- January 31, 2023
- Category remote work
Your IT People Are Worried About Remote Work Security
If you haven’t fully adjusted to the era of remote work, your IT team leader has something to say about security.
According to a new Cisco Systems survey, the increasing number of employees working remotely today – even as some employees head back to the office – is stressing out both business leaders and those responsible for security, and a big culprit is unregistered devices.
The Cisco survey found that 84% of 6,700 respondents, including 81% of the 300 Canadian respondents, said that working remotely has increased cybersecurity risks to their organization, and nearly a percentage of respondents cite unregistered devices used by employees in support of remote work as the likely cause of security incidents. Unregistered devices might include laptops, tablets, and smartphones, the survey said.
In general, Cisco found that in the early days of the pandemic when the sudden shift to remote work occurred, security became an afterthought, as noted by a Cisco exec interviewed by IT World Canada. The reason security tends to take a back seat when employees work from home is that they want a similar experience to working in the office, but they don’t want security controls that make it harder to do their jobs. In addition, remote work isn’t just about working from home – employees now want the option of working anywhere.
Meanwhile, the International Association of IT Asset Managers (IAITAM) has similar concerns about the impact of remote work on organizational security, echoing the Cisco survey’s observation that security wasn’t top of mind when the initial rush to remote work occurred in March 2020. Not only are personal devices being used by remote workers to access the corporate network contributing to security issues, but there’s also “low-tech breach” danger if organizations don’t have proper IT asset disposal procedures, IAITAM warns.
Having a proper asset disposal program for computer hardware is just as important for remote work security as having a strategy for warding against employee errors, rogue employees, errant third-party vendors, and outside hackers, advises IAITAM. Any asset disposal program should include certified data drive sanitization or destruction, and robust tracking of the disposal process so that data thieves aren’t gaining access to mission-critical business information.
Monitoring the lifecycle of computer hardware used for remote work can be especially complex if it includes personal devices, but asset management is critical to any organization’s security strategy. If you don’t have a program in place, consider consulting your managed service provider for support.
- January 17, 2023
- Category remote work
Remember the basics of remote work security
At the risk of sounding like a broken record, remote work isn’t going away, so you always need to be mindful of some core security measures that protect what looks to be a perpetual hybrid workplace.
These measures are both technical and cultural in nature – your people are just as critical as the security technology you deploy to accommodate remote work.
The most obvious step you can take on the technology front is to regularly update and monitor your network security. This includes applying the latest security patches and upgrades to all devices, including updates to operating systems as well as keeping your antivirus and antimalware programs current. Don’t forget hardware updates such as those for your routers and switches, either.
A strong technology foundation is critical to remote work security and should also include secure VPN access for any employee working outside the office, as well as multi-factor authentication (MFA), both of which lay the groundwork for creating a Zero Trust environment. Also essential are tools for monitoring your environment so you have a complete understanding of what’s connected to your infrastructure, whether it’s devices that support remote work or other devices and services, including internet of things (IoT) devices. You should be able to interrogate the network so you can know for certain how every connected device behaves at the packet level.
In the era of remote work, MFA is a must have, and illustrates how critical the intersection of technology and people is to security. Employing MFA recognizes that even the best passwords can be broken and that the users who select and use them make mistakes. This is where employee education comes into play so all users, remote or otherwise, understand good password etiquette and the benefits of adding another layer of security with MFA.
User education is also the best defence against phishing emails, which remain the most common threat to your sensitive data. The upheaval of the pandemic has made for good cover for threat actors who send convincing emails that open the door to malware and ransomware.
The culture of your organization has always been critical for maintaining robust security, and the sudden switch to remote work was a stark reminder of that. Even as many employees return to the office, it’s a great time to remind your entire team that remote work requires the same level of attention to best practices around storing and securing mission-critical data.
The return to the office should also be seen as an opportunity to take another look at your entire security strategy – consider tapping into the expertise of a managed service provider to help you re-evaluate and refresh your technology and best practices.
- September 15, 2022
- Category IT management
Are you ready to support the hybrid office?
