This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel.
The COVID-19 pandemic has changed the conversation around remote work.
Today, the challenge is less about gaining flexibility and a competitive edge. Rather, the conversation has moved to social isolation, self-imposed and forced quarantines and sobering questions about business continuity. This is a real challenge in the face of a viral outbreak that is predicted to affect our communities on a level not seen in decades.
If there’s an upside to this unsettling period, it’s that the same cloud that irrevocably changed the way companies do business in recent years will now help them navigate through this pandemic. By enabling remote work in response to this crisis, companies will emerge nimbler, more technologically sound and more productive.
As more employees — or all employees in most organizations — work remotely, companies must employ security best practices to ensure that the extended reliance on the cloud doesn’t expose sensitive data or cripple daily operations.
Following is a practical checklist of systems, technologies and processes to consider when evolving your organization for remote work and selecting your cloud technology provider.
Securing your remote workforce
There are many remote work strategies and controls companies can implement in order to significantly reduce the likelihood of a data breach, limit exposure of sensitive information and maintain security in a virtual office scenario.
All businesses relying on a remote workforce should be implementing the following security measures in order to ensure the safest possible environment.
- Password requirements. Passwords are the first line of defense against unauthorized access to your systems and information. You should have strict requirements for employee passwords that ensure length, complexity and randomness. Changing passwords at frequent intervals and using a password manager are also recommended.
- Multifactor authentication policy. Multifactor authentication is one of the best ways to prevent unauthorized access to email accounts and systems. A multifactor authentication policy requires a user to have two pieces of information to gain access, not simply a password. This prevents attackers from gaining entry even if user passwords or credentials have been compromised.
- Role-based access control. Role-based access control is a neutral access policy that restricts every user’s access rights on the basis of the role played within the organization, with specific access granted to specific roles. Also known as a zero trust model, this approach restructures access within your firm’s systems based on a “never trust, always verify” philosophy targeted specifically at preventing improper access.
- Strong encryption at rest and in transit. Strong encryption is crucial to protecting your data from outside eyes, and you need to be sure that your data is secure at all times, regardless of where it is or how it’s being used. Strong encryption must be in place when data is at rest, or simply residing in your system, as well as when it’s in transit, or moving from one location to another. Equally important, you must know who has access to the encryption keys at all times.
- BYOD or company-supplied hardware. Many employees use their own devices to access firm data and track and manage time and communications, but the better practice is for the firm to supply hardware that is consistent, secure and managed as part of a best practices IT strategy. That way, remote workers will not require huge IT overhead to support their hardware or activity.
- Meeting recording and transcriptions. Virtual meetings offer convenience, but audio/video challenges and file-sharing can sometimes be complicated. We suggest an organization standardize on a widely used virtual meeting system with a robust mobile app. There are many inexpensive, accurate and fast services. Record the meetings and then store transcripts of what was discussed, thereby creating and preserving an official record and minutes of the meeting.
- Proactive security monitoring with AI behavior-based protection. Proactive security monitoring is crucial to detecting threats before they wreak havoc on your systems. Behavior-based security measures that incorporate advanced AI and machine learning are designed to proactively monitor all activities in order to identify anomalies and deviations from normal patterns. This monitoring then offers a protective response as soon as a threat is detected.
- Auditing, training and planning. Aside from the specific tools and measures outlined above, dedicate firm resources to the prevention of cybersecurity threats on all fronts. This includes performing regular cybersecurity audits of your own networks and systems, requiring employees to undergo regular training in security best practices and revising your overall incident response plan as the cybersecurity threat continues to evolve.
Business continuity and disaster recovery
The novel coronavirus is spreading quickly despite the best efforts of government, health care, private business and public organizations. That’s why it’s important for all organizations to include pandemic planning and remote work protocols in place that ensure the continuity of business and to allow organizations to adopt a WFH (work from home) model in the event of an infection or quarantine.
The following measures are key for business continuity and disaster recovery.
- Knowledge is power when it comes to bouncing back from a crisis. It’s crucial that the firm be transparent about the current health risks and emphasize every measure taken to protect employee health and job satisfaction.
- Communications to clients. Share the steps and technologies that the firm is using with your clients, so they understand your preparedness and the attorney/client trust relationship is protected.
- Data segmentation. Employing data segmentation practices in advance will help with continuity and recovery. Using a private cloud isolates your data from the data of other companies because you’re not sharing infrastructure when you are in a public multi-tenant cloud. Data mirroring, or the practice of maintaining exact, real-time copies of data in another location, eliminates single points of failure and ensures that you still have access to your data if one server is compromised.
- 999% uptime. Remote access depends on your systems being as available as possible. Some cloud service providers promise 99.9% uptime, which may sound great, but in reality, that translates to your systems being unavailable for hours at a time a few days each year. You want your providers to offer 99.999% uptime, often noted as “five nines,” which means you’ll have less than 10 minutes of total downtime in any given year.
- Round-the-clock support. A seamless remote work environment will require access to technical support for all of the systems, applications and products you use. Because you can never predict when a breach or disruption might happen, it’s critical that providers offer 24/7 support.
- Immediate failover capabilities. In computing, failover is a process for switching to a standby or redundant technology if a server, system, network or program is compromised or otherwise made unavailable. If you can’t afford any downtime, you need to make sure you have immediate failover capabilities in place across the board to ensure continuity.
- Having backups for networks, systems and other technology is critical to ensuring continuity and avoiding downtime, but they’re only useful if you know they work. You should not only be making a point of regularly backing up your data and systems; you should also regularly test and verify your backups to make sure they’ll function when you actually need them.
- If you need to terminate the use of a technology or a relationship with a provider due to a breach, you need to have clear processes in place. Among other things, they should guarantee a timeline for recovering any compromised data and make clear who owns that data after termination.
Remote access application due diligence
Ensuring secure remote access starts with choosing the right platforms and applications. A major factor that should play into any decision to use a particular application or provider is the security measures offered.
Proper due diligence requires consideration of the following features:
- Strong encryption at the database layer. Your applications should offer AES 256 encryption, which is the most secure encryption offered commercially today.
- Any technology you use must provide strong password protection. You should also look for single sign-on, which allows you to use one set of login credentials to access multiple applications.
- Role-based access. Your applications should allow you to restrict access to certain systems or data based on the role and responsibility level of each user.
- User activity log. All applications should automatically keep and provide access to a record of their operating trends, baseline metrics and any security incidents that might arise.
- User information. Technology is only helpful if your people know how to use it. Look for applications that offer educational reference materials like an indexed knowledge base, context-sensitive guidance and user communities.
- Client portals. Companies may want to look for tools that offer client portals, if relevant to their business, so clients can access basic information, check status and collaborate on documents.
- Mobile apps. Today’s workers are frequently mobile and their tools need to go wherever they go. Look for technologies that offer secure mobile apps for access from anywhere at any time.
The immediate need to support remote work has brought with it an increasingly complex and risky cybersecurity landscape. Thinking proactively about remote work strategy and controls, business continuity and disaster recovery and application management when choosing or monitoring a cloud provider is the best way to prevent cybersecurity breaches before they happen.
Tomas Suros is a technology advocate working at the intersection of IT and client consulting. With AbacusNext since 2004, he currently serves as global director of product marketing, guiding firms through the process of identifying forward-facing technology options and ensuring the successful implementation of a tailored solution. He can be reached at [email protected].