- May 18, 2021
- Category Security
The Zero Trust model for security isn’t new, but it’s getting more attention due to the massive shift to remote work.
Also known as the Zero Trust Network or Zero Trust Architecture, it’s a model that was first created more than 10 years ago by then Forrester Research analyst John Kindervag. It has since become more mainstream, thanks in part to the evolution of security technologies, but also because remote work has made it more challenging to secure enterprise networks.
The ABCs of Zero Trust
Zero Trust isn’t just a suite of technologies you buy. It’s a security model based on the foundational belief that organizations shouldn’t automatically trust anything inside or outside their perimeter—every connection must be verified, whether it’s an endpoint, switch or IP address, if the organization is to prevent breaches.
Even before the massive uptick in remote work last year, the Zero Trust model recognized that organizations already have an increasingly porous network perimeter—it was no longer a castle surrounded by a moat. The old model assumed everything already inside was cleared for access. The Zero Trust model is a paradigm shift in that it assumes everything is a threat until it’s certified safe. It also recognizes that once a hacker gains access via a single vulnerable spot, they can easily move around the enterprise network and attain increasing levels of access.
Zero Trust combines technologies with governance policies to segment access at a granular level, taking into account the user, their location, and other information to decide whether to authorize any user, device or application. It’s not enough to authenticate the user, even if it is the CEO or CFO; the device they are using to gain access to the enterprise network, and where they are physically, must be checked as well. Even if the user can be authenticated, policy may decide that the location—a coffee shop Wi-Fi hotspot, for example—isn’t secure enough. Or, it may decide that the user can’t access the network with a personal device, only one that was issued by the organization.
While technologies such as multifactor authentication, analytics, encryption, and file system permissions all play a role in a Zero Trust architecture, governance policies and good habits are just as critical to realizing its benefits, and that includes remote work environments.
Applying Zero Trust to Remote Work
For organizations to truly benefit from a Zero Trust model in the era of remote work, the same mindset must be brought into the home.
Whether they’re accessing the Internet for work or personal reasons, users need to apply a Zero Trust approach that keeps the wrong people out. And it’s more than just security awareness training or a strong password policy. Users at home should always be questioning every interaction online, including emails and texts with links, and communications that seem out of character for the sender, even if they appear to come from an official source. Phishing attempts and other attacks rely heavily on complacency, so Zero Trust requires vigilance out of habit.
A common threat to enterprise network security in the remote work era is sharing passwords across work and personal devices and granting access to corporate devices to family members for personal use. The average person may think this is harmless, but a Zero Trust model requires that every employee think about their behaviour from a security perspective. Careless uses of a corporate device by a family member could compromise the enterprise network and lead to a data breach.
Zero Trust means password and device sharing is a no-no. Every home user should have their own separate passwords and devices as much as possible, and devices should either be for personal use or corporate use, not both.
These habits and overall mindset are essential to successfully applying a Zero Trust approach to security in the organization, regardless of where employees are doing their work. Having the right technology is a critical enabler, but you need the right governance policies and employee engagement if you’re to fully secure your business.
- April 29, 2021
- Category Security
If you’re looking for ways to secure remote work environments, there’s no shortage of dos and don’ts.
And while there’s always a danger of impeding employee productivity with cumbersome security, there are policies and procedures that balance threat protection with efficient business operations so that you can secure remote work environments without creating barriers to getting things done. Often, it’s as much about how you implement security as what you implement.
Encryption should be end to end
Security implementation should never be half-hearted, which is why bi-directional encryption of data and communications is an essential enabler of secure remote work environments. Ideally, you should embrace the cloud so you can leverage a web platform that is completely secure so it’s the primary means for remote employees to get their work done. You should also use strong VPN connections to secure remote work environments. All it takes is one vulnerable employee to be exploited by a threat actor to put your entire network at risk.
Secure all devices
Similarly, all workstations and devices accessing applications and data via your network must be fully secured without any workarounds—that includes the executive team. Giving one employee a pass to use a smartphone or laptop that doesn’t adhere to security policies and procedures is a data breach waiting to happen. Take advantage of tools that evaluate the vulnerability of all devices, and make sure all of them can be managed and updated from a central location by the IT team.
Contain any breaches
Because it only takes one device or one employee to open the door to the broader network, you need to secure remote work environments in such a way that access to a single workstation doesn’t lead to wider access to other systems. Your policies, procedures and chosen tools should guard against a domino effect where a single intrusion via one employee’s credentials or workstation can lead to threat actors taking down other systems or your entire network.