If you’ve got employees coming back to the office while still allowing staff to work from home, you’ve created a hybrid office environment that can create challenges when onboarding staff, providing ongoing support, and securing a vast array of endpoints.
In some ways, having everyone work remotely is more straightforward – when you have employees coming and going from the office, the environment becomes even more dynamic because the definition of hybrid work can vary depending on how you manage it and on company policy. Consider the different scenarios:
- The “at-will and remote-first” approach means employees are empowered to prioritize working remotely
- An “office-first” policy falls at the other end of the spectrum and resets the organization to pre-pandemic norms
- “Split weeks” mean days are assigned as either remote or office-based according to a schedule while certain employees might be assigned to be in the office on a week-by-week basis
- Some organizations are designating who must be in the office and who can work from home on a team-by-team basis
No matter what you choose, a hybrid work environment reinforces the need for a cloud-first approach for business applications and robust cybersecurity. You also need to support collaboration for remote workers and those who opt to be back in the office – and everything in between. A hybrid approach may also mean people no longer have assigned workspaces – hotdesking adds complexity to workstation support and endpoint security, which should always be a high priority. Employees who are on the move risk bringing threats to the office with them.
The emergence of the hybrid office comes at a time when threat actors are upping the ante and exploiting as many attack surfaces as they can – it can be difficult for your IT team to keep on top of everything, and it takes time away from more strategic initiatives such as digital transformation.
Even before the pandemic and shift to remote work, your IT team was under a lot of pressure to secure infrastructure and protect customer data. If you haven’t already turned to your managed service provider (MSP) to help you bolster cybersecurity, a hybrid work environment should be your tipping point. They can take charge of many security tasks that can otherwise bog down your IT staff, such as overseeing antivirus software and firewalls, and even identity management for all workers, no matter where they decide to work.
If your MSP is helping you with a cloud-first approach, they’re able to monitor your end-to-end infrastructure, including every workstation in the office or at an employee’s home office. They can take charge of onboarding employees so they can access business applications from anywhere and deliver security training services.
Getting a handle on what the hybrid work environment means for your business and relevant IT requirements is an excellent opportunity to expand your relationship with your MSP. Not only can they securely provision and manage the services you need, but also help you better understand your workforce in this new, dynamic landscape so you can enhance service delivery to your customers and maximize employee productivity.
- July 14, 2022
- Category remote work
How SMBs can begin to implement zero trust
We’ve already talked a lot about the benefits of zero trust for securing your organization, but if you’re a small or medium-sized business looking at how to implement zero trust, it can be easy to get overwhelmed.
Your managed service provider (MSP) can be a great resource for implementing zero trust, and all things security, too. And while zero trust can greatly improve your security posture, it’s not the only thing you should be doing.
Implementing zero trust requires technical expertise and dedicated IT staff, and you’ll increase your odds of success if you break down your implementation into smaller, more manageable tasks. Different security vendors offer different frameworks, but regardless of the cybersecurity tools you deploy, implementing zero trust can be broken down into four elements:
- A system for tracking everyone on your network, their location and what applications and data they are accessing
- Selecting security tools, including next-generation firewalls, intrusion detection systems, and identity access management
- Comprehensive guidelines that outline who can access your network and resources, when and from where
- Network monitoring capabilities that track and log all traffic, both external and internal, that can establish a baseline to make it easy to spot suspicious activity and remediate it
A zero-trust model will greatly reduce your overall risk by limiting the impact and severity of a cyberattack. Even if you fall prey to an attack, implementing zero trust will reduce the cost to your business, including penalties related to regulatory compliance. Zero trust also increases visibility for your IT staff because it enables them to see who is on the network and granularly segment access – even employees are strictly managed to only access resources that are related to their responsibilities. In addition, what they are allowed to access requires multifactor authentication.
Implementing zero trust shouldn’t be your only strategy for securing your organization, but it has a high success rate of mitigating the damage caused by threat actors, especially social engineering attacks. A managed service provider can help you get started with the four key elements of zero trust as well as determine what other tools and policies can improve your security posture.
