Over the past few weeks, businesses of all shapes, sizes, and descriptions have had their daily operations upended by the coronavirus. For some, it’s meant finding new ways to handle retail operations. Solutions have run the gamut from shifting to online-only sales to moving to curbside pickup and additional delivery options. For others, it has meant a mad scramble to set up employees to work from home.
It’s that second group of businesses that is – believe it or not – having the greatest difficulty in adjusting to their new, everyone-working-from-home reality. Part of the reason for that is the fact that remote workers weren’t the easiest group of people to support, to begin with. The other big part is the fact that most businesses simply weren’t set up to accommodate this number of remote workers, and have had to cobble together solutions on the fly to make it happen.
Now that the sudden shock of doing this has worn off, though, it’s time for IT admins to circle back and make sure they haven’t made any glaring mistakes in getting their emergency telework infrastructure off the ground. Here are the four areas of greatest concern they should be reviewing as soon as possible.
1. User Access Controls
As any IT administrator can tell you, managing a complex set of user access controls for business systems can be a challenge, even on a good day. There’s a constant battle between the need to maintain operational and data security and the employee’s desire for convenience and low barriers to the use of company data resources. It should go without saying that there’s a pretty good chance that businesses faced with the sudden need to provision remote access to large numbers of employees simultaneously may have left some giant holes in their access control safeguards.
To correct it, administrators should be instituting a top-to-bottom review of user credentials and permissions. They should apply the principle of least privilege (PLOP) wherever possible, both to employee user accounts themselves (for internal and cloud services) and for VPN access to company networks. On the VPN side, a good place to start is to create privilege groups that slice up subnet access into the smallest possible parts. That would help to contain any damage done if a user’s credentials were compromised.
2. Endpoint Protection
When employees are working within a company’s network, maintaining up-to-date and active endpoint protection is a must. It provides a critical backstop to protect the network in the event something gets past hardware-level perimeter defenses. Now that users are creating countless openings in those perimeter defenses due to remote access needs, every business’s endpoint protection solution is now on the front lines of their network’s defense against would-be attackers.
For starters, administrators should be examining management consoles to see that their security software is running and up to date on all protected systems. If any business machines lack the proper security measures, they should be applied immediately. For the duration of the current situation, any machines that aren’t protected due to software malfunctions or licensing issues should remain powered down until they can be addressed. In a security environment like today’s, all an attacker needs is a single vulnerable endpoint to wreak havoc on a business network.
3. BYOD Policy and Management
For several years now, enterprises of all sizes have had to contend with a growing contingent of workers eager to use their personal devices to access company systems and data. The response to that was to implement bring your own device (BYOD) policies that spelled out which devices were acceptable and how they could be used. In many cases, businesses turned to BYOD management platforms to handle access and security on smartphones and tablets.
In the current situation, businesses now must contend with a sudden influx of personal desktops and laptops – not mobile devices – connecting to their networks. In most cases, they’re not equipped to manage those kinds of devices and threat visibility is poor. As a result, it’s a good idea to refresh BYOD policies to reflect the shift. Items to include are:
- Making an active antivirus solution mandatory on user PCs and laptops
- Requiring that users check for software and security updates regularly
- Setting minimum system specifications to ensure usability
- Prohibiting the use of filesharing or other risky software
Also, users should be required to use WPA2-level or above encryption on any wireless networks that will be used to facilitate remote business network access. For users that will rely on cloud-based business solutions and not private business network resources, a high-quality commercial VPN for Windows or any other OS should be a base requirement, both to provide an extra layer of encryption as well as take some of the load off of company-owned VPN servers.
4. End-User Training
Since the average business never had to deal with so many employees working off-site, there’s a good chance they also never took the time to provide whole-workforce training on how to do so safely. Indeed, this is exactly what hackers everywhere seem to be counting on as they launch attacks against the scores of inexperienced remote workers around the globe. It’s up to business IT administrators to step in and provide the right training to prevent them from becoming victims.
A good place to start is with whatever end-user data security training already exists. From there, it’s a matter of adding situation-specific tips on things like spotting phishing scams and reporting suspicious emails and the like. Then, it’s necessary to find ways to scale that training up and making it mandatory for all employees to participate in it. For businesses with large workforces, a good solution is to set up an Open edX server and develop a MOOC that covers the necessary knowledge. That way, the coursework can be updated as the need arises and the situation continues to change.
Staying Safe and Secure
With plenty of effort and a little bit of good luck, IT admins can help the businesses they serve get through this unprecedented crisis without sacrificing data security or the employees’ ability to be productive. Paying careful attention in reviewing the points set forth here is a good place to start, but it’s not all that has to happen. With the situation still fluid and with so much unknown still ahead, there’s bound to be more challenges ahead for hard-pressed IT departments, managers, and staff. So wherever possible, handling the tasks above now will at least help to provide a solid foundation for future efforts – which should, at least, get them off to a safe and secure start.
Andrej Kovačević is a digital marketing expert, editor at TechLoot, and a contributing writer for a variety of other technology-focused online publications. He has covered the intersection of marketing and technology for several years and is pursuing an ongoing mission to share his expertise with business leaders and marketing professionals everywhere.