With more employees than ever working from home, it's important to examine your organization's remote network access policy to ensure that it's still meeting its goal of protecting the enterprise network from misuse and attacks.
The biggest mistake organizations make when creating or updating their remote access policy is not taking enough time to understand the current threat landscape, said Tim Singleton, president of Strive Technology Consulting, a Denver-area IT services provider. "Hacking techniques that are popular today weren't even a thought three years ago," he noted. "If the remote access policy isn't updated according to the new threats ... it's only protecting against outdated problems."
Pam Nigro, vice president and security officer for Home Access Health Corp., stressed the importance of ensuring that end-users understand their responsibilities in the areas of confidentiality, intellectual property, and information compliance, as well as the security protocols necessary to keep information systems secure. "This should be clearly outlined to compel compliance and the appropriate precautions for data use and access," said Nigro, who is also a board director for ISACA, an international professional association focused on IT governance.
If it isn't already a remote access policy stipulation, mandatory use of multi-factor authentication (MFA) should be added to the policy as soon as possible. "MFA is important to ensure that threat actors cannot use ... compromised credentials to log in and obtain access to your network with impunity," explained Keith Mularski, managing director in EY's consulting practice, focusing on cybersecurity issues. "MFA enabled for remote work access will prevent this type of breach from happening, and it will also prevent brute force and password spraying techniques used by threat actors to breach a network from being effective," he added.
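The password spraying Mularski refers to has a recognisable shape in authentication logs: one source failing against many different accounts, a few attempts each, rather than hammering one account. The following is an added example, not code from the article or from any of the people quoted, showing how a security team might spot that pattern in remote-access logs and, in particular, flag the case MFA exists to neutralise: a successful login from a source that was just spraying. The log format, field names and addresses are constructed for this example.

```python
"""Detect password-spraying patterns in VPN authentication logs.

Constructed example: the log line format, the field names and the
IP addresses below are assumptions, not the format of any real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format, one authentication event per line (constructed).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth_(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.5 sprays five accounts in 15 seconds and then
# succeeds against a sixth; 198.51.100.7 is one user retrying their own password.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z vpn auth_failure user=alice src=203.0.113.5
2024-05-01T09:00:04Z vpn auth_failure user=bob src=203.0.113.5
2024-05-01T09:00:07Z vpn auth_failure user=carol src=203.0.113.5
2024-05-01T09:00:10Z vpn auth_failure user=dave src=203.0.113.5
2024-05-01T09:00:13Z vpn auth_failure user=erin src=203.0.113.5
2024-05-01T09:00:16Z vpn auth_success user=frank src=203.0.113.5
2024-05-01T09:05:00Z vpn auth_failure user=alice src=198.51.100.7
2024-05-01T09:05:30Z vpn auth_failure user=alice src=198.51.100.7
2024-05-01T09:06:00Z vpn auth_success user=alice src=198.51.100.7
"""


def parse_events(text):
    """Parse log text into dicts with a datetime 'ts'; skip unrecognised lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_password_spray(text, min_users=5, window=timedelta(minutes=10)):
    """Return {src: {"users": [...], "success_after_spray": [...]}} for every
    source whose failures hit at least `min_users` distinct accounts inside
    `window`. Repeated failures against a single account (brute force) do not
    qualify; the distinct-user count is what distinguishes a spray."""
    by_src = defaultdict(list)
    for e in parse_events(text):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failure"]
        # Slide a window over the failures, starting at each one in turn.
        for i, start in enumerate(failures):
            in_window = [e for e in failures[i:] if e["ts"] - start["ts"] <= window]
            users = sorted({e["user"] for e in in_window})
            if len(users) >= min_users:
                # Any success from this source at or after the spray began is
                # the signal that a guessed password worked; with MFA enforced
                # that login would have been stopped at the second factor.
                successes = sorted({
                    e["user"] for e in evs
                    if e["result"] == "success" and e["ts"] >= start["ts"]
                })
                findings[src] = {"users": users, "success_after_spray": successes}
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"{src}: sprayed {len(info['users'])} accounts; "
              f"later successes: {info['success_after_spray'] or 'none'}")
```

The thresholds are deliberately parameters: a sensible `min_users` depends on how many accounts your VPN normally sees from one address, and the source key would be a subnet or ASN rather than a single IP when attackers rotate addresses.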
The remote access policy should also require all remote workers to use an approved password manager. "Everyone knows they're supposed to have unique and complicated passwords for every log-on account," Singleton said. With employees juggling dozens, perhaps even hundreds of different accounts, "people default to using the same password in a lot of places," he warned. An inexpensive software tool that automatically generates a unique, complex password for each account will allow employees to sign into the enterprise and other online resources in a highly convenient and secure manner.
Errors and omissions
Many remote access policies fail to address the important issue of vendor access to enterprise resources. "Vendor access should be restricted and segmented to the role or work they are performing," Mularski advised. "Often, we see them having the same access as an employee of the company."
With the number of remote workers growing rapidly, enterprises also need to periodically reexamine their remote access policy's privacy considerations. "To work effectively, employees will use tools that help them collaborate inside and outside their organization, conduct meetings remotely, and access and share potentially sensitive documents," observed Robert Waitman, Cisco Systems' director of data privacy. As home workers engage in such tasks, participants' names, account information, and even physical appearance could fall into the category of Personally Identifiable Information (PII) and may be subject to various global privacy regulations. "Many people have heard of the EU's General Data Protection Regulation (GDPR), which became enforceable about two years ago, but there are over 140 different privacy regulations in other jurisdictions around the world," Waitman explained. "Organizations that are now working to enable their employees to work remotely need to evaluate how PII is being handled to meet the requirements of these laws and regulations."
Another major oversight in many current remote access policies is failing to treat administrators at various levels separately from ordinary users. "Certain types of administrators shouldn't be allowed to log in with their elevated accounts," Mularski warned. "There should be restrictions as to where they land in the environment and what they have access to without going through a bastion host, for example."
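The two points Mularski raises, vendor access scoped to the work being performed and elevated accounts that must come in through a bastion host and may only reach a restricted set of systems, are both rules a team can check against session records. The following is an added example, not code from the article or from any organisation quoted in it: a small audit that maps each remote session to the policy violations it exhibits. The session fields, host names and role table are constructed assumptions.

```python
"""Audit remote sessions against two policy rules from the text:
  1. an elevated (admin) account must originate from a bastion host;
  2. an account with a defined role scope (admin or vendor) may only land on
     the targets that scope allows.

Constructed example: the record format, host names and scopes are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    src: str        # host or address the session originated from
    target: str     # host the session landed on
    elevated: bool  # True if the account carries administrative rights


# Assumed policy tables (constructed for this example).
BASTION_HOSTS = {"bastion01.corp.example", "bastion02.corp.example"}
ROLE_TARGETS = {
    "adm-alice": {"db01.corp.example", "db02.corp.example"},  # database admin
    "adm-bob": {"fw01.corp.example"},                          # network admin
    "vendor-hvac": {"bms01.corp.example"},                     # vendor, building controls only
}


def check_session(s, bastions=BASTION_HOSTS, scopes=ROLE_TARGETS):
    """Return the list of violations for one session; [] means compliant.
    Ordinary users without a role scope are outside these two rules."""
    problems = []
    if s.elevated and s.src not in bastions:
        problems.append("elevated login did not originate from a bastion host")
    if s.user in scopes:
        if s.target not in scopes[s.user]:
            problems.append(f"account not permitted to reach {s.target}")
    elif s.elevated:
        # An admin account with no defined scope is itself a policy gap.
        problems.append("elevated account has no defined target scope")
    return problems


def audit(sessions):
    """Map each non-compliant session to its violations."""
    return {s: v for s in sessions if (v := check_session(s))}


# Constructed sample sessions (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_SESSIONS = [
    Session("jdoe", "203.0.113.9", "vpn.corp.example", elevated=False),
    Session("adm-alice", "bastion01.corp.example", "db01.corp.example", elevated=True),
    Session("adm-alice", "203.0.113.9", "db01.corp.example", elevated=True),
    Session("adm-bob", "bastion02.corp.example", "db01.corp.example", elevated=True),
    Session("vendor-hvac", "198.51.100.20", "hr-files.corp.example", elevated=False),
    Session("adm-carol", "203.0.113.44", "hr-files.corp.example", elevated=True),
]


if __name__ == "__main__":
    for s, violations in audit(SAMPLE_SESSIONS).items():
        print(f"{s.user} {s.src} -> {s.target}: " + "; ".join(violations))
```

Run against real session exports, the interesting output is not the list of violations itself but the accounts that keep appearing in it: an admin who routinely lands outside the bastion, or a vendor account whose scope was never written down, is exactly the gap the policy review is meant to surface.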
Nigro noted that enterprises should be prepared to help home-based employees who appear to be struggling with detailed and complex remote access policy requirements. "Understand that your remote workers do not have a cybersecurity team at their location to assist them," she said. "Mandating a policy and expecting compliance without the appropriate training and assistance to ensure that their home network is safe would be counterproductive."
A recent ISACA study revealed that only 51% of respondents were highly confident in their security team's ability to detect and respond to cyberthreats during the pandemic. Even more troubling, 87% of respondents reported that with the rapid shift to work from home, there has been an increased risk in data privacy and protection issues, and 92% believed that threat actors will increase cyberattacks on individuals. "It's essential [for enterprises] to set the tone for cybersecurity at home," Nigro said. "Help everyone understand the need to stay safe online."