The Financial Services Information Sharing and Analysis Center, (FS-ISAC), a non-profit industry consortium focused on reducing cyber-risk in the global financial system, has issued a set of technology and security tips for teleworkers, work from home (WFO) staffers and businesses trying to successfully navigate the coronavirus (Covid-19) pandemic.
The suggestions spring from a webinar the association recently conducted for thousands of its members entitled Work From Home Security Tips, which homed in on "this new way of doing business,” the FS-ISAC said. Some 7,000 firms with users in more than 70 countries belong to the organization.
Of particular note, the FS-ISAC suggests businesses alert their MSPs and MSSPs of the shift in operating models so they can tune and tailor their notifications and adjust their monitoring activities. Here are 14 more recommendations, as segmented by technology and security, to help businesses traverse the hopefully temporary Covid-19 crisis.
On technology.
- Embed technology and security representatives in the various planning groups to ensure proper consideration of the technical aspects of a wide scale work from home (WFH) scenario and the security considerations that come along with working from home.
- Over-communicate with personnel. Make sure how-to documents and FAQs about WFH are readily available. Widely re-share IT, security, and HR contacts.
- Remind personnel of the technology and services that are allowed.
- Monitor performance, consumption and load for both internal technologies, such as VPN, and critical business tools, such as collaboration and communication platforms.
- Reiterate how to share documents and collaborate on information while working remotely.
- Explicitly block unsanctioned services. Consider what services you can exclude from your VPN tunnel to reduce the impact on your network while meeting your security requirements.
On security.
- With a distributed workforce, ensure that security tooling is going to work off the network and there is a requirement or security control in place to monitor all web traffic.
- Define the options for staff around the world to access your environment. Be sure to set proper user-level and admin-level accesses. Connectivity options include corporate devices with VPN, VDI, cloud workspaces, bastion hosts, and potentially personal devices with your corporate VPN and robust host checking.
- When evaluating policy security, privacy, risk and compliance exception requests, Ask: does this align with our risk appetite?
- Make sure the governance around the exception management process and decision criteria is well laid out and good tracking mechanisms are in place so you can revert back to business-as-usual operations at a future point.
- Monitor for unsanctioned data access and movement. Adapt your data loss prevention and user behavior monitoring rules to account for remote workers which may include but not be limited to concerns around printing at home, email forwarding, external storage drives, and alternate work schedules.
- Double down efforts on security patching and updates to remote access management solutions.
- Ensure security controls such as web filtering support a remote workforce.
- Review and update auto-routing of phones for call centers, help desks, operation centers.
“Many organizations are now a few weeks or even months into a wholesale shift in their business operations to a virtual model,” FS-ISAC said. “Doing this successfully requires new technology and security considerations to be embedded into operations. We believe many organizations will find value in this guidance.”