How to leverage overdue security upgrades to stay cyber secure

By on
How to leverage overdue security upgrades to stay cyber secure
Remote workers who have gone the past year without corporate VPN access may have had to get by with personal clouds or removable media.
Photo by Philipp Katzenberger on Unsplash

Returning to the Office?

Since the COVID-19 pandemic hit early last year, Australians rapidly embraced working from home. With low levels of COVID-19 cases and the rollout of the vaccination program, many organisations have already shifted to either hybrid working or back to a fulltime working from the office model.  

Although remote working comes with many perks, the scale and speed of this transition last year was sudden and unexpected. Most companies didn’t have a pandemic contingency plan around widescale office shutdowns, thus, a lot of the IT and security infrastructure and policies to support this new way of working was put in place on the fly.

In fact, our recent study, ‘The Future of Cybersecurity in Asia Pacific and Japan’ showed that three-fifths (60%) of Australian organisations indicated they were unprepared for the cybersecurity requirements driven by the sudden need for secure remote working at the onset of the pandemic.

There are many questions that had never been asked before that have suddenly becomes critical business considerations. Is there enough VPN capacity to support all employees remotely? Can software updates be applied to work devices on home Wi-Fi networks? Does everyone have the necessary work equipment to bring home?

Although many organisations were able to develop a remote workforce IT strategy, few were actually able to pivot to the ideal approach, zero trust networking or secure access service edge for minimising security risks.

At the same time, the same study mentioned above found that COVID-19 had a positive impact on cybersecurity across Australia, with 70 per cent of Australian companies agreeing the outbreak of COVID-19 was the strongest catalyst for upgrading cybersecurity strategy and tools in the past 12 months. While COVID-19 compelled companies to refresh their cybersecurity strategies, the transformational shift to remote working also exposed additional weaknesses.

Here are a few measures that IT teams can adopt to ensure that a “return to normalcy” doesn’t also mean compromising on security – and to the contrary, how to leverage it for maximising some overdue security updates.

Deploy a quarantine local area network for updating and cleaning employee devices

Understandably, many businesses were unable to continue regular and mandatory updates for their employees’ work devices when working remotely. Hence why there may be a significant number of laptops and other connected devices that need to be re-added to the company network. Ironically, as we’ve emerged out of self-isolation, our devices need to be quarantined as a crucial measure.

It’s likely that employees may have shared their work devices with their children or families at some point, whether it was for personal use or virtual learning. However, this poses an issue as multiple users on a single device can open up the potential for vulnerability exposure, depending on what sites were visited or programs were downloaded. Many may have not been vigilant when updating the latest application or operating system updates, and these devices may be returning to the company network with significantly varied levels of inherent security risk.

Even out the playing field of protection by restricting devices to a specific local area network (LAN) or guest Wi-Fi network where they can be safely updated away from everyone else when devices are all joining the larger corporate network. Think of it like a vaccine rollout, but for your work computers.

Conduct an audit of the software your employees have been using

Employees have had to do what they can to get by, right down to the kind of software or tools they’ve installed themselves on their work devices to make their jobs easier in a time of crisis. However, company-owned devices coming back onto the corporate network loaded up with applications that had not been sanctioned by IT can open the door for security risk.

Rolling out an IT audit program as employees return to the office can help determine what tools employees used or downloaded on their own. This not only helps give IT better visibility into where to protect and control sensitive data on company devices, but also doubles as a useful learning opportunity for identifying gaps in your remote work strategy. You might discover the need for more efficient collaboration, instant messaging or file sharing tools.

Weed out personal cloud services and removable media

Remote workers who have gone the past year without corporate VPN access may have had to get by with personal clouds or removable media, like USB storage, for sharing company files. But as these devices become reintegrated into the corporate network, those practices need to be weeded out ASAP. Files shared over personal cloud services or removable media storage are difficult to encrypt, do not lend themselves to overall IT visibility, and, frankly, are just too easy to lose.

As part of the reintegration effort, companies need to make a concerted effort to raise awareness among employees about the organisation’s officially sanctioned tools and cloud services – e.g., corporate cloud logins and services that the company has accounts with. IT teams need to help migrate data and files from personal storage to corporate-owned storage and ensure along the way that employees have all the right access privileges to those services.

The process of returning employee devices to corporate networks create an opportunity for businesses and IT team leaders to roll out new policies that not just do a better job of securing and modernising employee devices, but make bigger changes to remote working strategies that can facilitate even greater levels of security and access. “Back to normal” doesn’t have to mean “business as usual”. This is a golden opportunity for organisations to reinforce their cybersecurity posture.

Chester Wisniewski is Principal Research Scientist at Sophos.

Copyright © BIT (Business IT). All rights reserved.
Tags:

Most Read Articles

Poll

What would you like to see more of on BiT?
News
Reviews
Features
How To's
Lollies
Photo Galleries
Videos
Opinion
View poll archive

Log In

Email:
Password:
  |  Forgot your password?