The world has changed drastically as a result of the Covid pandemic and ensuing shutdown. School is remote, office workers are mobile, and IT security is being stretched in every direction to match this new demand.
As your company cautiously moves forward in this unprecedented environment, the last thing you need is for a poorly put-together IT security plan to trip you up.
Let’s be clear: you are missing out on opportunities in this new world when your IT security plan is strictly focused on tools and tactics. Here are some things to think about:
- How could your business benefit if you could hire expertise from anywhere in the country or world?
- Could ditching that large expensive office that no one comes to anymore help your company’s bottom line?
Even in this upside down world, opportunities are out there. In this article we are going to discuss how you can make sure your IT security strategy doesn’t limit these opportunities.
Good IT strategy requires layers. Let’s examine 3 that are absolutely critical to your organization moving forward.
The Human Firewall
Users represent the biggest and most unmanageable gap in IT security. While IT security tacticians are constantly attempting to head off the bad guys, many times the human element is overlooked. This can pose a large, unmitigated risk.
Consider a simple scenario:
The MFA/2FA “assisted” breach
If you’ve implemented two-factor authentication (2FA) or multi-factor authentication (MFA) on your email and maybe other important apps, that’s a great first step! But it’s important to know that these authentications are not foolproof. There are actually a number of ways that users can still be breached. Let’s focus on a very common one that’s not sophisticated but poses a huge risk.
The push notification.
Yes, this super convenient feature can also allow unauthorized access to your applications. How? Well, it’s pretty sneaky. The push notifications come to the user’s phone while they are in a meeting or engaged in some other task. They assume their laptop or home computer is attempting to re-authenticate so they press the authorize button. Or, they ignore the first one and get bombarded with more and more requests until they accidentally press yes. Either way, if the request was coming from a malicious user, this user is now inside the application and can wreak all kinds of havoc.
How can this hack be avoided? Simple: education. All users should understand they should never authorize push notifications unless they are actively attempting to access the application. Yes, browsers occasionally auto-refresh and may force a push notification. And while that’s legit, let’s keep it simple. Follow this rule and your users will be safe.
A Solid Process
Process sits somewhere in between users and technology. But make no mistake – just like user education, process can close the security gaps your users create. Let’s look at a few common scenarios where process can make all the difference.
Sharing company data
This is a critical part of today’s collaborative relationships between employees or clients. Sending attachments back and forth via email is cumbersome and time consuming. So, do your users have a process and preferred application for this? Can you audit your users following this process and who has access to your data? If the answer is no to either question, you are leaving your data at risk.
Authorizing wire transfers
The number of times we have seen or heard about folks accepting an email as authorization for wiring funds is staggering. That money is never coming back. But it doesn’t need to be that way. A simple second form of validation, such as a quick call or text to the person requesting the wire will avert this disaster.
Where do your users store their data? If they have to jump through hoops like using VPNs and file shares, you can be certain that much of the data is stored locally on their devices or a cloud file system like Dropbox. Is that data being protected? Say your users are using the file server, are the backups being validated, tested and sent off-site? Data protection is a key IT security strategy that will help you manage this risk.
As you can see, remote work has added the need for more processes to save your users from themselves. Process is an integral security layer that will shield your organization from all kinds of security threats.
Simple IT Security Tools
This section is where most IT companies spend their time. The latest firewall, host protection, security application… every IT company has their list of tools they like to work with. Without the human and process layers in place, these tools mean very little. But if you have those layers buttoned up, it’s important to have the right mix of tools in place to best secure your mobile workforce no matter where they are.
Some tools to consider include (but not an exhaustive list by any means):
Two-factor or multi-factor authentication – Should be enabled on at least your email to provide a baseline level of protection. Add MFA to other cloud applications you use to further enhance your level of security. If done well, a user should only have to manage a single MFA application or token to access their applications.
Zero-trust, always on VPN client – Allows your users to work from anywhere with the organizational security posture in place to protect them. The best part? It’s completely transparent and connects them automatically.
Endpoint detection and response – Next-gen user device protection that focuses on catching behaviors that could threaten your network. Think of it as a backstop solution that catches what AV misses. This application is lightweight and functions in the background with no user involvement.
DNS protection – Another background application primarily used to prevent users from accessing known bad sites. But it’s also useful to block/report access to non-business-related sites from business assets.
Web filtering/antivirus/IPS – IT word soup for protecting your users no matter where they are. Requires no user startup and protects your users as soon as they turn on their device.
Did you notice a pattern in the tools listed above? That’s right, simplicity. No user action required. Simplicity is critical when selecting tools that protect your users if you actually want your users to, you know, use them.
Does all this sound daunting? That’s completely understandable. This enormous shift brought on by the pandemic can be stressful, but it’s also an excellent opportunity if you do it right. Don’t leave that to chance. Find an IT partner that can help you get the most out of this new environment.