- Recording: Cybersecurity during COVID-19
The global pandemic has forced organizations around the world to figure out how to work remotely. How do you effectively secure a telecommuting workforce? Our facilitator, CLA Principal Jennifer Rohen and panelist, CLA principal Randy Romes discussed:
- Remote Access Solutions
- Device Considerations
- Corporate Policy Recommendations
- COVID-19 Fraud Concerns
In case you missed it:
Questions and Answers:
Do you feel using Citrix receiver to login on from a home PC, then Remote Desktop Protocol (RDP) from that session to an office PC is a secure method?
We have seen clients deploy exactly that as their day-to-day remote access method. Depending on the applications needed, Citrix Receiver itself can also serve as your remote access system. How you manage authentication matters, as does how you manage the security of your PC used by an employee. There are some risks; a home computer may be compromised with some malware such as a key logger.
Is using two-factor authentication (2FA) an effective control?
2FA helps a lot, though you could still remain vulnerable to malware or keystroke logging. We look for defense in depth wherever possible — we want more than one control helping us restrict access. It's possible to carry out a man-in-the-middle attack (MITM) using 2FA, though it's much more difficult to do.
What is your opinion of using TeamViewer?
TeamViewer can be configured with strong authentication but the default is usually weak. Be sure to utilize multi-factor authentication and lockout policies when possible.
Can you share samples of acceptable use policies that fit today's circumstances? In addition to computer use and how I use my time, what about acceptable uses for confidential documents and other information?
Ideally, your acceptable use policies won't need to change, but this really depends on your situation and the change in your operational mode in this pandemic situation. Your policies may still need to be updated or expanded, especially if your staff will be using personal resources to conduct business, where this was not normal previously. This policy should focus on the different controls required to support remote work. You can add these changes to your acceptable use policy, but for many organizations, it’s easier to create a new policy than to update a pre-existing one.
What risk do companies face using SaaS products working from home?
It really depends on the products you're using, and whether you're using different or uncontrolled systems to access those platforms. But in general, the risks are the same as when your employees are working on-premise. The factors that differ in your risk assessment are the technology and controls in place to protect the systems used to access those SaaS products.
If at least one person is teleconferencing into a meeting, should all participants teleconference to equalize quality of participation?
Within CLA and other companies, remote participants are able to participate more effectively when all are in the teleconference. It prevents side-discussions from distracting others remotely or in the room, and it ensures all participants are more aware to check in with all remote participants — something often forgotten when most attendees are in the same room, with only a few people remotely connected.
What we talked about:
Note: This is a condensed bulleted list of major points addressed on this livestream. It is not a full transcript.
Rohen: Good afternoon and welcome to the CLA COVID-19 Livestream Series. We hope that you, your families, friends, and communities are staying safe and healthy. Our mission is to help educate you about the new programs and new world that we are adapting to as a result of the COVID-19 crisis.
We have covered many legislative changes and program updates as a result of the Families First Coronavirus Response Act and the CARES Act on past livestreams. We’ve talked through the tax credits, HR obligations, PPP program, and other lending and tax related updates. We will continue to navigate those programs and any future legislation later this week and into next. Today, we’re talking about a very important issue that impacts all areas of the personal and professional world — cybersecurity. We will discuss best practices for the changing workplace, protecting your information as you apply for lending options and receive the stimulus benefits, and raise awareness of the latest scams that might impact you or your employees.
In the face of COVID-19, employers around the world are being challenged to design new ways to allow their employees to remain productive while working from home. We have seen many examples of how organizations have struggled to implement widespread work from home initiatives.
As your organization adapts to the new normal, we recommend that you carefully consider the cybersecurity controls you have in place with regards to remote work.
Today’s conversation is with Randy Romes. Randy is the Managing Principal for CLA’s cybersecurity consulting team. Randy leads a team of technology and industry specialists providing IT audits and security assessments for clients in a wide range of industries and diverse operating environments, and has provided independent security assessments and IT audits for financial institution clients for over 21 years. He is responsible for the continuing development of the open-source, Unix, and Windows applications used in all of our security audits, and he leads the firm’s PCI-QSA audit practice. He is a Certified Information Systems Security Professional (CISSP), a Certified Risk and Information System Controls (CRISC) professional, a Certified Information Systems Auditor (CISA), a PCI-Qualified Security Assessor (PCI-QSA), and a Microsoft Certified Professional (MCP).
Welcome, Randy, and thank you for joining us. We have very quickly gone from “15% remote work force” to instances of “greater than 80% remote work force. What are the best ways a company can do this? As they implement this, what kind of remote access is acceptable and secure?
Romes: This will be a combination of technology already in place and NEW remote access:
- Already in place
- VPN, Remote email (Outlook Web Access or OWA), Remote desktop or portal
- Newly implemented
- All of the above PLUS things like: “Go to my PC” type options
- DEFINE the need
- How, Who, Where
- Applications, files and data
- Understand and apply the appropriate controls
- Everyone working remote…
- Challenges with communication…
- What, When
- Time of day, IP filtering and Geo-fencing
- Types of data
- How, Who, Where
What hardware, devices, and technology are OK to use?
Romes: This will be a combination of preferred methods and hardware followed by what your organization needs to do to keep the lights on.
- Currently in place
- Laptops, mobile devices (tablets), desktop PCs, bring your own devices (BYOD)
- Newly implemented
- All of the above plus corporate desktops
- Understand and apply the appropriate controls
- Mobile device management systems (e.g. InTune, JAMF)
- Up to date patching and running antivirus software
- Passwords and password management
- Monitoring, data loss prevention and alerting
- Your internal network may now have end points in your employees’ basement, bedroom, or home office
- Where possible you need visibility
- Help or service desk challenges with remote work force
- Challenges with communication
Rohen: All of this change has resulted in lots of different new normals. What should we consider in terms of new or updated policies and procedures?
Romes: This will be a combination of:
- New policies and procedures due to new or radically different operations
- Redefined/reinforced policies and procedures for ongoing or similar operations
- Relaxed policies and procedures due to new or radically different operations, or because of challenges due to significantly increased remote operations challenges (ie. keeping the lights on)
It is important to think about policies and procedures as they relate to:
- Acceptable Use
- Incident response
- Liability and litigation
Rohen: Have we seen any new types of cyber fraud as a result of the shift to remote work and the new financial assistance programs?
Romes: Yes. Some examples include phishing messages and text messages. I’d encourage people to make sure they know how to protect their personal financial information from being stolen.
Additionally, we recommend that to safely transmit the PPP, organizations contact their bank directly and do not respond to unsolicited offers. When it comes to stimulus checks, make sure to see FBI and IRS guidance and be wary of COVID-19 related scams.