Securing Distributed Teams
With COVID-19 forcing social distancing measures, metaphorical jet-boosters have been strapped to the back of many companies’ remote working policies.
In the scramble to get everyone efficiently working outside of the office environment, many will have overlooked the security challenges that come along with this new set up.
We reached out to cyber security leaders to discuss the scale of the challenge and what businesses can do to secure their remote teams.
Benn Morris, Founding Director and Owner at 3B Data Security
Benn Morris is the Founding Director and Owner of 3B Data Security. Starting out in network engineering before joining the Police in their Hi-Tech Crime Unit and counter terrorism division, Benn has focused primarily on the payment card industry for the last 12 years as a PCI forensic investigator and qualified security assessor.
Now as Founding Director and Owner at 3B Data Security, Benn is working with global clients on incident management, PCI DSS, pen testing and other advisory services.
“Some of my Customers Didn’t Even Have Laptops”
Offering both consultative services and a managed service option, Benn has seen the full spectrum of response to the rush to get everyone set up remote.
“Some of our customers didn’t even have laptops. It was quite a shock for them.”
Doing a number of engagements to get things locked down for clients, like Microsoft 365 security and configuration hardening as well as penetration testing, Benn believes there are three main areas that his clients have needed the most support with over this period.
“The Behavioural side of working from home and helping people get into secure habits at home. Having the technology ready to take home, with the means to connect back into the business for continuity and finally the shifting of functionality on some systems to get them remote ready.”
“This Has Always Been An Issue, But Now It’s More Publicised”
Having been working in security and breaches for the best part of 15 years now, Benn has seen it all when it comes to attacks. With that in mind, nothing Benn is seeing now from his wide portfolio of clients necessarily surprises him.
“A lot of the stuff we’re seeing now isn’t new - it’s just being talked about a lot more now.”
A combination of high-profile breaches, like the recent cyber attack on Manchester United Football Club, and more security-minded professionals at a senior level, has brought about a shift in perceptions. Security is no longer seen as the after-thought and is brought closer to the start of a development lifecycle.
It’s that changing of perception and perspective that Benn is more concerned about as, in most cases, how you educate people on security can be just as, if not more, important than any one tool.
“Remote working security is more of a psychological problem than a technical one. If you’re sat at home and receive something you’re not sure about, you can’t just shout out: ‘did anyone else get this?’. This is key when it comes to things like phishing.”
While Benn isn’t seeing anything new, he is seeing different approaches that are particularly effective given the context of the pandemic.
A Freedom of Information request from the firm has revealed taxpayers reported 9,948 Covid-related scams to HMRC between January and June.
Activity peaked in May, with 5,048 incidents explicitly mentioning Covid, then proceeded to fall by over 55% to 2,495 in June.
The total number of all phishing scams reported to HMRC was 44,777 in January. This rose steadily month on month to a peak of 77,148 in June, an overall increase of 73%.
On average, two thirds (66%) of the scams reported to HMRC in the first half of 2020 offered the recipient some form of tax refund or rebate.
Some scams offer the recipient a tax refund to help manage the financial pressures of the coronavirus, while others take the form of a bogus fine levied on the recipient for repeatedly leaving the house during the lockdown.
“The pandemic has given phishing scammers the chance to use more authentic content given the context of the pandemic. We need to be vigilant.”
Security Awareness Training is Incredibly Important
At the top of any security agenda for Benn is security awareness. So often overlooked, the education piece can be incredibly powerful when supported by a wider business model.
“Security training can be as simple as communication training. We’re showing people what dangerous looks like and what steps people need to take. Nine times out of ten, the steps are no different to the ones they’d take if they were in an office environment.”
Outside of education, Benn advises organisations invest in VPNs and the systematic locking down of features and functions. To minimise risk.
“The idea is we don’t want people to have too many options. We want them to have what they need to do their job and that’s all.”
Holly Grace Williams, Managing Director at Secarma Ltd
Holly Grace WIlliams is the Managing Director at cybersecurity consultancy, Secarma Ltd. Ex military, Holly spent five and a half years in Secure Communication Systems before securing a masters degree in information security. With her master’s, Holly worked as a penetration tester for 5 years before taking the position at Secarma.
“The Attack Surface Has Changed, The Attacks Haven’t”
Covid-19 has brought about an unprecedented amount of change. One of the necessary changes has been around the removal of processes to allow for the swift continuation of critical work.
Although this has allowed for the quick deployment of security systems, it has left behind several key aspects of security testing which simply cannot keep up with the pace.
“Making changes can be done fairly quickly. With cloud providers, it’s almost instantaneous. But that’s the thing with security, you don’t want to just spin things up quickly. You want to be testing. But how quickly can they procure that test? Does their current supplier have capacity? You end up with companies operating at a risk to allow for these issues.”
Echoing similar sentiments to the rest of the professionals featured in this article, Holly believes the types of attacks happening right now are no different to the ones happening pre-pandemic. With that in mind, strong security habits will continue to prevail regardless of whether you’re at home or not.
“Your IT team may be used to operating in an office environment but the tools and technology we use is still the same for the most part. Communication is still email, and that’s still at risk of phishing attacks. So email hardening in response to that is still the same.”
Although the risks haven’t changed, the makeup of a network certainly has and, by extension, the levels of awareness training we need to provide for our employees.
“How do we protect data in transit? We typically use VPNs to add encryption to data in transit. These also affect behaviour, so we need to consider updating security awareness training in light of the pandemic.”
Furthermore, it’s important we consider the diverse range of working conditions now open to vulnerability.
“Some will have lovely home offices, others will be sitting on their sofa with a laptop on their knee. Things like confidential conversations and confidential email need to be addressed. Headsets and privacy filters as well as security awareness training.”
Revisit Changes Made At The Start Of The Pandemic
As far as actions businesses can take right now to make their teams more secure while working remote, Holly recommends a pragmatic approach that focuses on changes made in the past.
“All of those changes that you made under duress back in March - go back and validate that work with rigorous testing.”
Sean Tickle, Security Operations Centre Manager at CyberGuard Technologies Limited
Sean Tickle is the Security Operations Centre Manager at CyberGuard Technologies Limited, where he leads a specialist team of experienced, knowledgeable and accredited staff whose main responsibility is to review and investigate alerts generated by numerous sources. After completing an honours degree, Sean took the role of junior security analyst. Raising quickly into senior security analyst, it wasn’t long before Sean was running his own team, building out the CyberGuard services and plans.
Nobody Was Prepared
CyberGuard, and the wider security industry, saw a massive uplift in work from a managed service point of view. CyberGuard’s sister company, OGL Computer, experienced a huge surge in requests to get VPN connections in place and hardware to organisations.
“No one was prepared for this initiative, but they also didn’t have a choice. It was all about what we can do to make sure everyone is protected and business continuity is maintained.”
Currently, in the middle of a large incident response process for a big client, Sean is seeing perceptions around security changing because of more serious fines for breaches with COVID-19 just pushing people further towards the inevitable tightening and improving of security.
“It’s not just the attack itself, you have to think about the reputational damage and the fines you might face from other organisations because you have to report a data breach if you’ve had one. These have massive implications that people are starting to wise up to now.”
Be Diligent on Your Chosen Solutions
A common solution employed by many, the VPN, is a good option for securing organisations against ever-evolving threats. But, as mentioned by Holly earlier in the article, rushing to implement these solutions without proper support or testing will lead to it having the reverse effect.
“You need multi-factor authentication, you need audit logs. You need all these extra things because, in this climate, you run the risk of creating more security holes by not running due diligence on the ones already in place.”