Written by Cyber Pop-up on behalf of Veriato
"Times they are a-changin" was a song performed by Bob Dylan many decades ago, but the words ring true now more than ever. The Covid-19 pandemic has had serious repercussions on the healthcare ecosystem and has shaken up the global economy. The pandemic has also forced millions to work remotely from their homes. According to analyst firm Gartner Inc., amid Covid-19, 88% of enterprises shifted to remote working for their employees. And, this Work From Home (WFH) isn't going away in the foreseeable future. With companies such as Deutsche Bank now offering long-term WFH to all employees until July 2021.
These WFH employees use remote access to transact, share, and collaborate on, often highly sensitive, data. An interview in May 2020 with a UK bank shows the volumes of remote access. During a single week, the bank handled over 52,000 remote access attempts to banking systems.
Remote access security concerns compounds as many workers use personal devices outside of the enterprise's protective remit. The end result is an intricate mesh of complex technologies and human touchpoints.
Add regulations to the mix, and you can visualize the storm coming. Compliance becomes much more difficult when remote working is added to the modern enterprise's mix of cloud services and a myriad of endpoints.
A new approach is needed to ensure that remote working does not become a 'remote' compliance gap.
The remote work security gap
The remote working gap exposes new vulnerabilities and new threat vectors to exploit an organization and misuse its data. Data risk levels increase with remote access, and in doing so, adherence to regulations is adversely affected. The evidence that these gaps impact security posture is demonstrated in some recent cybersecurity research:
People use their own (often insecure) devices: 56% of employees use personal computers when working remotely, and 25% of them don't know what security is in place on those devices. Remote workers may very well be sharing those devices with their kids, family members, or even housemates, putting sensitive data at risk and threatening compliance.
Data exposure is up: RiskBased Security keeps a record of data exposure across the globe. In the first half of 2020, 27 billion data records were exposed – this is more than double the numbers in the whole of 2019.
Phishing increased in 2020: Phishing is still the favorite game plan for many cybercriminals. Companies are being targeted, on average, by 1,185 attacks per month.
Insider threats are now a serious concern: A survey from the Wall Street Journal (WSJ) found that 70% of companies say they worry about malicious employees.
Cybercriminals are opportunists: As remote working increases, cybersecurity attacks follow this trend. But this isn't just a cybercrime issue. Remote working also means that accidents happen. If employees use insecure devices, they are more likely to have an accidental insider event.
The remote working gap presents challenges in meeting the myriad regulations on data security and privacy. The remote work environment, insecure personal devices, and remote access volumes all add to a compliance headache. While regulations are always playing catchup, an organization needs to take ownership of the security issues now.
Remote security gaps introduce compliance issues
As the digital enterprise became a reality, attacks against data soared significantly. Each year, the numbers of cyber-attacks, data breaches, and the various cyber threat vectors are continuously on the rise. The result has been a slew of data protection regulations. These regulations, which focus on the protection and sometimes the privacy of data, can be at the level of the industry, state, country, or even have wider cross-jurisdiction reach. This latter scope is a reflection of the global nature of work. Today, companies, employees, customers, partners, and vendors work together across countries and continents.
Regulation examples give a flavor of the areas covered, potential overlap, and divergence in requirements.
Payment Card Industry Data Security Standard (PCI-DSS) applies to organizations that handle financial transactions. These organizations include merchants, financial institutions, payment processors, etc. PCI_DSS is based on six security best practices covering secure networks, robust access control, monitoring, and security policies.
FedRAMP (Federal government)
The Federal Risk and Authorization Management Program (FedRAMP) offers a government-focused framework for multi-agency cloud security. FedRAMP provides a standardized process for security assessment, authorization, and continuous monitoring of cloud products and services.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a series of regulations to provide Protected Health Information (PHI) privacy and security. Specifically, the 'Security Rule' and 'Privacy Rule' requirements are used to protect the confidentiality and security of individuals' health information. The regulation is designed to allow covered entities to adopt new technologies to improve the quality and efficiency of patient care.
GDPR (EU and general)
The General Data Protection Regulation (GDPR) is perhaps the most well-known of data protection regulations. At just over 2-years old, this sweeping law affects any organization that handles and processes an EU citizen's personal data, no matter where the business is based. There are eight data subject rights, including the "Right to be forgotten." The remote era is an excellent example of how this right can become extremely difficult to achieve. If 1000 employees have downloaded data lists to a local device, making sure that the data has been deleted across every endpoint is much more challenging to achieve, and importantly, to prove.
IP protection policies (Internal compliance)
Regulators may not police internal policies, but non-compliance to those policies can have serious consequences. An example is in the internal regulation of third parties and partners. Consider the case of two banks, Bank-A and Bank-B. The two banks have made an internal agreement to allow the sharing of sensitive data. The agreement states it will be held on corporate devices and erased after completion of a project. Remote working makes the management and audit of this agreement complicated across all applicable remote and often personal devices.
