Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges
As a part of our ongoing efforts to help security professionals around the world manage their new remote workforces, we’ve been holding virtual panel discussions and roundtables with ethical hackers and security and compliance leaders from some of the world’s leading institutions to discuss cybersecurity best practice while working from home.
Our panelists and speakers have included David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, Jenna Franklin, Managing Counsel, Privacy & Data at Santander, Stacey Champagne, Head of Insider Threat at Blackstone, Ben Sadeghipour, Head of Hacker Education at HackerOne, Chris Turek, CIO at Evercore, Jon Washburn, CISO at Stoel Rives, Peter Keenan, CISO at Lazard, Gil Danieli, Director of Information security at Stroock, and Justin Daniels, General Counsel at Baker Donelson
We’ve compiled some of the key takeaways to help IT, privacy, and security professionals and employees stay secure wherever they’re working.
Interested in joining a future roundtable? You can register here.
How to defend against spear phishing (inbound threats)
Communicate new threats. Cybercriminals are carrying out opportunistic phishing attacks around COVID-19 and the mass transition from office-to-home. Keep employees in the loop by showing them examples of these threats. But, it’s important to not over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen.
Create policies and procedures around authenticating requests. Communicating new threats isn’t enough to stop them. To protect your employees and your data, you should also set up a system for verifying and authorizing requests via a known communication channel. For example, if an employee receives an email requesting an invoice be paid, they should contact the relevant department or individual via phone before making any payments.
Enable multi-factor authentication. This easy-to-implement security precaution helps prevent unauthorized individuals from accessing systems and data in the event a password is compromised.
Encourage reporting. Creating and maintaining a positive security culture is one of the best ways to help defend against phishing and spear phishing attacks. If employees make a habit of reporting new threats, security and IT teams have a better chance of remediating them and preventing future threats.
Update security awareness training. Remote-working brings with it a host of new security challenges. From the do’s and don’t of using personal devices to identifying new threat vectors for phishing, employees need to refresh their security know-how now more than ever.
How to defend against data exfiltration (outbounds threats)
Exercise strict control over your VPN. Whether it’s disabling split tunneling on your VPN or limiting local admin access, it’s absolutely vital that you minimize lateral movements within your network. This will not only help prevent insider threats from stealing data, but it will also prevent hackers from moving quickly from one device to another.
Block downloads of software and applications. This is one of the easiest ways to minimize the attack vectors within your network. By preventing downloads by individual users, you’ll be able to exercise more control over the software and applications your employees use. This way, only vetted tools and solutions will be available for use.
Secure your cloud services. As workforces around the world are suddenly remote, cloud services are more important than ever. But, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access whenever possible (without impeding productivity) and creating policies around how to safely share documents externally.
Create a system for onboarding and offboarding employees. Both negligent and malicious incidents of data exfiltration are on the rise. To prevent new starters or bad leavers from mishandling your data, make sure you create and communicate new policies for onboarding and offboarding employees. In order to be truly effective, this will need to be a joint effort between HR, IT and security teams.
Update security awareness training. Again, remote-working brings with it a host of new security challenges. Give your employees the best chance of preventing data loss by updating your security awareness training.
Bonus: Check your cybersecurity insurance. Organizations are now especially vulnerable to cyber attacks. While preventative measures like the above should be in place, if you have cybersecurity insurance, now is the time to review your policy to ensure you’re covered across both new and pre-existing threat vectors.
Our panelist cited two key points to review:
If you are allowing employees to use personal devices for anything work-related, check whether personal devices are included in your insurance policy.
Verify whether or not your policy places a cap on scams and social engineering attacks and scrutinize the language around both terms. In some instances, there may be different caps placed on these different types of attacks which means your policy may not be as comprehensive as you might have thought. For example, under your policy, what would a phishing attack fall under?
How to stay compliant
Share updated policies and detailed guides with employees. While employees may know and understand security policies in the context of an office environment, they may not understand how to apply them in the context of their homes. In order to prevent data loss (and fines), ensure your employees know exactly how to handle sensitive information. This could mean wearing a headset while on calls with clients or customers, avoiding any handwritten notes, and – in general – storing information electronically.
Update security awareness training. As we’ve mentioned, organizations around the world have seen a spike in inbound attacks like phishing. And, when you consider that 91% of data breaches start with a phishing attack, you can begin to understand why it’s absolutely essential that employees in every department know how to catch a phish and are especially cautious and vigilant when responding to emails.
Conduct a Data Protection Impact Assessment (DPIA). As employees have moved out of offices and into their homes, businesses need to ensure personal data about employees and customers is protected while the employees are accessing it and while it’s in transit, wherever that may be. That means compliance teams need to consider localized regulations and compliance standards and IT and security teams have to take necessary steps to secure devices with software, restricted access, and physical security. Note: personal devices will also have to be safeguarded if employees are using those devices to access work.
Remember that health data requires special care. In light of COVID-19, a lot of organizations are monitoring employee health. But, it’s important to remember that health data is a special category under GDPR and requires special care both in terms of obtaining consent and how it’s processed and stored. This is the case unless one of the exceptions apply. For example, processing is necessary for health and safety obligations under employment law. Likewise, processing is necessary for reasons of public interest in the area of public health. An important step here is to update employee privacy notices so that they know what information you’re collecting and how you’re using it, which meets the transparency requirement under GDPR.
Revise your Business Continuity Plan (BCP). For many organizations, recent events will have been the ultimate stress test for BCPs. With that said, though, these plans should continually be reviewed. For the best outcome, IT, security, legal, and compliance teams should work cross-functionally. Beyond that, you should stay in touch with suppliers to ensure service can be maintained, consistently review the risk profile of those suppliers, and scrutinize your own plans, bearing in mind redundancies and furloughs.
Stay up-to-date with regulatory authorities. Some regulators responsible for upholding data privacy have been releasing guidance around their attitude and approach to organizations meeting their regulatory obligations during this public health emergency. In some cases, fines may be reduced, there may be fewer investigations, they may stand down new audits, and – while they cannot alter statutory deadlines – there is an acknowledgment that there may be some delays in fulfilling certain requests such as Data Subject Access Requests (DSARs). The UK privacy regulator, the ICO, has said they will continue acting proportionately, taking into account the challenges organizations face at this time. But, regulators won’t accept excuses and they will take strong action against those who take advantage of the pandemic; this crisis should not be used as an artificial reason for not investing in security.
Looking for more advice around remote-working and the new world of work?
For more practical advice from security leaders for security leaders and privacy professionals, join us for our next virtual panel discussion on April 30.
We’ve also created a hub with curated content around remote working security which we’ll be updating regularly with more helpful guides and tips.