Center for Internet Security Control 3: Continuous Vulnerability Management
Connecting to arbitrary and potentially unsecured networks (Wi-Fi or wired) instead of the corporate network/VPN may mean that devices are not receiving prompts to patch and remediate vulnerabilities on their machines. If left unresolved, these infected machines may infect other connected devices once they are finally connected to the corporate network as staff return to the office. There are many industry-recognised automated scanning tools (e.g. Qualys and CrowdStrike) which automatically scan for and correct vulnerabilities. Using these may not only fix these vulnerabilities, but also free up some capacity within the IT team to focus on other return-to-work initiatives.
Center for Internet Security Control 6: Account Monitoring and Control
One of the harshest effects of COVID-19 has been the number of suspensions and terminations of employment across all organisations. These include permanent staff as well as contractors. As businesses prepare to meet in person again and resume work physically, it is an even more fitting time to ensure staff and contractor accounts are valid according to employment contracts, and that the access provisioned is restricted to no more than their delegation requires. Performing ad-hoc user access reviews as part of return-to-office activities is a great way to identify inactive accounts and clean up access where needed. If time is scarce, prioritise high-risk applications and accounts first, and schedule reviews for the remaining catalogue of applications. Make sure there is coverage of physical access as well, to account for those who no longer require building access and for newer team members who do.
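The review described above, as an added example that is not part of the original article: it reconciles a constructed HR export against a constructed application account export, flagging accounts whose owner is terminated, suspended, past their contract end date, or missing from HR, plus accounts inactive beyond a threshold, and lists findings for high-risk applications first. The data, application names and the 90-day inactivity threshold are assumptions for illustration.

```python
from datetime import date

# Constructed sample HR export (not from the article): employment status per user.
HR_RECORDS = {
    "alice": {"status": "active", "type": "employee", "contract_end": None},
    "bob": {"status": "terminated", "type": "employee", "contract_end": None},
    "carol": {"status": "active", "type": "contractor", "contract_end": date(2021, 3, 31)},
    "dave": {"status": "suspended", "type": "employee", "contract_end": None},
}

# Constructed sample account export from the application estate.
ACCOUNTS = [
    {"user": "alice", "app": "payroll", "role": "admin", "last_login": date(2021, 6, 1)},
    {"user": "bob", "app": "payroll", "role": "user", "last_login": date(2021, 2, 10)},
    {"user": "carol", "app": "wiki", "role": "user", "last_login": date(2021, 5, 20)},
    {"user": "dave", "app": "crm", "role": "user", "last_login": date(2021, 5, 28)},
    {"user": "erin", "app": "crm", "role": "admin", "last_login": date(2020, 11, 1)},
    {"user": "alice", "app": "wiki", "role": "user", "last_login": date(2021, 1, 5)},
]

# Assumed classification of which applications are high risk (review these first).
HIGH_RISK_APPS = {"payroll", "crm"}


def review_accounts(accounts, hr, today, inactive_days=90):
    """Return a list of findings, ordered high-risk applications first, then app, then user."""
    findings = []
    for acct in accounts:
        reasons = []
        rec = hr.get(acct["user"])
        if rec is None:
            reasons.append("no HR record")          # orphaned or unknown account
        else:
            if rec["status"] != "active":
                reasons.append(f"HR status {rec['status']}")
            end = rec["contract_end"]
            if end is not None and end < today:   # contractor whose engagement has ended
                reasons.append(f"contract ended {end}")
        if (today - acct["last_login"]).days > inactive_days:
            reasons.append(f"inactive >{inactive_days} days")
        if reasons:
            findings.append({"user": acct["user"], "app": acct["app"], "role": acct["role"],
                             "high_risk": acct["app"] in HIGH_RISK_APPS, "reasons": reasons})
    findings.sort(key=lambda f: (not f["high_risk"], f["app"], f["user"]))
    return findings


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, HR_RECORDS, date(2021, 6, 7)):
        print(f"{'HIGH' if f['high_risk'] else 'low '} {f['app']:8} {f['user']:6} {f['role']:6} {', '.join(f['reasons'])}")
```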
Center for Internet Security Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Amidst the rush of deploying work-from-home (WFH) capabilities, it is likely that some IT organisations have prioritised procuring devices based on ease of deployment rather than security. This shortcutting can translate into insecure configuration: open services and ports, default accounts and passwords, older unpatched protocols, and failure to clean up default and insecure pre-installed applications. It is better late than never to stocktake and locate newly procured devices and peripherals and remedy these shortcuts.
Center for Internet Security Control 17: Implement a Security Awareness and Training Program
Without in-person oversight and enforcement, potentially high-risk or lax behaviours around security and the use of IT assets may have developed among remote workers. As offices reopen, it is a great time to deploy security awareness training to standardise and re-educate employees on end-user security and good behaviours. Some ideas for training modules include a refresher on the Acceptable Use of IT policy, awareness of why certain programs and websites are banned, and internet safety.