5-Best practices for managing compliance to improve security in the remote work era
The remote era of work forces organizations to raise the regulatory bar to meet the compliance gap and secure remote devices. To achieve this, a pragmatic approach that incorporates 5-key best practices provides the way forward:
Practice 1: Basic security hygiene
Security awareness is long known to be a must-have across an organization. Security training is commonly limited to employees. However, security awareness and training must be extended to third-party workers who access confidential data. Partners, business associates, consultants, and freelancers should all be incorporated into company-wide security hygiene training and policies. Being aware of basic security hygiene includes understanding the principles of robust password management, not sharing passwords, keeping company secrets as secret, and having an uncluttered desk within the home office, which is as essential as having it in the office.
Security hygiene training should be extended to include phishing simulation. During Covid-19, scammers have targeted home workers with sophisticated phishing campaigns. Phishers have taken advantage of the less secure conditions of home working. Ransomware is an example of a risk that significantly increased during the pandemic, where phishing tactics were used as the basis of an attack.
Healthcare institutions and business associates were targets of ransomware-attacks during the height of the pandemic as fraudsters saw that these organizations were under extreme pressure. In June 2020, the University of California at San Francisco became a ransomware victim during research into a COVID-19 vaccine. The university hired a professional negotiator but still ended up paying a 14 million ransom for the decryption key.
Practice 2: Compliance impact assessment
Impact assessments take several forms depending on the regulation. Typically, an impact assessment helps to detect areas in a system or process that puts data at risk of exposure or misuse. The assessment must take into account the severity of the risk as well as the likelihood it could occur. For example, the GDPR suggests a Data Protection Impact Assessment (DPIA) be carried out when data risks are high. The EU "Working Group 29" (WG29) industry body says that a DPIA is a
"… process for building and demonstrating compliance."
Risk assessments cover all aspects of data risk and can be mapped to the compliance requirements of a given regulation.
Practice 3: Zero Trust Architectures
Implementing a Zero Trust security approach places data as the central pivot to focus on security attention. The basis of a Zero Trust Architecture (ZTA) is to protect data by implementing data-centric security systems. Ultimately, Zero Trust is based on the concept of "Never Trust, Always Verify." This concept can be achieved in practice by applying continuous monitoring across the entire expanded IT system.
ZTA is particularly powerful in a remote work environment, where it can be used to determine risk at the points of access and use of resources. A new advisory from NIST explores the principles of a Zero Trust Architecture (ZTA). A NIST special publication, 800-207, states:
"When balanced with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and best practices, a ZTA can protect against common threats and improve an organization's security posture by using a managed risk approach."
UEBA (User and Entity Behavior Analytics) provides continuous monitoring within a Zero Trust Architecture. UEBA uses network events to spot anomalous behaviors. Using intelligent technologies, such as machine learning (ML), UEBA can recognize patterns of behavior as humans, devices, and networks interact. Any anomalies outside of a baseline are seen as a possible threat, and alerts and automated actions can be taken to reduce risk.
Practice 4: Security policies
Security policies must be extended to include security issues that are particularly applicable to remote work environments. A set of best practices designed around remote working accounts for the challenges associated with personal devices and shared computers. These include endpoint security policies, protection methods, etc. Other areas to include are the use of insecure Wi-Fi networks and insecure printing. Security policies must always map to compliance requirements.
It is worth noting that a security policy is of no use as a standalone document. The policy's tenets must be communicated with and be accessible to remote workers. Your remote staff needs to be aware of and understand the application and implementation of these policies. A general security awareness training for the remote workforce can help achieve the purpose.
Practice 5: Visibility and monitoring
Remote workers can be more challenging when attempting to adhere to regulatory requirements. For example, in the financial sector, a recent dictate on remote worker monitoring was issued by the Financial Conduct Authority (FCA). The FCA regulates the financial industry, and one of the remits is to prevent insider-trading abuses.
At a recent event, Julie Hoggett from the FCA said that financial firms need to recognize a need for "effective surveillance at all times"… "It is essential in changing times that firms identify the risks associated with the new environment in which we are all operating."
Remote employee visibility is an issue in any industry that deals with data and needs to meet regulatory controls. But employee monitoring can be seen as intrusive and complicated in remote settings. Tools designed for unobtrusive employee monitoring and compliance when deployed and managed centrally, either from the cloud or on-premise, can help alleviate these problems.
Despite the security and regulatory challenges, a BCG study found that 75% of executives believe that digital transformation is needed now more than ever. Digital tools gave us a way to weather the Covid-19 storm, and as such, 65% of organizations expect to increase investments in digital transformation. However, the remote era is adding a layer of complexity in meeting regulations. With the right policies and tools, organizations can achieve the security needed to maintain regulatory compliance, even during this era of remote work.
Data protection regulations can seem onerous, especially with disparate workers and third-parties to manage. However, compliance promotes security in the distributed workspaces. An organization needs to address the security gaps exposed by remote work to meet compliance, and in doing so, it benefits your company, customers, and remote workers.