solution if deployed correctly. If not, they can cause a variety of data security issues during remote working. For instance, when using a home device to connect to a company network, the VPN should terminate in a secure landing zone or DMZ that is suited to the purpose. This ensures that only the necessary services and protocols required are published to the user. The network should be completely segmented to ensure that the remote user only has access to what is required and cannot harm any other system through the VPN.
Here, the company worked with the networking team to ensure that the network was isolated and that the rule of least privilege was implemented. This ensured that the VPN was secured for those who had to utilize it.
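One way to check the least-privilege rule described above is to audit the firewall rules that apply to the VPN address pool. This is an added example, not part of the original article or the company's tooling; the addresses, the rule format and the published-service list are constructed assumptions.

```python
import ipaddress

# Constructed sample values; none of these come from the article.
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")   # addresses handed to VPN clients
PUBLISHED = {                                      # services remote users need
    ("10.20.5.10", "tcp", 443),                    # CRM web front end
    ("10.20.5.53", "udp", 53),                     # internal DNS resolver
}

# Constructed landing-zone rules: (action, source, destination, protocol, port)
RULES = [
    ("allow", "10.99.0.0/24", "10.20.5.10/32", "tcp", 443),
    ("allow", "10.99.0.0/24", "10.20.5.53/32", "udp", 53),
    ("allow", "10.99.0.0/24", "10.20.0.0/16", "tcp", 3389),  # whole server range
    ("allow", "10.99.0.0/24", "0.0.0.0/0", "any", None),     # any-to-any
    ("allow", "10.30.0.0/24", "10.20.5.10/32", "tcp", 22),   # not a VPN source
    ("deny", "10.99.0.0/24", "0.0.0.0/0", "any", None),      # default deny
]

def audit_vpn_rules(rules, vpn_pool=VPN_POOL, published=PUBLISHED):
    """Return (rule_index, reason) for each allow rule that gives VPN clients
    more than the published services, plus a finding if no default deny exists."""
    findings = []
    has_default_deny = False
    for i, (action, src, dst, proto, port) in enumerate(rules):
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not src_net.overlaps(vpn_pool):
            continue  # rule does not apply to VPN clients
        if action == "deny":
            # A default deny must cover the whole pool, every destination, every protocol.
            if vpn_pool.subnet_of(src_net) and dst_net.prefixlen == 0 and proto == "any":
                has_default_deny = True
            continue
        if proto == "any" or port is None:
            findings.append((i, "any-protocol"))
        elif dst_net.num_addresses > 1:
            findings.append((i, "destination-range"))
        elif (str(dst_net.network_address), proto, port) not in published:
            findings.append((i, "unpublished-service"))
    if not has_default_deny:
        findings.append((None, "no-default-deny"))
    return findings

if __name__ == "__main__":
    for index, reason in audit_vpn_rules(RULES):
        print(index, reason)
```
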
During the cloud migration, it was highlighted that the company was required to deploy MFA. The company called the vendor to order more physical tokens. However, as the vendor had none in stock, they were unable to supply the tokens. The company had to take action to switch MFA suppliers and deploy new MFA tokens to all of the users’ mobile phones, SMS, and native applications. This all happened in a matter of days to ensure that a higher level of security was prioritized.
A vital element of the transition to working remotely remained communication, documentation, and guidance. To ensure operation, the company was required to support its staff, executives, and customers. Ultimately, it was clear that daily communication and written reinforcement resolved challenges.
Despite the vast change inspired by the pandemic, quick reactions and successful communication maintained the operation of the company.
Data security and remote working: Compliance is still crucial
This company was successful in its transformation to remote working while maintaining data security, and under very difficult conditions. Chances are your company is facing similar challenges. It is essential to ensure that while we are remote working, our computers and devices are protected to ensure data security. Compliance is still crucial, and everyone is entrusted to be good data custodians both in and outside of the workplace.