With the COVID-19 pandemic forcing the majority of the workforce to do their job remotely, employees are no longer protected behind office infrastructure. SMEs are being hit hard and the last thing they need is to find out they are falling out of scope of cybersecurity requirements and increasing their cyber-risk. Richard Hughes, Head of Technical Cyber Security at A&O IT Group, discusses whether SMEs are fighting a losing battle when it comes to cybersecurity certification and adequately securing their employees and business as a whole.
Where does the onus lie when it comes to protecting employees’ home networks?
While an organisation has no direct responsibility for the security of an employee’s home network, it can easily find itself failing a certification such as Cyber Essentials if the network and home router do not meet the standards required.
Additionally, with employees working from home, their network forms part of a wider attack surface for the organisation, and so it is certainly in the interests of the organisation either to ensure the network is secured or to mitigate the risk by other means, such as an always-on corporate VPN keeping business data secured on the network.
What steps do SMEs need to take to ensure the security of their employees’ networks to protect their businesses as well as maintain compliance with industry certifications like Cyber Essentials?
In truth, it would be almost impossible for an organisation to ensure that a home router is compliant. At the very least, the router must still be in support and receiving security patches for any discovered vulnerabilities, and default passwords must be changed to strong passwords. Then it gets even more complex, as any firewall rules should have a written business case, which would be impossible to enforce.
Realistically, you would need to take access away from the employees as, after all, you would not allow your employees to make changes to the corporate firewall configuration. Often with home routers, the ISP would also have full access to the configuration, which again is outside of the control of the organisation.
One viable but fairly costly option is to provide employees with a corporate router/firewall which is centrally managed and then create a separate extension to the corporate network within the employees’ home. Another option would be to mitigate the risk by utilising an always-on VPN that routes all traffic through the corporate network, but this would also require some central infrastructure, as it must be a corporate VPN and not a commercial VPN which, if not trusted, could be worse than no VPN at all.
Why is there a greater need for security during this time?
We are seeing an unprecedented number of employees working from home and this is likely to continue for some time. As a result, we are seeing corporate data move from perhaps a single well-protected network to hundreds, if not thousands, of home networks that have little or no real protection.
To put it simply, the attack surface has grown exponentially during the COVID-19 pandemic, and attackers will take any opportunity to gain a foothold into the corporate environment, with the home network providing a real possibility for this. We also see that some organisations still have a tactical approach to dealing with a home-based workforce when in reality they need to be thinking far more strategically.
Even emergency changes to the environment need to be retrospectively assessed from a security perspective at the earliest opportunity. Hastily configured solutions tend to be those with the most vulnerabilities.
How are pen testers adapting their assessments for the current climate?
Some assessments that would have been conducted on a client site are now being conducted remotely, and endpoints that would have been on a corporate network are now spread around the country or, in some cases, the world. In these cases, we are utilising VPN and software-defined WAN to bring these devices back onto a virtualised network for assessment.
There is a little more time spent scoping the assessments with the client to ensure that we have sufficient coverage and perhaps a little more setup but otherwise the methodologies, tools and techniques remain largely the same. The threat landscape is always changing and a pen tester will consider this as business as usual.
What advice would you offer SMEs to ensure they are adequately protected?
While security assessments may seem like an expense that can be delayed until business picks up a bit, the cost of a breach can be far higher. I always say that while security hardly ever adds to the bottom line, it almost certainly protects it.
Organisations must not be complacent as, with cybersecurity, past history certainly does not provide a guide to the future. Just because you have gone years without any known breach does not mean you will not have a major incident tomorrow.
SMEs should seek advice from security professionals to understand their attack surface and then take steps to discover and resolve or mitigate any vulnerabilities. Ensuring that operating systems and applications receive timely security patches is essential and remote working must not be an excuse to delay this. Where possible, multi-factor authentication should be used on all accounts and staff should be provided with training to help them avoid the more obvious phishing/social engineering attacks.
How should SMEs be planning for the year ahead?
We see all too often that SMEs do not have a dedicated budget for a security programme and this is a good time to change that for the year ahead. Whatever budget you can afford, an experienced security consultancy will help you prioritise and get the most benefit for the budget you have.
If you do not have an architecture diagram showing the relationship and data flows between your systems – whether they are owned by the organisation or a third party – then the creation of this should also be a priority.
It is very difficult to protect what you do not know and good documentation will not only help identify your attack surface but will also be invaluable in containing and recovering from an incident should the worst happen.
Plan for regular vulnerability assessments – once a year is simply not enough as new vulnerabilities are being discovered frequently. Having just one device on your network that does not get patched could be all an attacker requires.
Plan to replace any tactical solutions that were rushed in during the COVID-19 pandemic with strategic solutions that have been assessed from a security perspective.