- May 12, 2022
- Category remote work
Disruption is an opportunity for improving security
The pandemic has been a challenge from a security perspective, but it can also be viewed as an opportunity to review your best practices, your cybersecurity tools, and the role of a managed service provider.
The move to remote work two years ago was quite sudden, and left many organizations caught off-guard. If they were in the process of moving to more cloud-based services, the pandemic accelerated that migration. It also brought to light security challenges that could not be ignored because the number of endpoints suddenly grew exponentially with the bulk of their employees working from home.
As Dell’Oro Group’s Mauricio Sanchez recently pointed out in a blog post about the top five demands and challenges faced by CISOs, the massive disruption of the pandemic compounded the rate of technology and threat change, provided an impetus for looking at security problems in new ways, and drove investment that would not have been possible in a non-pandemic environment.
While small and medium-sized businesses rarely have a C-level executive in charge of security or even a CIO, there are lessons they can take from observing the cybersecurity trends affecting large enterprises.
Sanchez notes that the security vendor landscape is highly fragmented, so if a CISO is trying to sort through many options, don’t feel bad as an SMB if you’re feeling a little lost about what to implement and who to work with.
It’s important not to be tempted by new and shiny security products simply because they are new and shiny. The products and services you choose should be guided by an understanding of what needs to be protected in your organization, both on-premises and through your distributed workforce. Vendors do have a role in helping you secure your organization by developing security controls and technologies that will benefit you, but bi-directional communication is essential.
For smaller organizations, it’s often best to engage with a managed service provider who can keep abreast of the rapidly evolving landscape of threats and available cybersecurity products. They can help navigate the options, evaluate your current security posture, and implement and manage what works best depending on the nature of your business.
Consider Zero Trust, but remember it’s a strategy, not a product
The shift to remote work has given Zero Trust increased traction, but whether you’re a big enterprise with a CISO or a smaller organization with limited IT resources, don’t confuse tactics and strategy.
As Dell’Oro’s Sanchez notes, Zero Trust is a valuable strategy but it’s not a product you can buy. Having a coherent strategy and understanding what needs to be protected will help you avoid wasting your IT budget on products that do very little to improve security. Simply buying a “zero trust” product could create a false sense of security, he says, and ultimately lead to your business being compromised.
Even if you’re confident that they are the right fit for your organization, buying the latest and greatest security solutions only goes so far if you don’t have a firm handle on the fundamentals. A managed service provider with security expertise can help you best understand how a Zero Trust strategy can be implemented, and what tools you need to support it.
- April 14, 2022
- Category Collaboration
Any business can benefit from a UCS
If you’re an SMB who thinks a unified communication system (UCS) is a luxury for large organizations, think again.
With remote work still the norm even as employees head back to the office, having the right tools for remote workers is essential for attracting and retaining talent by offering flexibility to your team, as well as maintaining competitive advantage in your industry through efficiency and productivity.
A UCS enables distributed employees to collaborate effectively by pulling together all the communications and file sharing tools they need into a single platform, including calendaring, video conferencing, voice calling, chat and email. Together, your staff can communicate, share information, and easily keep everyone in the loop through advanced project management capabilities and cloud-based storage.
The right UCS platform will work with multiple devices, too, with an emphasis on mobile device optimization to enable employees to connect from anywhere. Your chosen UCS should balance simplicity to ensure an intuitive experience for all users while also offering advanced functionality such as one-button push to join, in-meeting chat, call-in and callback, and whiteboard capabilities.
If you’re already invested in cloud-based business tools such as Microsoft Office 365, Google Docs, and popular customer relationship management (CRM) software, you can integrate them and other software with a UCS through application programming interfaces (APIs). Any UCS should readily integrate with your existing IP network or on-premises IP telephony network.
All these capabilities and integrations might suggest that adopting a UCS is an expensive, complicated proposition best left to a large organization with an in-house IT team, but because today’s UCS solutions are cloud-based, it’s feasible and relatively easy to adopt and scale up a UCS in line with the growth of your business and headcount. A cloud-based UCS streamlines ongoing management, so it’s easy to add users, devices and locations and keep an eye on all of them through a centralized, holistic dashboard.
