Not too long ago, Working from Home was considered a luxury or a privilege for those that got to enjoy it. Of those that were able to enjoy the privilege of working from home, it was typically a once or twice a week benefit. And while it feels like an eternity, this was the world we lived (worked) in only a few short months ago.
COVID-19 has resulted in our governments suggesting that if we can work from home we should, or in some instances, must. This rapid scramble to have staff working from home was necessary to keep people and communities safe; however, it has also presented a playground for nefarious hackers to exploit us from our home working environment, which is typically far less secure than the traditional corporate office.
Legacy management systems and processes typically don’t cater for managing and securing devices that are not on the corporate network, or don’t regularly “return” to the corporate environment. And while the acceleration of cloud adoption does present numerous innovation opportunities to accelerate your organisation’s pace and agility, if not managed correctly, it can also turn your security posture into veritable Swiss cheese, ripe for the picking for the unscrupulous.
Therefore, if you’ve embraced Working from Home out of necessity to keep your business afloat and your people safe, it’s important to ensure you haven’t left the windows open at the same time.
Here are 7 security recommendations to consider while working from home.
Evaluate your risk exposure
Microsoft have a great little tool called the Microsoft Attack Simulator. This can simulate an attack on your environment and highlight the potential risk. Furthermore, explore the “risky sign-ins” within your environment.
According to theregister.co.uk, 0.5% of Azure Active Directory accounts used by Office 365 are compromised every month. While that percentage might sound small, that’s approximately 1.2 million accounts each and every month! The good news is that this is easily addressed. According to RSA, by activating Multi-Factor Authentication, 99.9% of attacks can be prevented.
Deploy the latest patches and updates when accessing your corporate data
Through the course of setting people up to work from home, there is a significant likelihood that you’ve created a blind spot in your security posture. If your staff are using their personal computers, how do you know those machines haven’t been compromised? If they’re using corporate devices, are those configured to rely upon an “Update Server” for patching and updates? If they’re not on the corporate network you may find they very quickly degrade from an acceptable corporate level of protection and patching, to an untrusted, insecure device.
With COVID-19 and its impacts on how we work here for the foreseeable future, it’s important that you take control of the devices within your organisation using a solution such as Microsoft Endpoint Manager. Additionally, if you have Mobile Devices or Apple Mac devices accessing corporate data, consider using Mobile Application Management to ensure your data is secure.
Passwords have become one of the least secure methods of protecting corporate data. Why? People typically use the same password, or a minor variation, for every account they access. Whether they’re accessing Facebook, Twitter, Gmail, their bank account or your corporate environment, chances are they’re using the same password across all services.
Super complex passwords are also not the answer, as they generate high volumes of service desk tickets and user frustration and, worse, encourage the individual to write the password down on a Post-It note.
If your staff are using Windows devices, start using Windows Hello for Business or Passwordless Authentication. Additionally, look to empower your people with the ability to unlock their own account using Self Service Password Management.
“We must build trust directly into our technology. We must infuse technology with protections for privacy, transparency, and security”
– Satya Nadella –
Microsoft has invested heavily in their Advanced Threat Protection capabilities providing extensive insights into the risks that threaten your environment. This includes visibility over elements such as “risk users”, “risk sign-ins” and “risk detection”. By integrating your solution with Microsoft Defender ATP and Cloud App Security, these risk factors and more can be visualised centrally within the Microsoft cloud.
Antivirus and Advanced Threat Detection and Response
Years ago, it was considered enough to have antivirus deployed within your environment. However, as threats have become more sophisticated, so too have the measures necessary to protect your environment.
As a foundational step, ensure antivirus is deployed to all workstations accessing your corporate environment. Microsoft have significantly improved their Microsoft Defender ATP product over the years and it is a key element of the Microsoft security strategy. Enabling Endpoint Detection and Response will provide you with the benefit of being able to leverage Microsoft’s investment in Machine Learning which performs the majority of the investigation and response in an automated manner. This provides greater accuracy, faster responsiveness and less susceptibility to human error in analysing security threats.
Secure Mobile Devices
Mobile devices are often overlooked when it comes to securing how they access corporate data. With Mobile Application Management you can protect your corporate data even on personally owned devices or devices that are otherwise not owned by your company (such as those of 3rd party contractors). The great thing about mobile devices is that they already have user-friendly security capabilities as part of their operating system. Therefore, leverage FaceID, fingerprint, or at worst, PIN code in-app protection to protect your corporate data. One thing to bear in mind is that Microsoft Endpoint Manager is very capable of protecting Microsoft based data; however, if you’re using non-Microsoft products for storing sensitive data (e.g. Salesforce), it would be worth exploring whether Microsoft Endpoint Manager is suitable, or whether a more feature rich mobile endpoint manager, such as VMware Workspace One or MobileIron, would be more suitable.
Protect your Information
Your corporate information is your gold. Whether it’s internal Intellectual Property that provides competitive advantage, or customer sensitive information that could spell disaster if it were leaked, protecting your information is paramount. Ensuring that you have adequate information protection policies in place will enable you to mitigate many of the risks around data leakage.
Prioritising security initiatives can be difficult. There’s a common saying that you can’t manage what you can’t measure. Therefore, when it comes to prioritising activity, I recommend performing a Secure Score assessment first and using that to guide your path forward. Additionally, if you don’t have MFA implemented, this is an excellent place to start: there’s no point in securing your data using information protection when a hacker who can access your identity will have free access to your corporate data.
Author: Jason Ferguson – 30th July 2020