With everyone now Working From Home, is your remote access secure?
Updated: Apr 6, 2020
No longer reserved for the one employee with special dispensation, the occasional part-timer, or the freelance contractor who updates your website twice a year, Work From Home (WFH) is now the mainstay for an unprecedented majority of the workforce in this knowledge economy.
As we have already shifted to WFH, nearly overnight, we may be unknowingly increasing our cyber vulnerability by orders of magnitude.
Check your remote access security ASAP
In my years of experience assessing companies in multiple industries, technical and business leadership often assure me they have remote access controls in place. Then, during my detailed assessment, we so often find that these controls are inconsistently and insufficiently implemented. This false sense of security is a hazard anytime employees or vendors connect to your data and systems remotely. It leaves you vulnerable but, worse, it leaves you UNAWARE, since you THOUGHT there were sound protections in place.
Consider this. Would you connect your shared drive to the local coffee shop Wi-Fi? Would you make your billing system accessible unencrypted from an employee’s home Wi-Fi network? Of course not. But if your remote access is not configured correctly and consistently across all users and all systems, you have, in effect, left the doors open.
Now is the time to review your controls, configurations and capacity.
Most companies have a Virtual Private Network (VPN) to support secure remote connections to company resources, and more and more often Multi-Factor Authentication (MFA) is in place to further ensure that only the intended user is connecting remotely. These are two of the most elemental measures to ensure remote work is secure.
But many times, these controls are inconsistently or insufficiently applied. Consider these questions:
Do you require multi-factor authentication for all your employees -- especially executives, finance personnel, and system administrators?
Is your VPN security software up to date?
Do your employees regularly change their passwords?
Have you cut off remote access to former employees?
Is your VPN easily bypassed?
These and many other conditions, which I have repeatedly found lacking in the wild, lead to gaps in your remote access controls that can be exploited by cybercriminals.
A thorough review of who requires remote access, to what specific systems and resources, is a good first step. Beyond that, ensure your VPN software is up to date, that you have sufficient capacity and licenses to support your increase in traffic, test your capacity and security settings, and monitor VPN activity. Additional recommendations can be found in a National Cyber Awareness Alert dated March 13th.
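As an added example (not part of the original post), here is one way to automate two of the questions above: whether former employees still have remote access, and whether MFA is missing, especially for executives, finance personnel, and system administrators. The CSV column names, role labels, and sample rows are assumptions constructed for illustration; substitute the exports your own HR system and VPN produce.

```python
import csv
import io

# Constructed sample exports (not real data). Column names are assumptions.
HR_ROSTER = """username,status,role
alice,active,executive
bob,active,engineer
carol,terminated,finance
dave,active,sysadmin
gina,active,engineer
"""
VPN_ACCOUNTS = """username,enabled,mfa_enrolled
alice,yes,no
bob,yes,no
carol,yes,yes
dave,yes,no
erin,yes,no
frank,no,no
gina,yes,yes
"""
# Roles the checklist singles out for MFA (labels are assumed).
HIGH_RISK_ROLES = {"executive", "finance", "sysadmin"}

def audit_vpn_accounts(hr_csv, vpn_csv):
    """Return sorted (severity, username, reason) findings for enabled VPN accounts."""
    roster = {r["username"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(vpn_csv)):
        if acct["enabled"] != "yes":
            continue  # disabled accounts cannot connect
        user = acct["username"]
        person = roster.get(user)
        if person is None:
            # Nobody in HR owns this account: shared, vendor, or orphaned.
            findings.append(("high", user, "enabled VPN account with no HR record"))
        elif person["status"] != "active":
            findings.append(("high", user, "former employee still has remote access"))
        elif acct["mfa_enrolled"] != "yes":
            severity = "high" if person["role"] in HIGH_RISK_ROLES else "medium"
            findings.append((severity, user, f"no MFA ({person['role']})"))
    return sorted(findings)

if __name__ == "__main__":
    for severity, user, reason in audit_vpn_accounts(HR_ROSTER, VPN_ACCOUNTS):
        print(f"[{severity}] {user}: {reason}")
```

Run it on a schedule against fresh exports so that offboarding gaps surface within days rather than at the next assessment.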
If you think you might need some help assessing your remote access controls, I'd be happy to help. Clarity Cyber Assurance specializes in helping small and medium-sized businesses reduce their cyber risk.