With COVID-19 requiring social distancing measures, metaphorical jet-boosters have been strapped to the back of many companies’ remote working policies.
In the scramble to get everyone efficiently working outside of the office environment, many will have overlooked the security challenges that come along with this new set up.
We reached out to cybersecurity leaders to discuss the scale of the challenge and what businesses can do to secure their remote teams.
This article is part of a two-part series where we talk to security leaders about securing a distributed team. Read part one here.
Michael Trevett is the Director for UK & Ireland at Mandiant. Michael has taken up a number of CISO and Director roles across a range of different industries, from Government to Finance and Consultancy.
He has seen the role of CISO evolve over the last 15 years and now, in his role at Mandiant (the consulting and services part of the FireEye business) has three main responsibilities: incident response and threat hunting, proactive services (threat intelligence-led Red Teaming and attack simulations) and strategic services (helping organisations build resilience and be prepared for attacks).
Working across those three pillars, Michael has seen the full spectrum of responses through his clients. For the most part, companies have needed to react very quickly to suddenly having a remote workforce and have, for the most part, been successful in doing so.
“Pre-Covid, individuals have tended to be clustered together into offices or common workspace, where they can join directly to the corporate backbone for the use of their technology. With the pandemic, businesses were forced to scale some of the solutions they already had, and in some cases, implement solutions that they didn’t have previously to allow their teams to work remotely and their businesses continue to operate. Generally, I think a lot of organisations did a really good job of that.”
Necessity, it would seem, is the mother of invention. With that in mind, there were always going to be some challenges because of how diverse our workforce is. Changes happened quickly, and at scale but more still needs to be done to ensure we remain safe while working from home.
Working from home comes with all sorts of benefits, the most important being the increased levels of flexibility afforded to the individuals.
While true remote working cuts out the commute, it doesn’t automatically mean that time becomes free. In fact, it requires high levels of discipline, usually developed over years of remote working, to stick to a routine and make that extra time work for you.
As a result, many of us will agree that we’re starting work earlier and finishing later during this time. This, for Michael, is an added complication for security teams everywhere.
“It’s too easy for everything to blend into one big blur. People are tired, and when people are tired, consciously or not, they look for shortcuts.”
Whereas before you might get up and go and talk to IT or Finance to find an answer to a particular problem, remote working can present barriers to some individuals that lead them to bend or break important processes.
“We’ve encouraged clients to put psychological ‘firebreaks’ in place to avoid the burnout that can have a big effect on security. These can be as simple as an informal team call at the end of the week to just touch base with people and separate the working week from the weekend.”
Moving to remote working at scale means a lot of data that would normally be protected by the ‘castle walls’ of your perimeter are now outside of your environment. This means that the way your team connects to core systems and networks has to be at least as secure, if not more secure, than when they were connecting while in the office.
For Michael, the best place to start is with VPNs and Two-Factor Authentication for devices.
“That stuff (remote working solutions) you might normally want to plan over 18 weeks or 18 months, you now need to stand up in 18 days.”
It’s also important that you’re aware of the divide in devices. Corporate devices, that have a connection to the network from the get-go, can be centrally managed and updated with minimal interaction needed from the user.
“If you can only apply patches when the devices are connected to the VPN, you need to make certain that your teams know that. And if all the patches come out on a Saturday, they need to leave the machines plugged in and switched on and connected to the VPN on Saturday, whatever it’s going to be, because otherwise, you risk creating a vulnerability.”
Companies that operate a bring your own device (BYOD) policy have a slightly different remit with devices that come with their whole own set of challenges.
“If there were an incident and you want to take someone’s BYOD device away and run a whole bunch of forensics – is someone going to let you have their personal iPad? It sounds like a trivial example. But it’s only trivial until you say, “I need you to give me your device for an investigation” and someone says “No”. Or if it’s stolen, and it contains corporate data, do you have the right to do a remote wipe? Have you got the capability and the right to do that? All of these kinds of things (and many more) need to be really thought through with bringing your own device. Yeah, it’s fine that there are ways to manage BYOD successfully. But it needs to be carefully considered.”
Rob Horne is a Principal Consultant at Commissum and leads the Advisory Service. After falling into computers and networks in the mid 90’s, Rob has worked a number of cybersecurity roles over his career from consultancy to IT security manager.