Adopting the right UCS sets your employees up for success in an era of hybrid work, no matter where they’re working, enabling them to connect and collaborate cohesively to keep your business competitive. If evaluating and deploying a UCS still seems overwhelming, you don’t have to go it alone. A managed service provider can help you select the best platform for your needs and integrate with your existing telephony and productivity apps, as well as understand how a UCS aligns with your broader business goals.
- August 18, 2021
- Category Culture
Success of the hybrid office hinges on a “remote first” approach
It’s time to formalize the hybrid office.
While remote work has been supported by many organizations long before the pandemic, many are still flying by the seat of their pants. Businesses must recognize that not all employees will be returning to the office full time and that many will continue to expect flexibility.
Remote work can no longer be reactive
After nearly 18 months, organizations can no longer view remote work as a short-term response—it now must be done with intention if the hybrid office is to effectively function. Remote work needs to be by design to ensure better collaboration and team building that creates a culture of success. Efforts to support remote work must be strategic and company-wide, and it can’t be up to individual employees working offsite to figure out technology solutions, workflows, and processes.
The successful hybrid office requires structure and consistency. The C-suite must play a role in developing a culture as well as policies that foster a healthy work environment while thinking about how technology plays a role in the employee experience so they can work independently and collaboratively.
IT must collaborate with business leaders
The hybrid office means IT teams must adapt to best support remote workers, as well as workers who may straddle both home and office environments.
This includes providing the right equipment or onboarding personal devices to ensure they can be used securely with corporate IT infrastructure, as well as revamping and automating work processes. In addition to providing the necessary collaboration technology, IT must also collaborate with every line of business and the C-suite to create a successful hybrid office culture that’s both productive and secure.
Gone are the days where a handful of employees are working from home or on the road; IT teams must assume every employee may be working remotely sometimes and contribute to providing a level playing field for all staff. While company leadership is critical to setting the tone for a successful hybrid workplace, input from employees should be included when crafting new policies and guidelines, including employee performance metrics—it’s no longer about how many hours you’re in the office.
Technology is a critical collaboration enabler
When the office is no longer where everything happens, collaboration technology becomes even more essential.
If you only just began implementing collaboration tools company-wide because of the pandemic, now’s the time to formalize the platforms that allow remote workers to be productive and work together effectively. It’s not just about videoconferencing to replicate the in-person meeting experience; you need a robust digital collaboration environment that supports efficient workflows and recognizes that people will be working asynchronously because locations and schedules will be inherently more flexible.
The hybrid office is here to stay for the long haul. A “remote work first” approach is essential for any organization that wants to maintain competitive advantage and grow its bottom line.
- May 18, 2021
- Category remote work
Remote Work Drives Zero Trust Security Adoption
The Zero Trust model for security isn’t new, but it’s getting more attention due to the massive shift to remote work.
Also known as the Zero Trust Network or Zero Trust Architecture, it’s a model that was first created more than 10 years ago by then Forrester Research analyst John Kindervag. It has since become more mainstream thanks in part to the evolution of security technologies, but also because remote work has made it more challenging to secure enterprise networks.
The ABCs of Zero Trust
Zero Trust isn’t just a suite of technologies you buy. It’s a security model based on the foundational belief that an organization shouldn’t automatically trust anything inside or outside its perimeter—every connection must be verified, whether it’s an endpoint, switch or IP address, if the organization is to prevent breaches.
Even before the massive uptick in remote work last year, the Zero Trust model recognized that organizations already have an increasingly porous network perimeter—it was no longer a castle surrounded by a moat. The old model assumed everything already inside was cleared for access. The Zero Trust model is a paradigm shift in that it assumes everything is a threat until it’s certified safe. It also recognizes that once a hacker gains access via a single vulnerable spot, they can easily move around the enterprise network and attain increasing levels of access.