Clearly define security policies and communicate goals
Secure remote work environments are more likely to stay secure if you clearly outline security objectives and make it easy for employees to comply. Otherwise, they will find workarounds to make their lives easier, thereby making any security policies and procedures ineffective.
Put someone in charge
Even smaller organizations should designate someone to act as their Chief Information Security Officer (CISO), even if it’s not their only duty on the IT team. The organization will benefit from someone taking point on all things security, including the selection and implementation of tools, the development of policies and procedures, and being the point of contact for both employees and the executive team.
Even if you do have an IT team member who takes on responsibility for security, you may find there’s value in getting external support to help secure remote work environments. A Managed Security Services Provider can help you evaluate your current security posture, make recommendations, and help deploy the right tools, either on a project-by-project basis or through an ongoing partnership.
- April 19, 2021
- Category Security
Securing remote workers is a never-ending job, regardless of how many there are at your organization, because there are always new threats and new attack surfaces to protect.
After a while, it becomes clear to any cybersecurity expert that there are both do’s and don’ts when it comes to securing remote workers. These lessons are based on hard-won experience—in some cases because they’ve experienced a serious breach. However, there’s no reason that every organization needs to learn the hard way, so here are some of the top mistakes your organization and your employees should avoid when securing remote workers, followed by do’s that are proven to work.
What not to do when securing remote workers
There are many things employees shouldn’t do with their office computer, and it’s important that you have policies in place to keep them from doing them.
- Don’t tolerate workarounds: Good security should never get in the way of employee productivity or impede business success, but it’s not uncommon for cybersecurity practices to constrain workers in ways that prompt them to find a way around a security policy. These workarounds might include employees using personal computers to access corporate networks and data without proper vetting by IT, exchanging documents using their personal email addresses, or saving passwords in their browsers. Employees need to understand the rules are there for a reason.
- Don’t ignore warning signs: With more workers at home, it’s even harder to keep an eye on your fleet of workstations, so you need to make sure employees aren’t ignoring any hints their computer at home is under attack. Unexpected browser pop-ups or a sudden change in user settings are signs that unauthorized changes have been made and that the employee’s workstation has been compromised. Ignoring these signs could lead to a much bigger problem that could impact the network security of the entire organization.
- Don’t let family use the company computer: With a corporate workstation at home during the pandemic, family members of remote workers may be tempted to use it for non-work-related activities that can lead to clicking on a link that infects the device and compromises company data and applications.
- Don’t delay software updates and patches: When employees are in the middle of getting work done, they may be inclined to postpone much needed software updates and scheduled security scans when prompted. But the best way to keep workstations secure, no matter where they’re located, is by making sure they have the latest software updates, virus definitions, and other patches. Even in the era where many use Software-as-a-Service (SaaS) applications, operating system and application updates are still critical for robust security.
A few do’s that can go a long way
Some of the above don’ts suggest some do’s that should be happening instead, but here are a few other key do’s that go a long way to securing remote workers.
- Empower and train your workers: If employees understand why security measures are put in place and are given ways of getting things done quickly and efficiently without workarounds, they’re a great asset for protecting the organization. When you have the right people with the right training, it’s hard for a threat actor to gain a foothold within your network.
- Make the move to the cloud: If you haven’t already, migrate your data and applications to the cloud as much as possible. The fewer applications and data that reside on the workstation, the better. While SaaS security has its own set of challenges, a centralized cloud approach is easier to manage, especially in a pandemic, and easier anytime for SMBs with limited IT resources.
- Take a zero-trust approach: The cloud can be an effective security enabler for taking a Zero Trust Network Access (ZTNA) stance. It’s a mindset that’s becoming increasingly preferred because it assumes anything in a network can be a threat and separates remote workers from the network. User access is determined by a third-party cloud provider that manages verifications and access to applications. If users don’t have the credentials, then they can’t access data and applications they’re not supposed to, even if they are legitimately employees of the company.
- Get a second opinion: When it comes to evaluating your security posture, it never hurts to get an outsider to take a look at what you’re doing and make sure it’s aligned with your goals. And if you’re new to securing remote workers, a Managed Security Services Provider can fill in the gaps, whether it’s just a risk assessment with recommendations or helping with ongoing management of your network security.
The security landscape is dynamic even when you don’t have many employees working from home. Having clear policies and procedures in place is an important foundation for securing remote workers, but partnering with a managed services provider that can help you leverage the cloud, implement best practices and policies, and spot common pitfalls can improve your overall security posture no matter how many remote workers you have.
