Remote Working: Technical, Procedural, and Physical Security Controls
Over the next few years, it’s predicted that around half the UK workforce will be working remotely, either fully or in a reduced capacity. These types of working arrangements can have significant benefits to an organisation, including reduced office costs, increased staff retention, and a wider talent pool.
On the other side of the coin, there are numerous cyber security implications that come with allowing employees to take their work devices outside of the office. In this article, we have grouped our guidance around these implications into three categories: Technical controls, Physical controls, and Procedural controls.
Technical controls are those which use technology to control access to, and the usage of, data. This category covers a host of different aspects, many of which are covered in the NCSC guidance section on End User Device Security. If you are unfamiliar with any of the topics below, then we recommend referring to this guidance, or getting in touch with us for clarification. Technical solutions can include:
– Using Virtual Private Networks (VPNs) to encrypt data in transit. If using VPNs, enable Two-Factor Authentication (2FA), and consider adding a security policy to lock an account after a number of failed login attempts. Restricting access to connections from specific IP addresses is also an option.
– Encrypting data at rest to prevent lost or stolen devices leaking sensitive data (e.g. using BitLocker for Windows, or FileVault for Mac)
– Ensuring that remote devices are updated and patched regularly
– Logging data from remote devices (in the case study above, logs to monitor outbound traffic could have helped to determine whether any data was exfiltrated)
– Installing Anti-virus / anti-malware solutions, and keeping them updated
– Implementing Mobile Device Management software (if operating a Bring Your Own Device policy, these solutions can help secure, manage and support personally owned devices)
– Application Control (whitelisting trusted applications, and reducing the number of applications to reduce the number of vulnerabilities)
[Note on 2FA/U2F: an emerging 2FA standard is Universal 2nd Factor (U2F). As certain 2FA methods are not considered secure (SMS-based 2FA), it is worth looking ahead and becoming familiar with solutions such as U2F that use hardware keys.]
Technical controls are all well and good, but if they aren’t supported by users and enforced by senior leadership, then their effectiveness against cyber threats is drastically reduced. This is why procedural controls are vital.
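The logging point above is easiest to see with a worked example. The following script is an added illustration, not code from the original article or from the Regional Cyber Crime Unit: it parses a constructed outbound-traffic log in an assumed format (timestamp, device, destination IP:port, bytes sent), totals bytes per device and destination, and flags any pairing that exceeds a volume threshold or reaches a destination outside an assumed allow-list. The hostnames, addresses, threshold and allow-list are all constructed for the example.

```python
"""Flag possible data exfiltration from remote-device outbound traffic logs.

Added illustration (not from the original article). Log format, hosts,
addresses, threshold and allow-list are all assumed/constructed.
Each log line: <timestamp> <device> <dst_ip>:<dst_port> <bytes_out>
"""
from collections import defaultdict

# Constructed sample log lines (hypothetical devices and destinations).
SAMPLE_LOG = """\
2024-03-01T09:00:12Z laptop-07 10.20.0.5:443 18234
2024-03-01T09:01:40Z laptop-07 10.20.0.5:443 20511
2024-03-01T09:05:03Z laptop-12 203.0.113.44:22 734003200
2024-03-01T09:06:10Z laptop-12 10.20.0.5:443 1210
2024-03-01T09:07:00Z laptop-07 192.0.2.10:443 5120
2024-03-01T21:14:55Z laptop-03 198.51.100.9:443 98304000
"""

# Destinations the organisation expects remote devices to reach (assumed).
KNOWN_DESTINATIONS = {"10.20.0.5"}

# Bytes one device may send to one destination per log window (assumed policy).
BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB


def parse_line(line):
    """Return (timestamp, device, dst_ip, dst_port, bytes_out), or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, device, dst, size = parts
    if ":" not in dst:
        return None
    ip, port = dst.rsplit(":", 1)
    try:
        return ts, device, ip, int(port), int(size)
    except ValueError:
        return None


def summarise(log_text):
    """Aggregate bytes_out per (device, dst_ip) pair."""
    totals = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than abort the review
        _, device, ip, _, size = rec
        totals[(device, ip)] += size
    return dict(totals)


def find_suspicious(log_text, threshold=BYTES_THRESHOLD, known=KNOWN_DESTINATIONS):
    """Return findings as (device, dst_ip, bytes_out, reason), sorted by device then IP."""
    findings = []
    for (device, ip), total in sorted(summarise(log_text).items()):
        reasons = []
        if total > threshold:
            reasons.append("volume above threshold")
        if ip not in known:
            reasons.append("unknown destination")
        if reasons:
            findings.append((device, ip, total, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for device, ip, total, reason in find_suspicious(SAMPLE_LOG):
        print(f"{device} -> {ip}: {total} bytes ({reason})")
```

Run against a real export the same two questions apply: which devices sent unusually large volumes, and to where. A finding is a prompt to investigate, not proof of exfiltration; a large transfer to an approved backup service is expected, which is why the allow-list is kept separate from the volume check.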
Controls that fall in this category clearly define how employees should act and what their responsibilities are. This naturally leads to incident prevention, but also significantly speeds up incident response and management. Procedural controls should include:
– Password/Passphrase policies (e.g. stipulating minimum length/special characters, using unique passwords for separate accounts, changing them at regular intervals)
– User Training and Awareness (new starters who will be remote working should receive training on good practice)
– Backups (e.g. an organisation ideally should have daily/weekly backups with a spread of internal/external/cloud storage)
– Auditing (keeping an audit of all devices, user logins, and update cycles) will help you to understand vulnerabilities, and aid investigations after an attack. In the case study above, one of the virtual machines found running was Microsoft Windows XP, which did not appear to have been in use; that OS no longer receives security updates from Microsoft, and a machine like this connected to the Internet poses a risk.
– Hiring and Firing Policies (e.g. vetting, disabling user accounts before or on the day an employee leaves, and changing any login credentials associated with that employee)
– Communication (e.g. how are user credentials communicated to employees? Are they sent over the phone or via email?)
– Bring Your Own Device (BYOD) policies – does your organisation allow employees to use their own device? Are the legal issues around this understood? Are all files accessible by BYOD users or just certain ones? Are these devices included in your audit? There are many elements which need to be clarified by a BYOD policy.
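The auditing and leaver points above can be combined into one routine check. The following script is an added illustration, not code from the original article: it runs over a constructed device inventory and reports hosts running an operating system the organisation treats as end-of-life (Windows XP, as in the case study), hosts not patched within an assumed 30-day window, and hosts still assigned to people on a constructed leavers list. The inventory fields, dates, hostnames and account names are all assumptions made for the example.

```python
"""Audit a device inventory for remote-working risks.

Added illustration (not from the original article). The inventory format,
patch window, leavers list and all names/dates are assumed/constructed.
"""
from datetime import date, timedelta

# Operating systems treated as end-of-life (assumed list).
END_OF_LIFE_OS = {"Windows XP"}

PATCH_WINDOW_DAYS = 30  # assumed policy: every device patched within 30 days

# Date the audit is run (fixed so the example is reproducible).
AUDIT_DATE = date(2024, 3, 1)

# Constructed inventory records.
INVENTORY = [
    {"host": "laptop-03", "owner": "asmith", "os": "Windows 11",
     "last_patch": date(2024, 2, 20), "byod": False},
    {"host": "vm-legacy-01", "owner": "jdoe", "os": "Windows XP",
     "last_patch": date(2014, 4, 8), "byod": False},
    {"host": "laptop-12", "owner": "jdoe", "os": "macOS 14",
     "last_patch": date(2023, 11, 2), "byod": True},
    {"host": "laptop-07", "owner": "mkhan", "os": "Windows 11",
     "last_patch": date(2024, 2, 28), "byod": False},
]

# Constructed list of accounts belonging to people who have left.
LEAVERS = {"jdoe"}


def audit(inventory, leavers, today=AUDIT_DATE,
          patch_window_days=PATCH_WINDOW_DAYS, eol_os=END_OF_LIFE_OS):
    """Return {host: [finding, ...]} for every host with at least one finding."""
    cutoff = today - timedelta(days=patch_window_days)
    report = {}
    for dev in inventory:
        findings = []
        if dev["os"] in eol_os:
            findings.append(f"unsupported OS ({dev['os']})")
        if dev["last_patch"] < cutoff:
            findings.append(f"not patched since {dev['last_patch'].isoformat()}")
        if dev["owner"] in leavers:
            findings.append(f"owner {dev['owner']} has left; disable account and recover device")
        if findings:
            report[dev["host"]] = findings
    return report


if __name__ == "__main__":
    for host, items in audit(INVENTORY, LEAVERS).items():
        print(host)
        for item in items:
            print("  -", item)
```

The BYOD flag is carried in each record so the same audit covers personally owned devices, which answers the "are these devices included in your audit?" question in the BYOD bullet above. An unused virtual machine only shows up in a report like this if it was recorded in the inventory in the first place, which is the point of keeping the audit complete.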
Similar to Procedural controls, Physical controls are often overlooked and undervalued in their effectiveness and necessity. We often point to webcam covers as a great example of a simple solution to a complex attack. It is important to ensure that employees are aware of physical controls, such as:
– Physically securing devices (does your company lock away devices when not in use? Does this include company-supplied USB drives? Are users storing credentials with their remote devices?)
– Screen lock / timeout (this is a simple way of making devices harder to access)
– Shoulder surfing / line of sight rule (always check your surroundings when working in public areas, as attackers could be surveilling potential targets)
The South West Regional Cyber Crime Unit is comprised of dedicated individuals who investigate serious cybercrime, offer advice and guidance to small businesses, and work with a range of partners to prevent people from engaging in cybercrime. For more articles and case studies like this, sign up to our Regional Cyber Briefing/ Cyber Intelligence Report, and follow us on LinkedIn and on Twitter (@swrccu).
We also have a node on the Cyber Security Information Sharing Partnership (CiSP), and we strongly encourage organisations to sign up for real time cyber threat information in a secure, confidential and dynamic environment https://www.ncsc.gov.uk/cisp.