Saturday, March 7, 2020

Secure Remote Work Considerations

An email sent today to all CISO friends, contacts, past and present clients,

With the increased attention on remote work due to current global health concerns, I want to outline cybersecurity practices that need to be considered.  While your IT goals will be to ensure connectivity and as close to full-time capacity for your employees as possible, you must not introduce vulnerabilities by taking shortcuts.
  1. VPN - Continue to require MFA for connecting to your offices or SaaS applications.  Have your IT admin staff and help desks take the time to work through enrollment and login issues rather than removing MFA for ease of access. Ensure that proper training is available to employees on how to enroll in and use MFA.
  2. Citrix or other remote desktop access - By now, your IT personnel should have reviewed the capacity and potential demand that a 100% remote workforce can place on any Citrix or similar remote desktop service.  Capacity planning should target 80% utilization at any given time to leave headroom for surges in demand.
  3. BYOD - Seriously consider not allowing employees to use personal devices to VPN into your corporate networks.  If you did not provide company-issued devices that meet your security requirements, do not expect their personal computers to. Move any such access to a Citrix or remote desktop solution. If that is not possible, engage a solution provider to discuss these technologies, or ensure a properly segmented VLAN or network for these devices when they come into your network.
  4. Shared access - Ensure that each employee has their own account for your SaaS applications and other systems.
  5. Vendor access - Ensure that third-party vendors follow security guidelines for accessing systems, notably MFA, unique usernames and passwords, and segmented network access limited to the systems they need to work with.
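Items 1, 4 and 5 above are easy to state and easy to quietly violate once the help desk is overloaded. The script below is an added example (not part of the original email) of how to audit a remote-access log for the three shortcuts those items warn against: successful logins that skipped MFA, accounts used from two different source IPs within a few minutes (the usual signature of a shared credential), and vendor sessions that reached an internal destination outside the segment the vendor is allowed to touch. The log format, account names, addresses and the vendor allow-list are all constructed for the example; adapt the regular expression and the `VENDOR_SCOPE` table to your own VPN or Citrix logs.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN/remote-access log for this example (not data from the
# original post). Each line is a hypothetical key=value record: timestamp,
# account, source IP, whether MFA was completed, result, and the internal
# destination the session reached.
SAMPLE_LOG = """\
2020-03-09T08:01:12Z user=alice src=203.0.113.10 mfa=yes result=success dst=10.0.0.10
2020-03-09T08:03:40Z user=bob src=198.51.100.7 mfa=no result=success dst=10.0.0.10
2020-03-09T08:05:02Z user=shared-ops src=203.0.113.22 mfa=yes result=success dst=10.0.0.12
2020-03-09T08:07:55Z user=shared-ops src=192.0.2.140 mfa=yes result=success dst=10.0.0.12
2020-03-09T08:09:10Z user=carol src=203.0.113.31 mfa=yes result=failure dst=10.0.0.10
2020-03-09T08:15:00Z user=vendor-acme src=198.51.100.200 mfa=yes result=success dst=10.20.5.4
2020-03-09T08:16:30Z user=vendor-acme src=198.51.100.200 mfa=yes result=success dst=10.1.1.5
2020-03-09T09:30:00Z user=alice src=192.0.2.77 mfa=yes result=success dst=10.0.0.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>\S+) dst=(?P<dst>\S+)$"
)

# Hypothetical vendor allow-list: account -> internal networks it may reach.
VENDOR_SCOPE = {
    "vendor-acme": [ipaddress.ip_network("10.20.5.0/24")],
}


def parse_log(text):
    """Parse key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_mfa_bypass(events):
    """Accounts that logged in successfully without completing MFA (item 1)."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["mfa"] == "no"})


def find_shared_accounts(events, window=timedelta(minutes=10)):
    """Accounts with successful logins from two different source IPs inside
    `window`. One person rarely does this; it is the usual signature of a
    credential handed around a team (item 4)."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # sorted by time, so nothing later is inside the window
                if later["src"] != first["src"]:
                    flagged.add(user)
    return sorted(flagged)


def find_vendor_out_of_scope(events, scope=VENDOR_SCOPE):
    """Vendor sessions whose destination lies outside the vendor's permitted
    segment (item 5). Returns (account, destination) pairs."""
    hits = []
    for e in events:
        if e["user"] in scope and e["result"] == "success":
            dst = ipaddress.ip_address(e["dst"])
            if not any(dst in net for net in scope[e["user"]]):
                hits.append((e["user"], e["dst"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("No MFA on successful login:", find_mfa_bypass(evs))
    print("Possible shared accounts:", find_shared_accounts(evs))
    print("Vendor sessions outside allowed segment:", find_vendor_out_of_scope(evs))
```

On the constructed log this flags `bob` (logged in with MFA disabled), `shared-ops` (two source IPs three minutes apart) and the `vendor-acme` session that reached 10.1.1.5 outside its 10.20.5.0/24 segment; `alice` is not flagged because her two addresses are ninety minutes apart, which is ordinary for someone moving between home and a mobile connection. The ten-minute window is a starting point, not a rule; tune it against your own users before acting on the output.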
Lastly, for those with board meetings coming up, prepare to answer how you have made remote work both available and secure. I anticipate this question will start being asked in the next few quarters by informed directors or investors.

