Over the last year, security and compliance professionals have been removed from their familiar environment, joining millions of others in the new normal of remote work. It was a jarring transition for people usually tasked with office and data center-based security and regulatory compliance. As leaders, it’s our responsibility to inspire our teams and help them to stay productive while empowering our businesses to adapt as customer needs and markets evolve.
Fortunately, there are many security and compliance-related assignments suited to remote work. This article will look at six essential tasks to help your teams remain productive during mandatory remote work.
Assessing Remote Access Security
Last year, businesses across the country were forced to implement remote access systems at short notice. Companies, including those with little experience of remote access technologies and BYOD security, had to rapidly roll out remote access to their secure internal networks so that employees could connect from insecure external locations with devices the business often had little control over.
Improperly implemented remote access exposes businesses to security risks that include network penetration, malware, and data leaks. Given the accelerated timeframes, organizations may not have followed best practices or implemented controls sufficient to mitigate risk.
Security and compliance professionals are working remotely too, but that doesn’t stop them from assessing remote access systems, implementing robust processes, and enforcing security policies. It’s unlikely that work patterns will return to their pre-2020 norms any time soon, so remote access security should be a core priority for all security professionals.
Testing Business Continuity
Over the last few months, many organizations have seen business continuity plans put to the test, revealing potential weaknesses and opportunities for improvement. Most organizations experienced changes in equipment, personnel, management, and processes over the last year. Existing business continuity plans are likely in need of revision to better account for current circumstances and risks.
Mandatory remote work time presents an opportunity to review business continuity plans, conduct formal testing, and draft new documentation. Testing can be carried out remotely, both by security and compliance teams and by third-party auditors. Internal teams could be:
- Gathering information to complete business impact analysis questionnaires.
- Identifying and testing communication and operational systems that may be vulnerable to disruption.
- Creating business impact analysis matrices and testing business continuity plans against potentially disruptive scenarios.
Most importantly, remote security and compliance teams can develop and document detailed business continuity procedures they might not otherwise have time to work on.
Documenting Disaster Recovery
Clients expect businesses to recover quickly from disruptions and disasters while maintaining data and service integrity. Disaster recovery plans document critical recovery tasks and tell employees how they should respond when disaster strikes. During a disruption, it’s impossible to predict which team members will be available, and documentation gives the people on the ground the information they need to access redundant systems, data backups, and contact details.
Effective disaster recovery relies on accurate, current, and comprehensive documentation. Plans should be revised and updated as the business and its processes evolve, something that is often postponed in the face of matters considered more pressing. At the beginning of 2021, the new normal is firmly established, making this the perfect time to reassess disaster recovery plans and update DR documentation.
Penetration Testing
Penetration testing—also known as pen testing—is the ideal task to keep security professionals productive while they are working from home. Pen testing is typically carried out remotely, and it allows businesses to verify security measures, identify risks, and discover opportunities for improvement.
Priority systems for penetration testing are:
- Communications, including email and instant chat, which can be vulnerable to phishing and executive fraud attacks.
- Employee devices, including laptops and mobile devices.
- Cloud services, including data storage and SaaS apps.
- Internal networks and APIs.
- Infrastructure hosted on third-party platforms and in the cloud.
Pen testing is particularly important following changes to the way employees interact with business networks and data. Because many more employees work remotely, security and privacy measures designed for in-office workers may no longer be effective. Rapidly implemented measures to protect data and networks while employees work remotely should be tested to verify they’re fit for purpose.
Assessing Cloud Security
A 2020 survey by Sophos revealed that 70 percent of organizations hosting data and workloads in the cloud experienced a recent security incident. Over two-thirds create backdoors into cloud systems through accidental misconfiguration. Cloud computing and data storage services are convenient, cost-effective, and flexible, especially when employees work remotely, but they are a frequent source of data leaks and network intrusion.
Businesses often misunderstand who is responsible for cloud security. Does the cloud vendor secure your data and infrastructure, or is it up to you to ensure that the tools they provide are used and configured correctly? All of the dominant cloud vendors operate a shared security model; the vendor and the user are responsible for different aspects of cloud security, and users must understand their role.
Businesses relying on AWS, Microsoft Azure, Google Cloud, and other cloud platforms should be proactive in assessing and mitigating cloud security risks. If your business migrated to the cloud some time ago, now is an opportune time to go back and verify that cloud security best practices were followed, that databases and storage services are correctly configured, and that employees follow security best practices when they access data and deploy cloud infrastructure.
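The kind of configuration check described above can be scripted so it runs the same way every time a bucket is created or changed. The following is an added example, not code from the article or from KirkpatrickPrice: it evaluates a constructed, simplified representation of S3-style bucket settings (the four public access block flags plus the bucket's resource policy, as returned by the real GetPublicAccessBlock and GetBucketPolicy calls) and reports which buckets are exposed to all principals. The bucket names, account ID and role name are invented sample values; in practice the `SAMPLE_BUCKETS` dictionary would be replaced with data pulled from the account.

```python
"""Flag public-exposure misconfigurations in object-storage settings.

Added example: evaluates a constructed, simplified view of S3-style bucket
configuration offline. Nothing here talks to a real cloud account.
"""
import json

# Constructed sample (not real buckets). One bucket is deliberately
# misconfigured: public access block fully disabled and a policy that
# lets anyone read and list objects. The other follows best practice.
SAMPLE_BUCKETS = {
    "corp-web-assets-example": {
        "public_access_block": {
            "BlockPublicAcls": False,
            "IgnorePublicAcls": False,
            "BlockPublicPolicy": False,
            "RestrictPublicBuckets": False,
        },
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "AllowEveryoneRead",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": ["arn:aws:s3:::corp-web-assets-example",
                             "arn:aws:s3:::corp-web-assets-example/*"],
            }],
        }),
    },
    "corp-backups-example": {
        "public_access_block": {
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "BackupWriterOnly",
                "Effect": "Allow",
                # Hypothetical account ID and role name for illustration.
                "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::corp-backups-example/*",
            }],
        }),
    },
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal):
    """True if a statement's Principal matches anonymous users or any AWS account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_statements(policy_json):
    """Return Allow statements whose Principal is everyone, with or without a Condition."""
    policy = json.loads(policy_json) if policy_json else {"Statement": []}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and principal_is_public(s.get("Principal"))]


def disabled_pab_flags(pab):
    """List the public access block flags that are not switched on."""
    return [flag for flag in PAB_FLAGS if not pab.get(flag, False)]


def audit_bucket(name, cfg):
    """Return a list of human-readable findings for one bucket (empty list means OK)."""
    findings = []
    missing = disabled_pab_flags(cfg.get("public_access_block", {}))
    if missing:
        findings.append("public access block incomplete: "
                        + ", ".join(missing) + " not enabled")
    for stmt in public_statements(cfg.get("policy")):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        note = " (has Condition, review manually)" if stmt.get("Condition") else ""
        findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} grants "
                        f"{', '.join(actions)} to all principals{note}")
    return findings


def audit(buckets):
    """Audit every bucket; returns {bucket_name: [findings]}."""
    return {name: audit_bucket(name, cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_BUCKETS).items():
        print(f"{bucket}: {'EXPOSED' if findings else 'OK'}")
        for finding in findings:
            print("  -", finding)
```

The check is deliberately conservative: a wildcard principal is reported even when a Condition is present, because some conditions (for example, requiring TLS) do not restrict who can connect, and a human should decide whether the condition actually limits exposure. Run against real account data, the same functions give a repeatable answer to the question in the paragraph above: were the storage services configured the way the shared responsibility model expects the customer to configure them?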
Security Awareness Training
Human error is at the root of most security incidents, many of which could be avoided if employees and managers were trained to recognize and mitigate common security errors. To take just one example, phishing attacks are a vector in almost 80 percent of reported security incidents, and most malware is delivered via email.
Every employee has a role to play in keeping their business secure, but many lack the expertise, skills, and motivation to adhere to security best practices. Security awareness training aims to give employees the knowledge and tools they need to spot potential threats and react appropriately—something that’s even more important when working from home beyond the oversight of traditional security systems.
Security training can be carried out remotely, and periods of mandatory remote work present an excellent opportunity to examine training procedures, design and document new training processes, and carry out online security awareness training.
Mandatory remote work may remove security and compliance professionals from their familiar office and data center environments, but that doesn’t mean they can’t be productive. Their work is even more critical in a world where employees work from home and depend on secure remote access to sensitive systems.
Joseph Kirkpatrick is the President of Kirkpatrick Price. Kirkpatrick Price is a licensed CPA firm, PCI QSA, and HITRUST CSF Assessor, and most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, FISMA, and penetration testing.