I have been thinking for a couple of weeks now about what I wanted to share, how it should be shared, etc. I am glad I thought instead of writing and sharing in haste.
As it relates to enabling knowledge workers to remain productive and secure while remote, it should have been a non-event.
What I’ve seen is propaganda by vendors, reaction and regression with clients. None of it was necessary. That said, we do have many clients who have done a world class job preparing and reacting. They knew enough to look for help ahead of time and that says a lot!
Clients have repeatedly asked me what this means for HyperProtect and how it will affect service. Even when the questions came to us early and a few details were still to be laid down internally, the answer was still quite simple because the answer is the same for us without the pandemic situation.
We have policy, controls, monitoring and an incident response plan in place for 365 days a year, not for a pandemic. Writing a couple of internal / external communication emails and deploying updated hardware to staff is really the net of the impact, for us at least.
In the cyber security context, today’s “remote workforce” problem is not due to the pandemic; it is due to an organisation’s collective failure to do the right things one day at a time over the last few years.
How do projects get years behind? One day at a time is the answer. To follow that up, there is a Polish saying: “Sleep faster, we need the pillows”. Therefore, you cannot expect to rush what should have been years of planning and doing into a couple of days of scrambled activity.
Transitional Starter Kit
There is no silver bullet, but here are things that just have to be done. It does not have to be hard or expensive either. For the resources responsible for IT and/or Security, here is some straight-talk guidance:
People and Process Items
All organisations have varying levels of maturity, compliance drivers, associated risks, personality, culture, etc. The reality of the list below is that whether you have done, will do or will not do each item will certainly vary. That said, they simply all need to be done.
Determine and prioritise your organisation’s goals and fears
Identify what your organisation is trying to do, why and when
Take inventory of what your organisation fears as it relates to security, compromise, loss of data, systems, etc.
Communicate and educate leadership
Ask leadership for decisions
Create / Update Info Security Policy and basic related procedures
Get informed about departments, roles, systems and needs
Helps identify least privilege strategy
Helps prioritise access and deployment
Security Control Related Items
Protect your accounts!
Enable MFA, like seriously, enable MFA
Monitor every system you care about for authentication & action activity
Know your accounts
Who does what, when, from where, to what, etc.
You need to know your baseline / normal, otherwise you won’t know the anomalous
Deploy Full Web Proxy – Cloud Based
Every connection to / from the internet must be fully inspected
Every machine, protected from anywhere, same policies, everything logged
Deploy Advanced Endpoint & EDR
Last line of defence – make it a great one
Control USB & Bluetooth, enable firewall, etc.
Ensure you have visibility to everything on the endpoint
Kill your end-user VPN; there is a better way
Connect your people with apps intelligently and far more securely
Know your vulnerabilities
Scan your systems, get them patched / updated
This is inexpensive and easy to do
Start with public-facing apps, machines, etc.
Monitor everything you decided you cared about (or feared)
Get in the knowing business, collect knowledge
Take your knowledge and metrics and apply them back through the mentioned steps.
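The "Know your accounts" item above (who does what, when, from where, to what) can be turned into a first-pass check like the following. This is an added example, not part of the original post or any HyperProtect tooling; the event tuples, account names, source and target labels and the one-hour tolerance are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (timestamp, account, source, target, action).
HISTORY = [
    ("2020-03-02T09:14:00", "alice", "office", "crm", "login"),
    ("2020-03-03T10:02:00", "alice", "home", "crm", "login"),
    ("2020-03-04T14:40:00", "alice", "home", "mail", "read"),
    ("2020-03-02T08:30:00", "bob", "office", "mail", "login"),
]
NEW_EVENTS = [
    ("2020-03-16T10:05:00", "alice", "home", "crm", "login"),
    ("2020-03-16T03:22:00", "alice", "unknown-asn", "finance-db", "export"),
    ("2020-03-16T11:00:00", "svc-backup", "office", "mail", "login"),
]

def build_baseline(events):
    """Per account, collect every hour, source, target and action already seen."""
    baseline = defaultdict(lambda: defaultdict(set))
    for ts, account, source, target, action in events:
        seen = baseline[account]
        seen["hour"].add(datetime.fromisoformat(ts).hour)
        seen["source"].add(source)
        seen["target"].add(target)
        seen["action"].add(action)
    return baseline

def deviations(baseline, event, hour_slack=1):
    """Return the ways one event departs from its account's baseline."""
    ts, account, source, target, action = event
    if account not in baseline:
        return ["unknown account"]
    seen = baseline[account]
    hour = datetime.fromisoformat(ts).hour
    found = []
    # Compare hours on a 24-hour clock so 23:00 and 00:00 count as adjacent.
    if not any(min(abs(hour - h), 24 - abs(hour - h)) <= hour_slack
               for h in seen["hour"]):
        found.append(f"unusual hour {hour:02d}:00")
    for field, value in (("source", source), ("target", target), ("action", action)):
        if value not in seen[field]:
            found.append(f"new {field} {value}")
    return found

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for event in NEW_EVENTS:
        print(event[1], event[0], deviations(baseline, event) or "matches baseline")
```

An event that deviates on several dimensions at once, like the second constructed event, is the one to look at first; a single new source on its own is often just someone working from a new location.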
Current events are forcing a scramble to do what should have been done all along. A proactive cyber security program and vigilant execution of it is not optional. Several well-known frameworks exist that lay out layers of detailed directives addressing many other processes, activities and controls that can take you further.