We are more than two weeks into the “new normal” created by COVID-19. An unprecedented number of employees have been sent home to work, and the immediate goal has been enabling the workforce to be productive, responding to Human Resource challenges like paid time off and child care, and protecting revenue streams by adjusting operations. The seismic shift in such a short period of time in how we work and how businesses deliver goods and services is a testament to the ingenuity and flexibility of American business, a bright spot during these strange times.
Of course, rapid change increases risks to any organization, so cybersecurity should not be ignored as businesses shift focus from in-office work to remote work. Save for a few “benevolent hackers”, the bad guys rarely let a good crisis go to waste. We have seen an uptick in phishing attacks over the last month, underscoring the need for businesses to remain focused on IT security.
To aid the YHB community of clients and friends, we have compiled a list of risks to consider and resources to investigate as your businesses retool for remote work.
Remote Access for Employees
The first requirement for enabling remote work is ensuring employees can safely access the files and applications they require to perform their tasks. Often, that means establishing a Virtual Private Network (VPN), which encrypts all the traffic sent between an employee’s computer and the company’s internal network. A VPN requires technical acumen to configure the server side and the client side (end users’ computers), but it also enables a strong control: users can be restricted to accessing company data only from a company-provided laptop or computer. Most common enterprise firewalls (Cisco, Palo Alto, SonicWall, WatchGuard) include VPN capabilities and provide software for both sides of the VPN. In fact, even Windows 10 has VPN functionality built in that can be used to secure a connection to your corporate network.
One decision you need to make is whether to use a “split tunnel VPN”—meaning that when an employee accesses the company’s network, that traffic travels over the encrypted VPN, but when that same employee on the same laptop accesses a non-company site (like YouTube or any other internet site), that traffic is routed directly out through their local home network rather than through the company. You lose some of the network controls, because the company firewall and filtering never see that non-company traffic, but you also reduce congestion on the VPN and corporate internet connection.
Another consideration for remote access is GoToMyPC. This works well in environments that rely on desktop computers, and strong controls can be implemented to protect corporate data. It takes less technical know-how to set up and configure GoToMyPC than to establish a VPN, but one drawback is that someone needs to be at the destination computer when establishing the initial connection. In small environments with limited or no IT staff, this might be a viable option. Alternatives to GoToMyPC are LogMeIn and RemotePC.
Video Conferencing
If we make it to an in-person meeting, the handshake has been replaced with the elbow bump. When we can’t make it to the in-person meeting, video conferencing is the next best option. It has become one of the fastest ways for employees to stay connected to employers and continue meeting with clients and customers.
Businesses have several options for video conferencing. Zoom and Google Hangouts are some of the most popular right now. RingCentral—a phone system built on the Zoom platform—has proven invaluable for YHB since we deployed it in 2019. Microsoft Teams is already included with many Microsoft Office licenses and includes very capable video conferencing capabilities. For companies with stricter security requirements, TS Tru Time is a high-end managed service providing high-quality, low-latency and completely encrypted lines over a private network, never touching the public internet.
When scheduling video calls, always evaluate the security options for the call. For example, avoid using a personal meeting ID: it is a fixed identifier that can be reused over and over, so anyone who has seen it once can try it again. In the wrong hands, attackers can eavesdrop on or break into the call itself. If the conversation is confidential, make the calendar request private and require a password to access the call.
Enable Local Firewalls and Intrusion Detection
What will keep the IT team awake at night during COVID-19 is the fact that employees are connecting to their home networks, and the IT Security team cannot review or control those home networks. Thus, the company’s computers now carry the risks associated with the smart toaster your employee’s husband received for Christmas last year. If only we could include toaster-patch-management in our change management process…
One way to mitigate unpatched-toaster risk is to enable a host-based firewall. Most commercial off-the-shelf operating systems, including Windows 10, include a built-in firewall which can protect a computer from unsolicited inbound connections from other devices on the same network. It would also mitigate some of the risk if you choose to use a split tunnel VPN (see above), since in that case the laptop talks to the home network and the internet directly.
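Both Windows 10 features mentioned above, the built-in VPN client (under Remote Access for Employees) and the built-in firewall, can be set up from an elevated PowerShell session. The following is an added example written for this article, not code from YHB or any vendor; the connection name, server name and the 10.0.0.0/8 corporate prefix are assumed placeholders.

```powershell
# Added example: configure the Windows 10 built-in VPN client for split tunneling and
# make sure the host-based firewall still protects the laptop from the home network.
# Run in an elevated PowerShell session. "Corp VPN", vpn.example.com and 10.0.0.0/8
# are assumed placeholder values; substitute your own.

# 1. Create the VPN profile. -SplitTunneling means only traffic for the routes added
#    below goes through the tunnel; everything else (YouTube, etc.) leaves directly
#    via the employee's home network.
Add-VpnConnection -Name "Corp VPN" `
    -ServerAddress "vpn.example.com" `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -SplitTunneling `
    -RememberCredential:$false

# 2. With split tunneling the client must be told which prefixes belong to the company.
#    Anything not listed here bypasses the corporate firewall and web filtering.
Add-VpnConnectionRoute -ConnectionName "Corp VPN" -DestinationPrefix "10.0.0.0/8"

# To switch back to a full tunnel later (all traffic via the corporate network):
# Set-VpnConnection -Name "Corp VPN" -SplitTunneling $false

# 3. Because the laptop now talks to untrusted home devices directly, turn on Windows
#    Defender Firewall for every profile, block unsolicited inbound connections and
#    log what gets dropped so IT can review it.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -LogBlocked True `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" `
    -LogMaxSizeKilobytes 16384

# 4. Verify the end state before handing the laptop to an employee.
Get-VpnConnection -Name "Corp VPN" | Select-Object Name, ServerAddress, TunnelType, SplitTunneling
Get-VpnConnectionRoute -ConnectionName "Corp VPN" | Select-Object DestinationPrefix
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked
```

The verification step at the end is what to check before rollout: SplitTunneling should read True, the route list should contain only company prefixes, and every firewall profile should show Enabled True with DefaultInboundAction Block.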
Remote Access for IT Support
It will also be imperative to give your IT staff the ability to support your remote team. They will need software that allows them to remotely access employee computers to troubleshoot and fix any issues. Some examples include Dameware, TeamViewer, and LogMeIn. Any time you give employees remote access to other employees’ computers, the security capabilities of the tool should be considered. It is always important that an employee knows when an administrator is accessing their computer; for example, the screen may provide a visual cue. It is also best when the software tool logs each time an administrator accesses an employee’s computer, so that access can be reviewed after the fact.
With Virginia Governor Northam’s March 30 stay-at-home order enacted through June 10, 2020, remote work now becomes a reality for all non-essential businesses. Enabling your remote teams will help many companies get through this time and find new ways to do business. Using the suggestions above will help management and the IT team provide secure communication channels, remain productive, and stay healthy.
Bryan is a Partner at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.