Global pandemics have always been characterized by chaos – a factor that not only threatens human wellness, but also the flow of commerce and economics. This is especially true of the Coronavirus outbreak – case in point, global markets have been thrown into disarray, with stocks taking plunges, indexes’ circuit breakers being forcibly broken, and millions of dollars worth of equity and shareholder wealth vanishing overnight. Interest rates are being slashed by massive margins for the first time since 2008 to ease cash flow, and labor market conditions continue to deteriorate.
Naturally, this means trouble for businesses. Revenue drops across the board will mean that customer/prospect spending is severely impacted, putting additional pressure on organizations to keep their revenue flowing. Several (questionable) travel bans have been imposed – most recently, the one placed by the US on 26 EU countries – a cause for concern, since business victories often rely on well-timed meetings.
Of course, operations departments have to protect their human capital, too. Most firms are instructing their employees to adopt Work from Home/remote working policies to restrict transmission. As cyber security professionals, this is exactly what we’re concerned about (and you should be too, for reasons cited below!)
Remote Working DOES come with security risks
During these turbulent times, working from the security of their homes is a great way to ensure non-exposure of the workforce to potential contagions. From a human wellness perspective, this is the way to go. However, a keen cybersec professional would be inclined to point out the obvious risk here.
When Employee A works from a location other than his office, a potential need to access the organization’s servers from an external network is created. This is an immediately identifiable risk with subtle weak links in security that could open up the organization to infiltration. Potential points of entry include Employee A’s device(s), the communication channel used, and the organizational server which communicates with the external device. When one or more of these entry points have weak (or undoable) security setups, any malicious entity could abuse them to force their way into the network and conduct espionage or data theft at an unprecedented scale.
As a CIO/CISO, instructing your IT teams to fortify these weak links with powerful, foolproof security mechanisms would be your #1 priority. Ideally, a contingency strategy which accounts for emergencies such as this one, which requires handling high volumes of external access, should be implemented in line with the firm’s existing digital security architecture, as opposed to retrofitting it during a red-alert.
It’s time to take a stand against weak security mechanisms.
Whichever side of the field you’re on, it’s never too late to take a closer look at your infrastructure to ensure that your network is protected against security threats.
Here’s a short list of items you can go over with a fine-toothed comb to check (and double-check) on your security posture for remote working.
1. Protected Access:
The obvious first item on the list – a VPN helps ensure that remote workers can securely access organizational assets. Virtual Private Networks are relatively inexpensive measures that act as the first line of defence against potential attackers, while also acting as a conduit of entry into corporate networks from a registered external device.
2. Endpoint Authentication:
By ‘endpoints’, we mean the devices that communicate with each other – from a personal laptop, to an enterprise server. While ensuring that every asset is authenticated at all times is a given, the COVID-19 pandemic notwithstanding, CIOs have to pay special attention to this now. Why? This simple step can prevent a tonne of security weaknesses, which, in turn, could save you millions in fines, or lawsuits for exposure of data.
Speaking of network authentication, endpoints are usually authenticated with Digital Certificates – proofs of online identities and a virtual verification that the entity is who it says it is. You might have noticed that browsers often flag websites with expired certificates, preventing users from accessing them (because they’re deemed insecure and open to phishing/man-in-the-middle attacks). For devices, it’s no different. CIOs must have their IT teams ensure that every certificate they’ve ever issued is operational, and with organizations usually possessing an inventory of 100,000+ certificates on average, this is a task best left to automation.
3. Encryption of data in-transit:
Now that your network assets are (hopefully) secure, what about the channels they use to transmit that information? Lines of communications have to be secure, and cryptography is the only reliable way to do this.
Again, digital certificates are of the utmost importance here, but so are cryptographic keys. These ‘keys’ are commonly used to encrypt information by one party, and (if the receiving party owns the corresponding key) to decrypt the transmitted message. While this is an oversimplified analogy, everything on the internet relies on this technique to provide security for consumers.
While we’re certain that your organization has encryption mechanisms in place, you might want to go over the way they’re managed. Why? Because aside from malicious attackers, the biggest enemy to your encryption goals might be mismanagement. Keys that are left lying around (read: stored in unprotected documents) can be swiped (read: misappropriated) and used to wreak havoc on security internals. As a CIO, it’s in your best interest to instruct your SecOps teams to follow industry best practices for private key storage, transmission, and use. Software exists that can manage keys for you, which we’ll speak about in a bit.
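An added example, not part of the original article and not AppViewX code: a small Python scan for the "keys left lying around" problem described above. It walks a directory tree, finds PEM private-key blocks, and reports whether each one is passphrase-protected and whether its file is readable by group or others. The function names are hypothetical, and the sample tree and key bodies are constructed placeholders.

```python
import os
import re
import tempfile

# PEM armour of private keys: PKCS#1/SEC1/DSA, PKCS#8, encrypted PKCS#8, OpenSSH.
PEM_KEY = re.compile(r"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
                     r"(.*?)-----END \1-----", re.S)

def classify_keys(text):
    """Return 'encrypted', 'plaintext' or 'unknown' for each private-key block."""
    results = []
    for label, body in PEM_KEY.findall(text):
        if label.startswith("OPENSSH"):
            results.append("unknown")    # passphrase use is hidden inside the body
        elif label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body:
            results.append("encrypted")  # PKCS#8 or legacy OpenSSL PEM encryption
        else:
            results.append("plaintext")
    return results

def scan_tree(root):
    """Walk root; return sorted (relative path, key state, group/other-readable)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="ignore") as fh:
                    states = classify_keys(fh.read(1_000_000))  # keys are small
                loose = bool(os.stat(path).st_mode & 0o044)     # g+r or o+r set
            except OSError:
                continue                                        # unreadable: skip
            findings += [(os.path.relpath(path, root), s, loose) for s in states]
    return sorted(findings)

def demo():
    """Constructed sample tree; the key bodies are placeholders, not real keys."""
    pem = "-----BEGIN {0}-----\nQ09OU1RSVUNURUQ=\n-----END {0}-----\n"
    samples = {"notes.txt": (pem.format("RSA PRIVATE KEY"), 0o644),
               "vpn.key": (pem.format("ENCRYPTED PRIVATE KEY"), 0o600)}
    with tempfile.TemporaryDirectory() as root:
        for name, (text, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```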
Bottom Line (TL;DR)
If you intend to follow through on the above recommendations, what you need is a fast, effective way to do so. Once you’re certain of your corporate VPN’s strength, move on to running checks on your public key infrastructure (PKI), encryption certificates, and keys. You need to scan the entire environment, locate weak/expired certificates, and insecure keys, and instruct the concerned teams to remedy them. Manually, this could take months to complete – you’re better off using a tool to automate the whole thing: from locating weak links, to quickly fixing them.
Give AppViewX a try – it’s a compact certificate management tool which also integrates key management into its functionality. By automatically identifying and fixing security loopholes within your org, it’s not only a great investment for the business slump, it’s also a wise long-term security investment.
We stand by all businesses during this trying time, and hope we come out of this stronger!