- January 28, 2021
- Category remote work
The move to remote work nearly a year ago accelerated cloud computing trends that were already in play. With no quick return to offices expected in 2021, businesses of all sizes should plan to prioritize further cloud and Software-as-a-Service (SaaS) investments to support distributed workforces, while being mindful of six key trends.
Cloud is enabling new ways of doing business
Moving to cloud computing or SaaS offerings isn’t just about getting on the latest technology bandwagon or saving money on capital or operational expenses. The cloud enables organizations of all sizes to do business better and make employees more productive across many departments, including finance, human resources and marketing, no matter where they are located. Cloud computing and SaaS also level the playing field to allow smaller businesses to compete with large competitors.
Security is a critical differentiator
Even with all these productivity gains from cloud computing and SaaS, the move to remote work has heightened the need for robust security, so organizations need to devote time, resources and attention to their security strategy to prevent breaches and disruptions that might impede any newfound productivity or cost them revenue through lost customers who lose trust.
Not everything will be in the cloud
Even as cloud computing and SaaS continue to take off to support distributed remote workforces, hybrid environments that mix on-site computing, storage, and services with public cloud offerings from vendors such as Amazon Web Services (AWS) or Microsoft Azure will become the norm, and everything will need to work together in concert, securely. Different providers will need to work together as they each get spooled up to meet the specific requirements of different lines of business within an organization.
A spring cleaning of all compute resources
Organizations will begin to realize not everything that got migrated to the cloud needed to be moved, so even as cloud computing adoption will continue to accelerate, it’s become clearer which workloads need to be in the cloud, and which ones should be winding down, including any outdated data that goes with them, to be even more efficient and get the best bang for the buck from their cloud spend.
Training across the board
Getting the most from cloud computing while keeping it secure will mean investments in training for IT staff as well as raising the cybersecurity awareness of workers across the board to adequately safeguard organizations as the era of remote work continues. Both cloud providers and their customers will want to make sure they’re providing entry-level knowledge of the cloud as well as creating advanced experts as a means to enable the business.
Consolidation of cloud providers
While it’s unlikely that an organization will want to put all their eggs in one basket—not all service providers are great at everything—they will want to keep the number of cloud computing environments and SaaS applications manageable. While larger enterprises will likely give most of the budget to the big players, smaller ones will likely want to work with a local managed services provider that will prioritize their business, help them navigate all the emerging cloud computing deployment options and guide them on the necessary governance and security.
If 2020 was all about a mad scramble to support a remote workforce and iron out the kinks, then 2021 will be about looking to the future with new investment in cloud computing and SaaS offerings while building on the foundation that was put in place.
- November 16, 2020
- Category remote work
If you’re still struggling to optimize remote collaboration across your now virtual organization, you’re not alone. However, it does look like it’s the new normal for the foreseeable future, so you should prioritize finding ways to improve how your team works together remotely.
There are several ways you can improve remote collaboration. Some of them involve leveraging technology, but many of them also involve managing people and understanding what they need to be successful working from home.
- Focus on results, not hours on a timecard: If you’re used to measuring how productive people are by seeing bums in chairs, moving to remote collaboration has probably been difficult for you. Rather than measure productivity by how many hours employees are clocking, start measuring performance based on output. If the work is getting done, you’re already closer to optimizing remote collaboration.
- Create a buddy system: Some employees adapt to remote work better than others, and some struggle because they no longer have their peers to support them in the office. Consider pairing people up with someone else in a different department with relatively the same seniority so they have someone else as a sounding board to bounce ideas, concerns and frustrations off of, and ultimately find solutions via the pairing.
- Be mindful of meetings: Most meetings could have been an email, and remote work doesn’t change that. Having virtual ones might look like a way to replicate the camaraderie of the office, but meetings should still be focused and organized with a clear agenda and purpose. If there are multiple people involved, have a facilitator to keep things on track and be sure everyone comes away clear on the next steps.
- Check in daily: While full-blown meetings should be few and far between, take advantage of remote collaboration tools such as Microsoft Teams or Slack to let everyone know what you’re working on that day and your pressing priorities. This enables everyone to better understand everyone else’s pressures and even step up to help if they can. It’s also a good way to structure your day so you get what you need to get done without getting sidetracked, and it’s output focused.
