With more than 70% of the global workforce (e.g., employees, contractors, and third-party vendors) working from home at least one day a week, and 53% working from home half the week, managing remote access has become a bigger challenge. Summarized below are 10 leading practices for effectively managing the risks associated with remote access.
1. Enforcement Remote Access Policies
The first step to effectively manage remote access risks begins with the creation, communication, and user awareness of the remote access policies defining Senior Management\’s expectations for the usage of all devices connected to the company network. Furthermore, the remote access policy should enforce the following control requirements to enable defense-in-depth.
2. Physical Device Security
All devices accessing the company network must be protected from theft by adequate physical security mechanics preventing those devices from being stolen from your home, restaurant, local coffee shop, vehicle, etc. All devices should be secured in the trunk of your vehicle anytime you leave the device in the vehicle. Laptops and tablets can be easily stolen from your backyard, living room, or the front seat of your vehicle. Keep your home workspace as secure as you keep your normal office.
3. Restrict Personal Devices
Some organizations choose to restrict the use of personal devices to be connected to the working network, which certainly avoids some of the remote access risks presented by those personal devices. This can help reduce the amount of sensitive data exposed, and it will be easier to enforce security on the company-owned device.
4. Secure the Home Network
Cybercriminals look to exploit default passwords on home routers because not many people bother to change it, leaving their home network vulnerable. Changing your router\’s password from the default to something unique is a simple step you can take to protect your home network from malicious actors who want access to your devices. This is a good first step, but there are additional actions you can take. For example, you should ensure firmware updates are installed as soon as possible so known vulnerabilities aren\’t exploitable.
5. Secure the Work Device
All devices connecting to the company network should require:
- Multi-factor authentication to strengthen the authentication process while attempting to log into the systems and critical business process transactions,
- A virtual private network to encrypt data being sent and received,
- Strong virus and malware protection software that automatically updates, when necessary,
- Prevent the loading of any non-approved software,
- Enforce automatic screen locking on work devices after 2 minutes of inactivity,
- Enforce strong passwords and password change management,
- Enable find my device and remote wipe should the device be lost or stolen,
- Restrict the use of non-company approved USB devices for copying data from one device to another
- Restrict the downloading of email attachment because this is a common way viruses and malware are spread.
6. Backup & Recovery
Enforce data backups and enable data recovery should the device be infected with ransomware.
Invest in cybersecurity awareness training for employees, contractors, and third-party vendors.
Invest in security software that can perform constant User Behavior Analysis at the transaction and data field level to detect and report anomalies and threats.
9. Security Model Upgrade
Gartner imperative # 1 from the Continuous Adaptive Risk and Trust Assessment (CARTA) approach recommends replacing the old and statice Role Based Access Control security model with the improved Attribute Base Access Control (ABAC) security model for your business applications to automate policy enforcement with adaptive access, transaction, and data level controls enabled by with contextual-attributes that can restrict access to critical transaction and data by start and end time ranges, dates, regions, business units, white list of authorized users, input controls limiting the maximum dollar amounts, processing control limiting the number of transactions authorized per day, output controls restricting data and reports exportation, etc. With the ABAC security model, you can implement zero trust security.
10. Continuous Risk Assessment
Gartner imperative # 2 from the CARTA approach recommends implementing continuous discovery, monitoring, and proactive risk assessment and risk prioritization.
- 10 Leading Practices for Managing the Risk of Remote Access - April 2, 2022