Although Commission has traditionally been focused on pen testing, Rob, who joined Commissum in July 2018, has been growing the consultancy side of the business through the Advisory Service.
“We’re continually looking at ways we can improve the traditional approach to consultancy, We see our role very much as a partner; there to continuously help our clients deal with their problems and reduce their overall risk, not just produce one-off reports with long lists of recommendations.”
Having worked in security and dealt with numerous breaches for the best part of 15 years, Rob has seen it all when it comes to attacks;. nothing Rob is seeing now from his wide portfolio of clients is a surprise, but the new way of working means there are new factors to consider and new attack vectors.
A combination of high-profile breaches, like the recent cyber attack on Manchester United Football Club, and security now increasingly being seen as a board-level issue, has brought about a shift in perceptions. In many organisations, security is no longer being seen as an afterthought and is being addressed closer to the start of development lifecycles.
It’s that changing of perception and perspective that has led many organisations to change their practices; this is certainly a step in the right direction, but if it isn’t supported with revised policies that help people in the new normal – they will show diminishing returns.
“We’ve heard of people using the ironing board as a desk. This is an uncomfortable situation, you’re going to get distracted. And you’re going to take shortcuts. If we do carry on like this we will need to see formal recognition of these issues and the risks they introduce to better reflect the new working conditions.”
At the top of any security agenda for Rob is security awareness. So often overlooked, the education piece can be incredibly powerful when supported by a wider business model and commitment to security culture.
“Security is not throwing money at things, it’s behaving in a certain way. You can improve security by creating the right policies and procedures, and instilling a culture within the business that says we take this seriously.”
This can be a bit of a tough line to walk with many viewing the security department as corporate enforcers of the rules. Nine times out of ten, however, it’s simply down to a lack of awareness of what security does and how it enables the organisation to achieve better results.
“I’ve dealt with people who don’t see the value. Then you sit down with them and take them through it: ‘if we don’t do this, that could happen.’ You can see a light go on and they’ll then go on to convince their colleagues of the value.”
As far as actions businesses can take right now to make their teams more secure while working remotely, Rob recommends focusing on the basics that have been made even more important due to the change of environment.
“It comes down to what’s different in the home to the office. Don’t do anything you wouldn’t in the office. For example, think about your home network, who else is on that network? Have you given the Wi-Fi password to your next-door neighbours? It’s all about looking at what’s different, making people aware of what’s changed, and providing the support needed to ensure new risks are dealt with.”
Gavin Solomon is a Senior Consultant and Penetration Tester at Crossword Cybersecurity. Gavin entered Cybersecurity from a career in development after highlighting security risks in the systems he was working with. After learning the ropes of penetration testing himself and developing a passion for security in general, Gavin moved to Crossword in 2019 and hasn’t looked back.
“At Crossword I’ve got the support of other people who’ve worked in security for quite a long time. But also, I’m not just focusing on one technology. In my last firm, they just used a limited range of platforms. And obviously, I had the advantage of familiarity, having developed some of their apps myself or had a hand in them. At Crossword, we dip into and out of a whole wide range of different technologies from all our clients. So I get much more variety now than I ever had before.”
Crossword is divided into two parts, Crossword Cybersecurity itself and Crossword Consulting. Gavin works for the consulting division and perform IT security audits, penetration testing and more. Crossword also has a number of products that help organisations on their cybersecurity journey. One such product, Rizikon, looks at supplier assurance which is often one of the biggest weaknesses in organisations.
While Gavin hasn’t seen an increase in attacks that target technical vulnerabilities during the Covid period, he has seen an increase in social-engineering attacks that target people and the changes they are currently going through.
“I think it’s targeted more towards the way people work. You know, people receive emails on something that seems perfectly plausible in the current climate, and they’re persuaded to do various things. There have been attacks that have taken advantage of the way people think and the way they are having to work. Attackers have manipulated that.”
For Gavin, it is also crucial that security teams build robust processes for ensuring machines are kept up to date. Hard work done on ensuring the initial protection is in place can be undone by devices and networks that are not kept topped up with the latest patches.
“Make sure that employees who are using company equipment off-site are applying the latest patches, keeping their machines updated with the latest fixes, not just the operating system patches, but also keeping applications up to date.”
