Over the past several years, organizations have allocated considerable resources to protect their Information Technology environment. Historically, this meant securing the perimeter of the office(s) and everything inside. The COVID pandemic forced many organizations to quickly rollout remote work solutions which left unchecked, pose a significant risk to the business. It’s time that we all take a second look at our remote work environments to ensure our internal security controls extend beyond the 4 walls of our offices. We always recommend performing a risk assessment to identify specific risks to your organization, but I have provided a few universal controls below that will apply to most organizations.
Here are a few concepts to consider:
- It goes without saying that multifactor authentication (MFA) should be a cornerstone of all remote access authentication requirements. Unfortunately, some organizations are still reluctant to implement this control out of concern of inconveniencing users. Usernames and passwords alone are simply not enough to keep the bad guys at bay. I would much rather apologize for inconveniencing the occasional user than have to explain a major security breach.
- Up next, mobile device management (MDM). The definition of MDM varies based on who you talk to, which has led to some confusion. Years ago, the scope of MDM consisted primarily of cell phones but is now inclusive of all remote devices (personal and corporate-owned) that access corporate data. It is important to maintain an appropriate level of visibility, security, and administrative capabilities for all devices regardless of the physical location.
- Last but certainly not least, regular remote access reviews need to be incorporated into the organization’s governance and oversight program. This should be a collaborative effort between IT and business unit leaders to ensure that appropriate access is assigned based on users’ roles and responsibilities. As a best practice, access should be granted based on the concept of least privilege, which means assigning the least amount of access required to fulfill their duties.
This list is not meant to be all-encompassing of the controls required to secure remote work environments, but it does provide a good starting point. All organizations are unique and thus, require unique solutions to build and maintain strong security programs. If this is an area you struggle with or would like to discuss in further detail, email us at support@bedelsecurity.com for assistance.
Additional Resources
Remote Employee Access
https://www.bedelsecurity.com/blog/remote-employee-access
Remote Access Risk Assessment
https://www.bedelsecurity.com/lp-remoteriskassessment
Remote Work Security
https://www.bedelsecurity.com/blog/remote-work-security
Do you need a separate penetration test for remote access?
https://www.bedelsecurity.com/blog/do-you-need-a-separate-penetration-test-for-remote-access
Surviving the post-pandemic landscape: 12 Technologies That Every Community Financial Institution Should Be Thinking About
https://www.bedelsecurity.com/lp-surviving-the-post-pandemic-landscape