- Streamline communications channels: More isn’t better, and like an overflowing email inbox, having too many alerts and notifications in a remote collaboration tool is counterproductive. Let employees set boundaries around how connected they want to be while they work so they can be productive, but also set up a single channel everyone must subscribe to so they get the company-wide information they need on a daily basis.
- Get things done and be accountable: Whether it’s a next step agreed upon in a meeting or regulator best practices, it’s important to follow through on things. Keep track of commitments in a transparent way so everyone can take responsibility for what they agree to do.
- When in doubt, over-communicate: As much as we don’t want employees to be overwhelmed by notifications, alerts and messages in remote collaboration tools, don’t assume your colleagues know what they need to know. Use your daily check-in and the channels at your disposal to communicate everything you think might be valuable, as things can fall through the cracks when you don’t have daily, in-person interactions.
Full-time remote collaboration is new for most people, so at the end of the day you need to have empathy and remember that their home office environment may be different than yours. While it’s important to focus on getting things done and accountability, it’s also helpful to cut everyone a little slack during these stressful times.
- October 29, 2020
- Category remote work
Improving security for remote workers will hopefully be an inevitable consequence of the Covid-19 pandemic, and despite the inherent challenges, it should be a priority for IT teams.
Recent reports by Cisco looking at the future of secure remote work and consumer privacy found that IT buyers had been caught off-guard by the sudden shift of employees working from home, but are now speeding up adoption of technologies to support remote work. A majority of the 3,000 IT decision makers surveyed by Cisco rate cybersecurity as extremely important or more important than it had been before the beginning of the pandemic.
Guaranteeing access, securely
The biggest challenge for all IT teams regardless of an organization’s size has been improving security for remote workers, although providing the necessary access to the applications and data they needed came first. It comes at a time when the average consumer also values security and privacy as a social and economic issue, according to Cisco.
However, the company’s own research found there was a lot of work to be done by IT teams toward improving security for remote workers, as just over half were somewhat prepared for the accelerated transition earlier this year. Endpoints, including those owned by the organization, were cited as being the most difficult to protect, according to the Cisco survey, followed by customer information and cloud systems, with the ability to securely control access to the enterprise network being the biggest challenge.
Improving security for remote workers will no doubt continue to be a priority for IT teams, even post-pandemic, as some employees will continue to want the flexibility of working from home and organizations see continued benefits, including cost savings on office space, by not having everyone in a traditional office environment.
Digital transformation can lead to a more secure cloud infrastructure
While IT teams are likely to see some budget increases that will specifically support improving security for remote workers, there are many initiatives that can help improve overall cybersecurity posture for organizations that are already common steps in a digital transformation journey.
If you haven’t already, you should establish a cloud security strategy that’s part of a broader cloud infrastructure transition. This will indirectly go toward enhancing security for remote workers while allowing IT teams to worry less about on-premises systems that were unprepared for the sudden shift to remote work. While putting more applications and data in the cloud comes with its own cybersecurity challenges, cloud services can scale better than on-premises solutions and provide the necessary flexibility for supporting a remote workforce.
The transition to the cloud should also include embracing new tools to stay secure, recognizing that IT teams still have some responsibility for securing cloud applications and data, even as the service provider has a role in securing systems, too. IT teams need visibility into cloud infrastructure as well as their on-premises deployments in a single interface.
At the same time, IT teams should consider what experts are calling “zero-trust security strategies.” A zero-trust approach assumes all users and endpoints could present a threat to the organization, so they must be able to prove they are trusted if they are to gain access to the enterprise network, applications and data.
You can be small and secure
For smaller organizations, improving security for remote workers is just as essential but can be a challenge for their IT teams. A managed services provider with experience helping small and medium-sized businesses with their technology infrastructure can play a key role in accelerating their adoption of solutions that can support remote workers with robust security.
Sanjeev Spolia is CEO of Supra ITS
- October 15, 2020
- Category cybersecurity
The shift to remote work means cybersecurity awareness across your organization is more important than ever for maintaining ongoing business operations and regulatory compliance.
Even before the pandemic, most organizations had become rather porous in nature from a network security perspective thanks to the Bring Your Own Device (BYOD) movement, adoption of cloud computing, distributed locations, and an already increasingly mobile workforce. But while security technology has emerged to keep up with these trends, it’s not a silver bullet. Every employee needs a heightened level of cybersecurity awareness.
Remote work means that how an employee manages their device at their home office can have an impact on the organization’s entire network. Their cybersecurity awareness means understanding their workstation is an endpoint that must be configured properly to contribute to the overall security posture of the organization.
