The precipitous introduction of teleworking has put many businesses at risk and some are still unaware of it. The emergency situation resulting from the health crisis has forced many companies to make this alternative the solution to be able to carry out their activity. While many were able to react quickly, others were caught off guard, without having thoroughly analyzed the privacy and cybersecurity controls required by remote work systems.
In order for employees to be able to perform their tasks from home, the company had to provide them with solutions to remotely access the company’s information systems and other resources, as well as tools to interact and coordinate with each other and systems for sharing and/or modifying company information collaboratively. This paradigm entails risks and exposures to the security of information and processed data.
Some of the main threats include the increase in the attack surface caused by the need to allow remote connections, since the perimeter of the corporate network now extends to the homes of employees; the principle of least privilege most likely had to be relaxed to allow a type of access that was not previously necessary; the massive concurrency of remote users can be exploited to steal credentials and escalate privileges; and the loosening of the security control framework allows employees to connect to the corporate network from their own unsupervised and often unsecured equipment.
The solution is to adapt to the challenges presented by the new way of working by applying minimum security measures. First of all, it is necessary to have a culture of teleworking, that is to say, rules and policies for the use of information systems. In this sense, the Spanish Data Protection Agency recommends defining a specific policy for mobility situations that takes into account the specific needs and particular risks introduced by access to company resources from spaces that are not under the control of the organization. In the same vein, it is advisable to carry out awareness-raising and training actions so that employees use information systems securely while on the move and use collaborative tools safely.
BDO recommends reviewing the authorized forms of remote access, the types of devices valid for each form of access and the level of access authorized according to the defined mobility profiles, as well as applying strong authentication processes and password policies for access to the group’s internal network and to business applications accessible from the Internet. The implementation of a coherent multi-factor authentication (MFA) layer, or of progressive authentication depending on the criticality of the access request, could be valid control options.
It is also a good security measure to monitor access to the corporate network from outside: fine-tune the granularity of security monitoring, enrich monitoring in remote operation scenarios and ensure that external connections are established securely via VPN. Controls against possible information leaks should not be forgotten either: a DLP solution, limited access to cloud storage services, deactivation of USB ports, etc.
Regarding the security of professional and personal equipment, it is advisable to establish minimum security requirements and to enter into agreements with employees that define the mutual responsibilities of the parties before connecting employee-owned devices to the company’s network and systems.
As for the use of collaboration tools, only trusted and vetted solutions should be selected, and minimum security requirements should be established in the default configuration used to interact, share and/or modify information collaboratively. In addition, it is necessary to train all employees in the specific steps they must take in the meeting software to ensure the security of their conferences.
In the opinion of Roger Pérez, expert in the BDO Risk Advisory field, “the authorized forms of remote access, the types of devices valid for each form of access and the level of access must be reviewed according to the defined mobility profiles, as well as the application of robust authentication processes and password policies for access to the group’s internal network and to business applications accessible from the Internet.”
Ultimately, organizations must adjust their current processes to be able to perform most of their operations remotely. In response to this change of model, they must review their information security controls and update the appropriate settings. This is essential for any organization that does not want to become the victim of an incident that jeopardizes its continuity. In these times of change and uncertainty, business and professional activity must continue, as long as a safe and efficient environment is ensured.