The CISO’s guide to preparing a Covid-19 exit strategy
Tue 28 Apr 2020 | Yotam Gutman
While governments and public healthcare specialists are looking into the timing and manner of reopening the economy, it is clear that at some point in the hopefully not-too-distant future restrictions will be eased and businesses will return to normal operations.
Returning to recently-vacated offices will certainly signify a return to normality, and for most, that will be a welcome relief after working from home for an extended period. However, just as the shift to working from home required organisations to adapt and act differently, so will the return to the office. In this post, we discuss the preparation CISOs should consider making to offset a number of security implications that arise from returning your workforce from home and back to the office.
Making sure returning devices are safe to use
When returning to the office, employees will haul back all the IT equipment they have used at home. Some of this is trivial office equipment like screens, docking stations and cables, but computing devices can be a security blindspot.
Rogue Devices: While unknown connected devices pose a security risk at all times, the return to the office represents an even bigger risk. People could have used all sorts of devices during their time at home, for leisure and convenience. While there, such devices may not pose a serious security risk, but if they are introduced to the corporate network, they could become one.
Do run a scan on your network to identify new, unknown devices.
Home laptops: Some employees working from home may have had to use their own laptops, either because in the rush to vacate offices the IT department might not have had sufficient inventory or just through personal preference. In such cases, they are likely to bring these laptops with them when they return to the office, plug them into the corporate network and continue to work as they had been doing at home. These devices could potentially be infected with malware if they have not been running updated, corporate-grade EDR solutions.
Do forbid work on personal laptops in the corporate environment whenever possible.
Employees should transfer their work to their company-issued laptop and take their personal laptop back home.
Do install NAC for employees who now find they must work with their own device, and ensure they use company-issued EDR.
USBs and NAS: Another practice employees may have adopted while working from home is the use of USB thumb drives and network storage devices. Personal storage devices should be prohibited in the corporate environment and not allowed to connect to company computers and networks.
Do enforce device control to block unauthorised USB and other peripheral devices.
Inventory: As many employees took equipment home, it is necessary to register and keep an up-to-date inventory of this equipment and its whereabouts. In the first instance, this makes sense to avoid wasting resources: ensure employees return cables and screens that they have borrowed from the workplace. It is possible that some staff took an extra laptop home and that the device is now stranded somewhere, perhaps even connected to the home network and exposed to the world.
Do keep an up-to-date inventory. It will also help in the event employees have to move back to working from home in the future.
Keeping insecure software off your network
Even if the devices used at home were company-issued, they can still be a threat if they are not installed with updated software and security systems.
Updated OS and software: Unpatched and outdated Operating Systems can facilitate data breaches. Some employees may have ignored the update prompt or rescheduled these indefinitely. In addition, some computers and servers left on-premise may have been shut down throughout this period. After restarting these, it is important to install all available software patches and updates.
Do make sure that all software is patched on all devices returning to the office as soon as practically possible.
Updated and active EDR: An updated EDR solution was vital to securing the laptop at home, and it is of course crucial in securing all devices in the work environment. It’s not unheard of for some employees to disable security software in order to perform certain actions on their devices.
Do ensure that all your endpoints have an active and up to date EDR Solution.
Unregistered software: It is possible that some employees have installed software for their own use, perhaps because they were unable to use company resources or simply because it was more convenient than asking for the approval of the IT department.
Do make sure your EDR solution can inventory software and can report on application risk levels.
Software license inventory: Working from home may have required certain software licenses that are no longer needed when working at the office. For instance, at SentinelOne we licensed Zoom Pro for all employees as part of the great transition to remote work. For any software that employees no longer need access to, it’s sensible to cancel these licenses to reduce costs. The same logic applies to cloud resource usage, which may have skyrocketed while people were working from home but which now may no longer be necessary.
Do revoke unnecessary software licenses and transition staff back to using resources provided on-site.
Preparing processes and procedures
In addition to inspecting devices and ensuring proper software is installed, certain processes and procedures must be implemented in order to facilitate security.
Password reset: It is possible that employees have shared their laptops and credentials with their family or friends. They may have re-used passwords on new services or devices at home, or lapsed into other insecure habits. It is advisable to reset credentials and ensure 2FA/ MFA for all company devices and software.
Do ensure that all your employees are aware of company password policy and enforce compliance.
New employees: Some companies have recruited new employees during the Covid-19 outbreak and have onboarded them remotely. Moving into the office will be a new experience for these new hires and they may need an early refresher on training that was not applicable while they were working from home.
Do ensure new hires are up to speed on additional company security policies that are pertinent to working in the office.
Maintain readiness for WFH: At some point in the future, it could be necessary to transition to work from home again, and there’s always the real possibility in the near-to-mid term future that individual employees could contract the virus and need to self-isolate again.
Therefore, it is prudent to use the lessons learned from the mass transition to work from home in early 2020 and be better prepared to do it again, whether on a small scale or throughout the company. This includes having an up-to-date inventory of all IT equipment, having all company laptops installed with a modern EDR and ensuring that employees have access to company assets via VPN protected by 2fA.
Do formalise the lessons learned from this unprecedented crisis so that they can be used to help your business manage future crises with less pain.
Returning to the office environment might come sooner or later, but come it surely will. In order to reduce the risk and facilitate a quick return to normal operations, CISOs should consider the possibility that employees may bring threats with them when they shift back to the office desk.
Unlike the rushed, unexpected manner in which many organisations sent their employees home with little opportunity for planning or preparation, the return to the office is something that can be planned for in a more organized and orderly fashion. Prepare now to ensure the necessary processes and tools are in place before this happens.