Zero Trust combines technologies with governance policies to segment access at a granular level, taking into account the user, their location, and other information to decide whether to authorize any user, device or application. It’s not enough to authenticate the user, even if it is the CEO or CFO; the device they are using to gain access to the enterprise network, and where they are physically, must be verified too. Even if the user can be authenticated, policy may decide that the location—a coffee shop Wi-Fi hotspot, for example—isn’t secure enough. Or, it may decide that the user can’t access the network with a personal device, only one that was issued by the organization.
While technologies such as multifactor authentication, analytics, encryption, and file system permissions all play a role in a Zero Trust architecture, governance policies and good habits are just as critical to realizing its benefits, and that includes remote work environments.
Applying Zero Trust to Remote Work
For organizations to truly benefit from a Zero Trust model in the era of remote work, the same mindset must be brought into the home.
Whether they’re accessing the Internet for work or personal reasons, users need to apply a Zero Trust approach that keeps the wrong people out. And it’s more than just security awareness training or a strong password policy. Users at home should always be questioning every interaction online, including emails and texts with links, and communications that seem out of character for the sender, even if they appear to come from an official source. Phishing attempts and other attacks rely heavily on complacency, so Zero Trust requires vigilance out of habit.
A common threat to enterprise network security in the remote work era is sharing passwords across work and personal devices and granting access to corporate devices to family members for personal use. The average person may think this is harmless, but a Zero Trust model requires that every employee think about their behaviour from a security perspective. Careless use of a corporate device by a family member could compromise the enterprise network and lead to a data breach.
Zero Trust means password and device sharing is a no-no. Every home user should have their own separate passwords and device as much as possible, and devices should either be for personal use or corporate use, not both.
These habits and overall mindset are essential to successfully applying a Zero Trust approach to security in the organization, regardless of where employees are doing their work. Having the right technology is a critical enabler, but you need the right governance policies and employee engagement if you’re to fully secure your business.
- April 29, 2021
- Category remote work
5 Things You Can Do to Secure Remote Work Environments
If you’re looking for ways to secure remote work environments, there’s no shortage of dos and don’ts.
And while there’s always a danger of impeding employee productivity with cumbersome security, there are policies and procedures that balance threat protection with efficient business operations so that you can secure remote work environments without creating barriers to getting things done. Often, it’s just as much about how you implement security, not just what you implement.
Encryption should be end to end
Security implementation should never be half-hearted, which is why bi-directional encryption of data and communications is an essential enabler of secure remote work environments. Ideally, you should embrace the cloud so you can leverage a web platform that is completely secure so it’s the primary means for remote employees to get their work done. You should also use strong VPN connections to secure remote work environments. All it takes is one vulnerable employee to be exploited by a threat actor to put your entire network at risk.
Secure all devices
Similarly, all workstations and devices accessing applications and data via your network must be fully secured without any workarounds—that includes the executive team. Giving one employee a pass to use a smartphone or laptop that doesn’t adhere to security policies and procedures is a data breach waiting to happen. Take advantage of tools that evaluate the vulnerability of all devices, and make sure all of them can be managed and updated from a central location by the IT team.
Contain any breaches
Because it only takes one device or one employee to open the door to the broader network, you need to secure remote work environments in such a way where access to a single workstation doesn’t lead to wider access to other systems. Your policies, procedures and chosen tools should mitigate against a domino effect where a single intrusion via one employee’s credentials or workstation can lead to threat actors taking down other systems or your entire network.
Clearly define security policies and communicate goals
Secure remote work environments are more likely to stay secure if you clearly outline security objectives and make it easy for employees to comply. Otherwise, they will find workarounds to make their lives easier, thereby making any security policies and procedures ineffective.
Put someone in charge
Even smaller organizations should designate someone to act as their Chief Information Security Officer (CISO), even if it’s not their only duty on the IT team. The organization will benefit from someone taking point on all things security, including the selection and implementation of tools, the development of policies and procedures, and being the point of contact for both employees and the executive team.
