Security teams are key workers and need support
In the last article I wrote for the Security Think Tank, I looked at the impact of a pandemic on the security posture of an organisation. But at the time of writing that article, the UK lockdown because of the Covid19 coronavirus pandemic was not in place and wouldn’t be for a few weeks.
We now have a situation where in many organisations, the majority of staff are working from home, raising the issue of remote access to a company’s core IT systems and services. But at the same time, the mental and emotional health of all staff also needs to be addressed and in that, there needs to be a realisation within organisations that their IT and IT security staff are on the front line, they are key workers and, as such, they will need access to necessary and appropriate resources.
Some principles for working remotely during Covid-19, as stolen from social media, are:
- You are not “working from home”, you are “at your home during a crisis, trying to work”.
- Your personal physical, mental and emotional health is far more important than anything else right now.
- You should not try to compensate for lost productivity by working longer hours.
- Be kind to yourself and not judge how you are coping based on how you see others coping.
- Be kind to others and not judge how they are coping based on how you are coping.
- Your team’s success will not be measured the same way it was when things were normal.
I realise that many in IT and security will question these principles, because they probably get hit by panics and ad-hoc extended working hours on a fairly frequent basis, but we are currently living in strange times and totally uncharted waters.
While some companies will have secure remote access facilities in place, those facilities are likely to require augmenting. Careful planning, implementation, testing and documentation of any new or augmented remote access facilities will be required. Maintaining security is a must and hastily implemented temporary solutions must be avoided because they have a habit of becoming the accepted way, often with attendant ongoing maintenance difficulties.
Want security staff at their best? Give them the best tech
Any solution will need to allow staff to access IT facilities appropriate to their function and role, but this must also be dependent on the type of device being used to access, for example company-supplied IT could be given greater access than staff-owned IT. Getting the remote access right will go a long way to maintaining a company’s security stance and, in turn, should reduce IT and security staff stress levels.
A company-supplied laptop or PC with a company locked-down configuration, power-on PIN code requirement, an encrypted hard drive and a certificate-based mutually authenticated virtual private network (VPN) with no split-tunnelling and augmented with multi-factor user network log-in would typically be given full access to all the systems necessary for the person’s role and function.
This should be typical kit for IT and IT security staff, but note here that any supplied laptops should be capable of driving two or more screens and those extra screens will need to be provided, too. It may be that for some IT staff, there would be a need for two or possibly more PCs, which necessitates the extension of the company LAN into the staff member’s home, although do bear in mind that, even then, a staff member might not have the necessary space available.
A suggested minimum-level company-supplied laptop for an end-user should be configured with a VPN, no split-tunnelling, no local administrator access and a terminal server client requiring user network log-in. User applications such as Microsoft Outlook or Office can then run on the terminal server, not the laptop.
The aim in providing these configurations to staff is to reduce the level of support necessary for the remote devices while allowing the best use of existing IT and network security features. Meanwhile, staff-owned devices should probably be limited to email-only access. This has been the subject of quite a few articles in recent times covering the pros, cons and increased risks of allowing staff-owned devices access to company IT.
Ensuring that IT and security staff have access to all the tools that monitor and allow work to be carried out on the IT and security infrastructure of a company’s IT infrastructure can help to reduce stress, so that staff are not fretting about how to monitor or fix a problem, given an absence of tools that would otherwise be available.
Some key tools might not lend themselves directly to remote access, however. For example, in many security operations centres (SOCs), there are large, wall-mounted monitors showing a real-time view of alerts. Although these alerts could be sent to remote PCs, staff may not have the space at home to accommodate two or more PCs or PCs with two or more large-screen monitors.
Also consider that staff members may well have children at home and that environment will not always be conducive to incident investigation. A potential solution here might be to introduce staff rotation, with one person in the IT operations centre each week with a videoconferencing link to remote workers.
Help security teams by helping your end-users
During the pandemic, there will inevitably be an increase in tech support calls to the helpdesk, which will add pressure to IT staff. Here, a wiki-type Q&A self-help website, independently set up in the cloud, separate from the company’s own IT infrastructure, could be one route to ease pressure.
IT and security staff can use an external company to populate and run the content management system behind the wiki and, as it would be independent of the company infrastructure, it could be accessed by a remote employee using their own devices without compromising the IT security.
The wiki should cover general remote working issues as well as company-specific issues, such as home Wi-Fi issues (placement, Wi-Fi repeaters, signal being knocked out when a microwave oven is operating) or broadband outages.
Obviously, there will need to be some form of security in the form of an ID and password to limit wiki access to company staff, and care must be taken when creating the Q&As so as not to give valuable information away. An enquiry form would be a useful additional function.
The above thoughts should help to keep stress levels for IT and IT security staff at an acceptable level while the new normal beds in. Once things have stabilised, thoughts could then turn to investigating and possible implementation of additional automation of infrastructure and security monitoring. The caution here is that there should not be a rush to implement automation – there needs to be proper and considered review of the various tools that will be offered by suppliers.
Keep safe, maintain social distancing and maintain that team spirit.