Since the start of the COVID-19 pandemic a large majority of office workers have been working from home. This has meant organisations have had to adapt their ways of working and be aware of the new security challenges this brings. Organisations for which home working is relatively new need to put measures in place that cover the potential new threats which can emerge from their employees’ homes.
Principle of least privilege
The principle of least privilege is where user accounts only have the permissions required to carry out their role and nothing more. The benefits of least privilege practices include:
- Reducing the attack surface – It is harder for malware and attackers to spread within an organisation when accounts lack administrative permissions.
- Improved compliance and audits – Cyber Essentials and ISO 27001 controls require least privilege practices to be in operation.
- A better user experience – When users do not have administrative permissions, they will not be able to install their own software. This means fewer calls to your help desk when things go wrong in an unmanaged way.
Virtual Private Networks
Virtual Private Networks (VPNs) allow remote workers to connect to the organisation’s internal systems and services in a secure manner. Communications between the worker’s devices and the organisation’s network are encrypted as they travel over the internet. This protects confidential and personal data from potential eavesdropping as data is transmitted or received.
For the most user-friendly setup, an always-on VPN that connects automatically whenever the device has an internet connection can be used. An example of this is how Microsoft configure their VPNs for remote access.
Password managers
Password managers are the digital equivalent of a physical safe. They allow you to store all your passwords for the different services that you use so that you do not have to remember them. They can generate secure, hard-to-guess passwords and let you know if your password has been found in a data breach so that you can change it. Most password managers, such as 1Password, are available on multiple platforms. Password managers keep your passwords safe by encrypting them, and you will usually have a ‘master’ password to unlock them. The best practice is to use four random words for this that you can remember. 1Password for business and teams gives the full benefit of sharing passwords securely within teams, and gives employees free family accounts so they can practise good security at home too.
Multifactor and two-factor authentication
It is best practice to use 2FA (two-factor) or MFA (multi-factor) authentication. This can require users to enter a random temporary code in addition to their username and password, or require the device to be pre-registered with the network.
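The "random temporary code" used by authenticator apps is normally a time-based one-time password (TOTP, RFC 6238), which is HOTP (RFC 4226) with the counter derived from the clock. The following is an added illustration, not code from the original post or from any particular MFA product, of how the verifying side should check such a code: a small drift window, constant-time comparison, and a record of the last accepted counter so a code captured by an attacker cannot be replayed. The secret is the RFC test key, and `verify_totp` and its `last_counter` parameter are names chosen here.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"); a real deployment
# would generate a random per-user secret and store it server-side.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, last_counter=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the counter step that matched, or None if the code is rejected.

    - accepts codes from +/- `window` steps to tolerate small clock drift
    - refuses any counter <= last_counter, so a code that was already accepted
      (or one intercepted and resubmitted) cannot be replayed
    - compares in constant time to avoid leaking how many digits matched
    """
    code = code.strip()
    if not code.isascii() or not code.isdigit():
        return None
    now = int(timestamp) // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Live demonstration against the current clock: generate, then verify.
    now = int(time.time())
    code = totp(SECRET, now)
    matched = verify_totp(SECRET, code, now)
    print("code", code, "accepted at counter", matched)
    # Second use of the same code is refused once the counter is recorded.
    print("replay accepted?", verify_totp(SECRET, code, now, last_counter=matched) is not None)
```

The caller persists the returned counter per user and passes it back as `last_counter` on the next attempt; that single stored integer is what turns "a code that is valid for 30 seconds" into "a code that is valid once".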
Credential data breach checks
Troy Hunt, a well-known security expert, runs the HaveIBeenPwned website, which allows users to sign up for free email notifications whenever their address is found in a data breach. Workplaces, or anyone who owns their own domain name, can also sign up for domain-level notifications which include a list of all the compromised addresses.
HaveIBeenPwned Active Directory Integration
For those that use Active Directory for identity management, the kind people at Lithnet have released their plugin ‘Lithnet Password Protection for Active Directory (LPP)’ for free, which allows system administrators to import compromised password lists from HaveIBeenPwned. Active Directory users can then be prevented from using these passwords, and audits can be run using the tool to identify vulnerable accounts.
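Whether a password has appeared in a breach can be checked without ever sending the password, or even its full hash, to HaveIBeenPwned: the Pwned Passwords range API is queried with only the first five hex characters of the password's SHA-1, and the client searches the returned list of suffixes locally (k-anonymity). The example below is added here to show that client-side logic; it is not code from the original post, from HaveIBeenPwned or from Lithnet (whose plugin checks Active Directory's NTLM hashes against an imported list rather than calling the API). The network call is replaced by a constructed in-memory table so the example runs offline, and the breach counts in it are made-up sample values, not real statistics; `fetch_range`, `pwned_count` and `is_acceptable` are names chosen here.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords range API. The real service
# (https://api.pwnedpasswords.com/range/<prefix>) returns, for a 5-character
# SHA-1 prefix, every matching hash as "SUFFIX:COUNT" lines (CRLF separated).
# Counts below are sample values chosen for this example, not real breach data.
_CONSTRUCTED_BREACHED = {"password": 3861493, "Password1": 150000, "letmein": 900000}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the API works in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_table() -> dict:
    table = {}
    for pw, count in _CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(pw)
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return table


_RANGE_TABLE = _build_range_table()


def fetch_range(prefix: str) -> str:
    """Stand-in for an HTTPS GET of /range/<prefix>. Only the 5-char prefix is sent;
    a real client would do the GET with urllib or requests and return the body."""
    assert len(prefix) == 5, "only the hash prefix may leave the client"
    return "\r\n".join(_RANGE_TABLE.get(prefix.upper(), []))


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}. Tolerates blank lines and
    the zero-count padding entries the API can include when asked for padding."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appeared in known breaches (0 = not found).
    The full hash never leaves this function; only its prefix goes to `fetch`."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def is_acceptable(password: str, fetch=fetch_range) -> bool:
    """Policy hook for a password-change handler: reject anything seen in a breach."""
    return pwned_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {pwned_count(candidate)} times, "
              f"{'rejected' if not is_acceptable(candidate) else 'allowed'}")
```

In production the same `pwned_count` check belongs at password-set time (as the Lithnet plugin does for AD) and in a periodic audit; logging the prefix that was queried is fine, but the candidate password and its full hash should never be written to logs.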
Firewalls, Malware and Viruses
It is best practice to scan your devices for malware and viruses often. Windows has a built-in antivirus and firewall that can be configured. There are also third-party solutions available depending on your needs. System administrators should also ensure the network boundary firewall (which is often built into a router in smaller networks) is configured correctly to prevent adversaries accessing your systems. Intrusion detection and prevention systems can also help protect your company by looking for the signatures of attacks and for unusual network activity.
Further resources
The UK’s National Cyber Security Centre (NCSC) regularly promotes best practices and provides advice to individuals and companies on cybersecurity. There are various infographics available to help you get started on different cybersecurity topics. The ‘10 steps to cybersecurity’ is one of the more widely known resources the NCSC provides for companies.
Lastly, it is important that companies practise cybersecurity exercises so that in the event of an attack everybody knows what to do and what part they play in the response.
We are used to upgrading old systems or designing new systems to replace them. We follow the best security practices during development of your system to help keep you secure. If you have a system that you feel could benefit from being improved, get in touch today.