Even if you do have an IT team member who takes on responsibility for security, you may find there’s value in getting external support to help secure remote work environments. A Managed Security Services Provider can help you evaluate your current security posture, make recommendations, and help deploy the right tools, either on a project-by-project basis or through an ongoing partnership.
- April 19, 2021
- Category remote work
Remember these do’s and don’ts for securing remote workers
Securing remote workers is a never-ending job, regardless of how many there are at your organization, because there are always new threats and new attack surfaces to protect.
After a while, it becomes clear to any cybersecurity expert that there are both do’s and don’ts when it comes to securing remote workers. These lessons are based on hard-won experience—in some cases because they’ve experienced a serious breach. However, there’s no reason that every organization needs to learn the hard way, so here are some of the top mistakes your organization and your employees should avoid when securing remote workers, followed by do’s that are proven to work.
What not to do when securing remote workers
There are many things employees shouldn’t do with their office computer, and it’s important that you have policies in place to keep them from doing them.
- Don’t tolerate workarounds: Good security should never get in the way of employee productivity or impede business success, but it’s not uncommon for cybersecurity practices to constrain workers so much that it prompts them to find a way around a security policy. These workarounds might include employees using personal computers to access corporate networks and data without proper vetting by IT, exchanging documents using their personal email addresses, or saving passwords in their browsers. Employees need to understand the rules are there for a reason.
- Don’t ignore warning signs: With more workers at home, it’s even harder to keep an eye on your fleet of workstations, so you need to make sure employees aren’t ignoring any hints that their computer at home is under attack. Unexpected browser pop-ups or a sudden change in user settings are signs that unauthorized changes have been made and that the employee’s workstation has been compromised. Ignoring these signs could lead to a much bigger problem that could impact the network security of the entire organization.
- Don’t let family use the company computer: With a corporate workstation at home during the pandemic, family members of remote workers may be tempted to use it for non-work-related activities that can lead to clicking on a link that infects the device and compromises company data and applications.
- Don’t delay software updates and patches: When employees are in the middle of getting work done, they may be inclined to postpone much needed software updates and scheduled security scans when prompted. But the best way to keep workstations secure, no matter where they’re located, is by making sure they have the latest software updates, virus definitions, and other patches. Even in the era where many use Software-as-a-Service (SaaS) applications, operating system and application updates are still critical for robust security.
A few do’s that can go a long way
Some of the above don’ts suggest some do’s that should be happening instead, but here are a few other key do’s that go a long way to securing remote workers.
- Empower and train your workers: If employees understand why security measures are put in place and are given ways of getting things done quickly and efficiently without workarounds, they’re a great asset for protecting the organization. When you have the right people with the right training, it’s hard for a threat actor to gain a foothold within your network.
- Make the move to the cloud: If you haven’t already, migrate your data and applications to the cloud as much as possible. The fewer applications and data that reside on the workstation, the better. While SaaS security has its own set of challenges, a centralized cloud approach is easier to manage, especially in a pandemic, and easier anytime for SMBs with limited IT resources.
- Take a zero-trust approach: The cloud can be an effective security enabler for taking a Zero Trust Network Access (ZTNA) stance. It’s a mindset that’s becoming increasingly preferred because it assumes anything in a network can be a threat and separates remote workers from the network. User access is determined by a third-party cloud provider that manages verifications and access to applications. If users don’t have the credentials, then they can’t access data and applications they’re not supposed to, even if they are legitimately employees of the company.
- Get a second opinion: When it comes to evaluating your security posture, it never hurts to get an outsider to take a look at what you’re doing and make sure it’s aligned with your goals. And if you’re new to securing remote workers, a Managed Security Services Provider can fill in the gaps, whether it’s just a risk assessment with recommendations or helping with ongoing management of your network security.
The security landscape is dynamic even when you don’t have many employees working from home. Having clear policies and procedures in place is an important foundation for securing remote workers, but partnering with a managed services provider that can help you leverage the cloud, implement best practices and policies, and spot common pitfalls can improve your overall security posture no matter how many remote workers you have.