Training is critical to maximize cybersecurity awareness amongst your employees, especially remote workers. But it’s easy to lose their attention if training isn’t clear and engaging. If you’re doing regular phishing tests for your employees, try to have a sense of humour with the email content you’re creating as part of the test, for example, but also make sure employees understand the lesson without being made to feel stupid.
Cybersecurity awareness training should be done regularly as part of regular operations, and at least quarterly, rather than being a big annual event, because threats to the organization are ongoing as hackers automate their processes to optimize their chance of success. You should also involve the executive team in your training, so everyone understands that cybersecurity awareness is critical to the success of the business. You might have the CEO do a short video, which is easy to share with remote workers.
The training shouldn’t be solely the responsibility of the security team, either. Lines of business leaders should help to spearhead cybersecurity awareness, and it should be a part of your remote work strategy.
It’s important to remember that cybersecurity awareness isn’t only about protecting against threat actors, malware and ransomware, and malicious data theft. Employees need to understand that good security also helps the organization stay compliant with government privacy legislation and meet regulatory obligations that apply to their industry. Data breaches not only have the potential to cripple business operations and negatively affect customers, but also lead to financial and legal penalties that can profoundly affect the long-term health of the organization.
Most people have adapted to remote work for the past seven months, but because organizations are more distributed than ever, there’s a potential for cybersecurity awareness efforts to lapse, even as bad people around the world continue to take advantage of the new work-from-home reality. Those doing remote work as part of a connected organization must continue to be vigilant about security as part of their daily work habits.
Sanjeev Spolia is CEO of Supra ITS.
- September 29, 2020
- Category Security
Many people have hit the six-month mark of remote working, and while most of us are fully adapted, there also continue to be bad people around the world taking advantage of the new work-from-home reality.
For remote workers, it means continuing to be vigilant about security as part of their daily work habits, while organizations as a whole must do their part to protect themselves by employing cybersecurity best practices to thwart persistent threat actors.
If you’ve also experienced a security-related issue, don’t take it personally. You’re not alone. Even the World Health Organization (WHO) released a special statement warning against scammers purporting to be “official” communications. Having helped our customers for several months to facilitate remote work, we have seen an increase in security issues targeting end-users and organizations since the transition.
As always, we’re available for our customers and our support team is ready to assist with specific issues or help with proactive configurations to shore up your security and optimize the remote work experience for employees.
Personal device use precautions
Ideally, remote workers should be using a company-issued workstation, but if that isn’t possible, be sure they’re taking the following steps to secure their laptop or workstation:
- Ensure the PC is patched: Work through the Windows update process and install any patches, especially if it’s been more than a month since the last update was done.
- Install an anti-virus solution: Supra’s service desk can assist you in identifying and installing a software package that will meet your needs.
- Lock the PC when not in use: Ideally, the workstation should be turned off when not in use, but at least lock the screen and disconnect from any VPN sessions to the corporate network when not working. If the PC is shared with family members, configure a private user account protected by a username and password so that any work-sensitive materials will not be shared amongst the family.
If you must use a home computer, try to separate personal use from business use and limit access to personal emails, downloading content, social media and other avenues of malware that could spread while using a personal device for work purposes.
Good advice regardless of device
Whenever possible, you should use the workstation supplied to you by your office if you have one, because such workstations are typically configured with usernames and passwords, as well as business-class security protection tools such as anti-virus software. Supra customers will have installed agents to assist with technical support and security monitoring.
Remote access sessions, whether it’s through a VPN or a remote desktop tool, should only be active while you are using them. If you’re stepping away from your workspace for a bit or finished remote work for the day, disconnect those tools.
As always, be wary of unsolicited emails or attachments from anyone, even if it’s from a work colleague, business associate, customer, vendor or external contact. Verify the authenticity of the communication prior to clicking on any link or opening any attachment, as email remains a popular method of compromising systems.
And now for good news
Even though we’ve seen an increase in cyber threats, Supra hasn’t seen any targeted attack against our customers, or our company in general. Most attacks that do happen are opportunistic and take advantage of a trusting user accessing a site or clicking on an attachment that looks legitimate, which means following best practices can go a long way to ensuring security for your organization as remote work continues to be the norm.
If you would like to explore other ways Supra can increase overall corporate security or improve collaboration amongst remote workers, get in touch and we can speak to you about the various options available.
Justin Folkerts is Supra ITS’ Chief Technology Officer