Covid-19 has forced the issue of remote working en-masse for almost every office-based business, from financial firms to the healthcare industry. The need to move swiftly during the first lockdown in March meant that, understandably, business cybersecurity may not have been in front of mind during this workspace relocation process.

Now that the initial panic has subsided and many of us have adapted to having a more flexible workforce, it’s time to step back and assess the security impacts of any recent infrastructure or policy changes your firm may have made to ensure you’re not vulnerable to cybercriminals or accidental data breach.

Here are some key areas to check to ensure your firm’s IT is secured and still home-worker ready:

 

This is a common mistake we have seen a lot of recently, the Remote Desktop Protocol (RDP) port being open to everyone on the internet. Remote Desktop itself is a well established and incredibly useful way to access your servers, applications, or computers remotely. However, it should be protected either via a VPN connection or by using the Remote Desktop Gateway functionality provided by Windows Server.

A plain “port forward” to your server puts your firm at high risk of attack, as hackers target these RDP servers and will run continuous brute force attacks against your usernames and passwords to gain access.

 

Virtual Private Networks – VPN for short – are an easy way to connect your staff into the office network. They are also a security nightmare if not configured properly.

First, ensure you are using a secure VPN protocol or program. PPTP – the “go-to” Windows VPN option for many years has been long compromised by hackers and is considered insecure.

Consider using SSTP, or an SSL VPN provided by your firewall instead.

Second, make sure you have firewall rules in place to restrict the VPN traffic down to what is required for your remote workers to do their jobs and nothing more. Opening your firms’ network to your end user’s machines means you are opening your network to a higher risk of malware. This is less of a concern when employees are using corporate devices which adhere to IT policy, but a major issue when they are using their own personal machines.

 

Any cloud application containing sensitive, financial or client data should have 2FA or MFA enabled. This is two factor or multi-factor authentication and means you are prompted for another proof of entitlement to access the system other than just your password when logging in.

Any cloud application without 2FA/MFA support should be locked down to only allow access from your office IP addresses, and if this is not possible then you should seriously consider changing provider.

When accessing your client’s applications on the cloud, do not share their login details. Ask them to set you up with your own login to the system, and once again enable 2FA/MFA as your access level to their data will be at a high privilege level.

Your firewall is the security door restricting access to your data vault, but it is not infallible. There are often updates to the firmware, which is the programming logic that runs the device, released by the vendor to fix security problems with their products.

Many IT teams have found it hard to patch firewalls with so many people working remotely, as not only does it disrupt the ability to work during the update, but a failed update can be a serious problem. However, leaving security vulnerabilities unpatched is a bigger issue, so make sure you are up to date.

 

When everyone is working from company-owned devices, security is straightforward. Secure the endpoints with your chosen security solution, monitor them for issues and security vulnerabilities, and enforce your chosen firewall and security rules via a policy system such as Group Policy.

However, if you have allowed your staff to have access to your systems from their own personal devices then you should consider how to ensure they meet your IT security requirements.

Often the best way to do this is to roll out the same provisions you would for a corporate-owned device, but this may not sit well with your staff member who owns the computer. At a minimum, look to roll out your security solution to their device to ensure the system is virus-free and not a risk when it is connected to your network. 

If this is not agreeable, you should consider providing company-owned and managed devices to your staff to allow enforcement of security policies.

 

Many cries of “It’s not working” or “I can’t access those files” have been placated by uplifting file permissions or security rights for staff. Often these uplifts are only supposed to be temporary, while IT work out how to fix the issue.

Unfortunately, these temporary permission “fixes” often end up being forgotten and can leave large gaps in security. Either by inadvertently allowing staff to access files and data they should not or giving ransomware the ability to encrypt many more files on your systems than it would or should have been able to – if it had even been able to run at all.

Now is a great time to run an audit on file permissions, folder permissions and administrative rights and roles. Work to a system of least privilege – where people have just enough rights to do what they need to do, and ensure that none of your users has local administration rights on their computers as this is the common mistake that allows ransomware to run havoc in corporate networks.

 

As part of the government’s economic response to the Covid-19 pandemic, packages of grant funding are to be announced to help businesses make efficiency transitions. 

These grants of between £1000 – £5000 could help your business innovate and optimise its Cyber Security, to ensure data protection and compliance in relation to the points we’ve discussed above.

If you have any concerns, questions or simply want to explore how to better secure your business, please do get in touch with the team for a FREE demonstration, consultation to explore how exposed your business might be and identify actions to take. Contact us today.