Post COVID-19 Pandemic – Reviewing your Network Security
The speed at which the COVID-19 pandemic has developed has meant that companies may have been forced to circumvent some of their security arrangements to provide capabilities for remote working. Companies have been scrambling to set up impromptu remote working facilities, sometimes using insecure online services. IT departments will no doubt have been punching holes in their firewalls to enable temporary remote access to corporate systems, and an army of virus-ridden home PCs will suddenly have gained access to sensitive company data. The long-term implications of these actions have yet to unfold, but with the constant upward trend in cyber attacks it is not difficult to understand why businesses view cyber crime as one of the top risks they face. Particularly as breaches of GDPR regulations are attracting large penalties, the consequences could be extremely severe.
How to operate during a pandemic!
I imagine many CEOs will be scouring their business continuity plans (BCP) looking for the section that covers “how to operate during a pandemic”. Undoubtedly, when the dust settles, companies will want to re-evaluate their BCPs and implement changes to mitigate any future similar events. They will also hopefully be considering the positives that have materialised from these enforced new working arrangements. As an example, my local village stores did not take card payments before the pandemic; however, within a few days almost all had set up online stores providing home delivery services. This crisis has forced companies to rethink the way that they operate. Change can be a very good thing.
In my 30 or so years dealing with network security, I have witnessed a lot of change. I came from an era before the internet, where keeping data secret meant locking it in a steel box and placing it in a locked room. From a modern day network security standpoint, many of the old disciplines remain largely the same.
Three key questions to consider are:
what data are you storing,
why do you need it,
and how sensitive is it?
Do you really need ten years of past quotes? If the answer is no or even maybe, dispose of it properly. To establish how sensitive your data is, consider what the impact would be to your organisation, your customers and suppliers if it was printed on the front page of a national newspaper.
Notwithstanding GDPR regulations, you have a duty to protect the information you have been entrusted with, so it is important that you consider carefully what the implications would be. Again, if you do not really need it, dispose of it properly.
Need to know
The old security saying “Need to know” comes next. Who needs access to what information? You should also ask yourself the “why” question, particularly if the data is sensitive. John may need access to the CRM system, but only to get customer address details so that he knows where to send the goods. Could his access be restricted, or a separate process be engineered to provide him with this information without him requiring access to the entire database? By considering these questions you should now have a good understanding of what data you have, why you need it, who needs to access it and what data you need to protect.
Current data security methodology adopts a layered approach where security progressively gets stronger as you progress through each layer to the most sensitive data. By adopting this method, you enhance your ability to control access to the data and reduce the potential of data being compromised through a single point of failure.
For example, a single bad firewall statement could expose your entire network to a world of internet hackers. A layered approach reduces the potential of this happening. The layers may be in the form of physically separate LANs interconnected by firewalls or virtual layers with software access controls, but they are distinctly different in terms of security and accessibility.
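The single-bad-rule argument above can be checked mechanically. The following is an added example, not part of the original article: the zone names, firewall policies and the "permit any any" mistake are constructed for illustration, and the model covers direct packet paths only, where a packet reaches a zone only if every firewall on the way permits it.

```python
# Added example: constructed zones and rules, not taken from the article.
ANY = "any"

def permits(rules, src, dst):
    """True if any (src, dst) rule on this firewall allows the traffic."""
    return any(s in (ANY, src) and d in (ANY, dst) for s, d in rules)

def exposed_to_internet(zones, policies):
    """zones is an ordered chain with zones[0] the internet; policies[i] is
    the rule list of the firewall between zones[i] and zones[i+1].
    A zone is exposed only if every firewall on the path permits the packet."""
    exposed = []
    for k in range(1, len(zones)):
        if all(permits(policies[i], zones[0], zones[k]) for i in range(k)):
            exposed.append(zones[k])
    return exposed

def worst_single_mistake(zones, policies):
    """Add one 'permit any any' to each firewall in turn and return the
    largest set of zones that any single mistake exposes."""
    worst = []
    for i in range(len(policies)):
        trial = [list(p) for p in policies]
        trial[i].append((ANY, ANY))
        result = exposed_to_internet(zones, trial)
        if len(result) > len(worst):
            worst = result
    return worst

# Flat design: one firewall in front of a single LAN holding everything.
FLAT_ZONES = ["internet", "lan"]
FLAT_POLICIES = [[]]  # no inbound access intended

# Layered design: three firewalls, most sensitive data innermost.
LAYERED_ZONES = ["internet", "dmz", "internal", "sensitive"]
LAYERED_POLICIES = [
    [("internet", "dmz")],        # perimeter: public services only
    [("dmz", "internal")],        # inner: DMZ hosts to internal applications
    [("internal", "sensitive")],  # core: internal users to sensitive data
]

if __name__ == "__main__":
    print("flat, one bad rule:   ", worst_single_mistake(FLAT_ZONES, FLAT_POLICIES))
    print("layered, one bad rule:", worst_single_mistake(LAYERED_ZONES, LAYERED_POLICIES))
```

In the flat design one mistaken rule exposes the LAN and everything on it; in the layered design the same mistake on any one firewall exposes nothing beyond the DMZ that was already public.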
Congratulations you have won £50
Another consideration is that your network is only as strong as its weakest link. If you were walking down a street and someone said “congratulations you have won £50, all you have to do is attend this presentation” etc., you would probably run a mile, as usually nobody gives anything away for free without a catch. Yet I have witnessed countless networks that have free software performing key elements of their security. Security software needs to be the latest version, up to date and well supported. Good security costs money.
With minimalised data, a layered network in place, and up-to-date, well-maintained software, combined with an in-depth understanding of who needs access to what and why, you can now turn your attention to the “how” part.
How will your staff access this data?
Again, through a layered security approach you can provision multi-layered secure access. General low-level data could be accessed via a simple secure VPN. More sensitive data should only be accessed via more stringent means, with multifactor authentication and a locked-down Terminal Services emulator such as Citrix or Remote Desktop that prevents remote users from downloading data to their home workstations. The level and complexity of security employed will largely depend upon the sensitivity of the data that you are protecting. However, you should always aim for the best security that can achieve a workable solution, as opposed to employing the minimum acceptable security. The cost difference is often negligible.
Internet is not your friend
When it comes to security, there is a plethora of private network solutions that offer versatile remote working access without exposing you to internet hazards. Adopting this approach can remove much of the complexity of implementing security. Whilst these platforms offer a higher degree of security, you should not be complacent when it comes to protecting your data and should continue to encrypt all transactions and verify user credentials to prevent unauthorised access.
Clearly remote workers should not be using their own IT equipment and should be furnished with a company IT environment that operates separately from any home or remote infrastructure. Tools such as Cisco AnyConnect provide a secure mobile access capability for mobile workers. The use of Dynamic Multipoint Virtual Private Networking (DMVPN) can provide a mechanism to set up remote access for personnel operating on basic broadband services. For organisations that have multiple remote workers, a Mobile Device Management platform would enhance the security and capabilities of mobile devices.
If you would like an informal discussion on the above or any aspect of Network Security, please contact Apella Solutions.
About the author
Paul Brown has worked for over 30 years designing and implementing secure IT networks for both commercial and Government customers.