- May 31, 2021
- Category Security
After more than a year of focusing on securing remote workers, it’s time to prepare your office for a hybrid workforce and reinforce your wireless security.
The threats to your on-site wireless security haven’t gone away, and having workers who are in and out of your office post-pandemic means the network security landscape is just as dynamic as ever. The hybrid workforce is a stark reminder that there is no network perimeter, and you must constantly review your network security checklist: Bring Your Own Device (BYOD), the Internet of Things (IoT), and ubiquitous connectivity remain important considerations.
Secure your office for a hybrid workforce
As people come back to the office, the best practices for wireless security are more important than ever, especially as many employees may no longer have a permanent office or workspace as hot desking becomes more prevalent. In addition to guests, you’ll have employees connecting to your office network on-site in an inconsistent manner with devices that also connect to a variety of other networks, whether it’s the employee’s home network or a wi-fi hotspot as it becomes possible to work from coffee shops again.
Now is a great time to review your management policy for all IT endpoints and provide refresher courses on wireless security for your staff. For some organizations, a hybrid workforce was already familiar before the pandemic, but for others it will be just as jarring as going fully remote. Given that you’re about to experience another paradigm shift, it can’t hurt to bring in an outside partner to evaluate your current wireless security posture.
What’s in a name
A good place to start is to review your inventory of wireless routers and access points.
No matter how many you have or where they are located, you should review their service set identifiers (SSIDs) to make sure they are suitably named so that authorized users can find them, but not so easy for unwanted guests to connect to because the names are obvious or remain the factory default. Your network naming should be just as well thought out as password selection: avoid creating a name that’s likely to help a hacker guess the network password. Rotating passwords and SSIDs can also make it harder for devices and networks to be breached, and the more unique they are, the better.
With a hybrid workforce, you may want to segment your network so that transient employees have dedicated wireless access points to connect to that are separate from employees who are back on-site full time. Either way, you should hide your SSID so only users who know the actual wireless network name can search it out.
Apply access controls
Even before the advent of the hybrid workforce, there was never a need for every employee to access the same network resources or devices. Just as you segment wireless router access, consider giving specific users access to specific devices such as network printers depending on whether they’re occasionally on-site or in the office every day.
No one needs to be connected to every device in the organization, so segmenting access will limit the impact of a breach should one endpoint be compromised. At the end of the day, not all employees are equal, and that includes post-pandemic visitors who need wireless access for their mobile devices. Adopting a Zero Trust model for wireless security can go a long way because it’s based on the mindset that organizations shouldn’t automatically trust anything inside or outside their perimeter: every connection must be verified, whether it’s an endpoint, a switch or an IP address, if the organization is to prevent breaches.
Secure and scan everything
Wireless security demands that all access points be encrypted, and yet surprisingly, many wireless networks are left wide open, making them easy avenues for threat actors to gather sensitive information or a gateway to more secure systems.
No matter how stringent your wireless security, it’s often just a matter of time before someone or something gets past the firewall because today’s cyber threats are so persistent. The trick is to balance security with productivity: you don’t want it to be a barrier to getting things done, otherwise employees will find shortcuts around it whether they’re working at home or in the office.
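The SSID review, passphrase rotation and encryption checks described above, as an added audit script over a constructed access-point inventory; this is example code written for this page, not code from the post or from Supra ITS, and the vendor-default name list, the assumed organization name "acme" and the 180-day passphrase-age threshold are assumptions you would replace with your own.

```python
# Audit a wireless access-point inventory for the wireless-security checks
# the post recommends. Example code, not from the original post.

# Assumption: substrings that indicate a factory-default SSID was never changed.
DEFAULT_SSID_MARKERS = ("netgear", "linksys", "tp-link", "dlink", "default")
# Assumption: words that make an SSID "obvious" (the organization's own name).
OBVIOUS_SSID_MARKERS = ("acme",)
# Assumption: passphrases older than this should have been rotated.
MAX_PSK_AGE_DAYS = 180
WEAK_OR_NO_ENCRYPTION = ("OPEN", "WEP")

# Constructed inventory for the example (not real devices).
INVENTORY = [
    {"ap": "ap-lobby-1", "ssid": "NETGEAR42", "hidden": False,
     "security": "WPA2", "psk_age_days": 400},
    {"ap": "ap-floor2-3", "ssid": "acme-guest", "hidden": False,
     "security": "OPEN", "psk_age_days": 0},
    {"ap": "ap-floor3-1", "ssid": "bluefin-7", "hidden": True,
     "security": "WPA3", "psk_age_days": 30},
]


def audit_ap(ap):
    """Return the list of findings for one access point (empty if compliant)."""
    findings = []
    ssid = ap["ssid"].lower()
    if any(marker in ssid for marker in DEFAULT_SSID_MARKERS):
        findings.append("default-ssid")          # factory name never changed
    if any(marker in ssid for marker in OBVIOUS_SSID_MARKERS):
        findings.append("obvious-ssid")          # name advertises the owner
    if not ap["hidden"]:
        findings.append("ssid-broadcast")        # post recommends hiding it
    if ap["security"].upper() in WEAK_OR_NO_ENCRYPTION:
        findings.append("weak-or-no-encryption")  # open/WEP network
    if ap["psk_age_days"] > MAX_PSK_AGE_DAYS:
        findings.append("stale-passphrase")      # rotation overdue
    return findings


def audit_inventory(inventory):
    """Map each access-point name to its findings."""
    return {ap["ap"]: audit_ap(ap) for ap in inventory}


def noncompliant(inventory):
    """Sorted names of access points with at least one finding."""
    return sorted(name for name, f in audit_inventory(inventory).items() if f)


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```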
If you’re feeling rusty about in-office wireless security and would like a refresher to prepare your organization for the hybrid workforce, seek out the help of a managed security services provider.
- November 26, 2020
- Category Security
With security threats to organizations only increasing and privacy legislation continuing to evolve, penetration testing remains a critical tool for protecting sensitive data.
And as endpoints multiply thanks to an increase in remote work, there’s no airtight network perimeter, which makes it all the more difficult for organizations to safeguard sensitive data. For it to be effective, penetration testing must be done properly, and it’s more than evaluating network security. It must be viewed holistically as part of your broader information security program.
Most of all, penetration testing should be more than a box that gets ticked once or twice a year to meet compliance obligations, and it should tap the outside expertise of a partner that can put your people, processes and technology through their paces.
Endpoints raise risk
With an exceptionally high number of employees working remotely, the threats posed by endpoints to sensitive data must not be underestimated, whether they are smartphones, laptops or IoT devices, many of which reside outside the main firewall. One of the most common mistakes is assuming that spending a lot of money on software and hardware will automatically protect sensitive data, but you must also account for human behavior.
Having newer hardware with the latest operating system can mitigate risk, but even the latest and greatest fleet of workstations will bring with it its own built-in vulnerabilities. These must be identified and managed based on how the workstations are deployed and the cybersecurity awareness of the end user. This is especially true as more employees work from home: there are many ways to access data and applications that don’t involve hacking a network. All it takes is one poorly configured web portal to open access to a domain to threat actors so they can take complete control of the infrastructure.
These same threat actors take advantage of human behavior as users fall for convincing phishing emails. They also exploit vulnerabilities in software and hardware that are often the result of a convenient feature by using botnets to scan for them even as most organizations are oblivious that they’re even at risk.
And if you think you’re not worth hacking because you’re a small organization, think again. Hackers see you as easy targets because they know you’re less likely to have the security technology, resources and best practices that larger organizations may have. The good news is that as a smaller organization you’re more nimble and agile so you can adapt and more quickly benefit from penetration testing.
Testing should be proactive
Not all penetration tests are equal, and ideally, they should be done before a breach, not after you’ve lost sensitive data.
Instead, you should identify milestones that would necessitate a test of your network security. A trigger might be a workstation refresh or a major operating system update, as these can often be configured in a way that unwittingly opens a door that threat actors can walk through. And while compliance obligations should inspire penetration testing, it should happen more often than an annual exercise to please regulatory bodies.
Because effective penetration testing takes a great deal of skill and expertise and can take time away from regular IT operations, tapping the expertise of an experienced service provider who can poke holes in your security and will find vulnerabilities goes a long way to protecting sensitive data. They’re up to speed on the misconfigurations and evolving threats that might let someone sneak in, as well as the common mistakes made when configuring enterprise networks and remote worker access.
If you want to truly protect sensitive data, take the results of any penetration testing seriously, even if they might reflect badly on your efforts today. You’ll be better off in the long run. Protecting sensitive data is an exercise in continuous learning that mitigates risk, and frequent penetration testing contributes to competitive advantage as it enables you to build trust and credibility with your customers while maintaining compliance.
Sanjeev Spolia is CEO of Supra ITS