Cyber hygiene is a lot like flossing. People know they should be doing it, but compliance isn’t great. Infosec professionals can feel like the dentists of an organization: poking employees in the mouth while they sheepishly admit that they “sometimes” follow your recommendations. Like oral hygiene, putting off cyber hygiene usually leads to painful and expensive problems down the road. How can we end 2020 with a healthy smile? A new whitepaper from BluVector offers tips on Ensuring Security in the New Networking Normal.
Remote is our new reality. Large tech companies like Twitter, Slack, and Facebook have made headlines for offering permanent work-from-home, and many others have moved back their targets for returning to offices to Summer 2021. It’s time for cybersecurity decision makers to embrace the New Networking Normal and make sure that WFH, in-office, and hybrid workers are part of your security strategy.
The BluVector white paper cites a Bitdefender study that found 50% of organizations didn’t have contingency plans for a situation like Covid-19. CISOs can be forgiven for not predicting a global pandemic, but they can use the experience gained in dealing with the aftermath. BluVector recommends crafting contingency plans and testing them through tabletop exercises to harden the plans and prepare crisis managers. Major vulnerability areas exposed in the shift to WFH include BYOD, VPNs, and Enterprise Hardware like mobile management devices and firewalls.
The report also highlights several novel situations that network administrators will find especially challenging. How do you limit the threat surface when employees return to work? They recommend setting up Network Access Control (NAC) to scan users’ machines and apply updates before granting access to the main corporate network. How do you monitor remote NOC and SOC teams? And how do you cope with a high rate of false positives from so many remote users accessing the network? Read the report for more.
Returning to the dentist analogy, you need to educate and encourage preventative measures from your users. A major part of the report covers training, patching, password, and MFA advice to secure your employees. During this stressful time, when they may have children accessing their devices for virtual learning and other challenges, cybersecurity leaders need to continue engaging and educating. A news event like the US Indictment of Sandworm or the Universal Health Services Ransomware Attack can be a jumping off point to explain common phishing techniques or the risks of reusing passwords. If your devices require users to initiate patches, you can encourage users to patch together at the end of a virtual teambuilding event or to take some time with their family while they run updates. You can empower users to feel like they are both securing the company and less vulnerable to cybercrime in their daily lives.