Four tips for keeping security worries away this summer

As the summer weather heats up, so does the desire to cut out of the office early and finish the workday from the park, a local pub patio or maybe the family cottage.

Now is the time where many of us take advantage of the ability to work remotely – using portable devices and free Wi-Fi or mobile hotspots to stay connected. While many managers are fairly flexible on this type of ‘perk’ if the position allows, IT security experts understand that is comes with some risk. To offset this, steps should be taken to ensure data and access is secure while at work, home or on the go. 

Consider working remotely. Where do you start? The first thing you’re going to do is to sign into email or your white-listed business application of choice to access the files you need to do your job. Doing so in the office versus doing so on a busy summer patio poses different threats. Still, there are a couple of steps organizations can take to keep remote employees happy, while maintaining security. Here are four main ones to consider:

1. “Just enough” access

Whether it’s the summer vacation season or the middle of winter, this tip still applies. Limit the access entitlements that employees have to only what they need to do their jobs and nothing more. This sounds straightforward and simple, but it’s often a surprise at how much access employees can accumulate.

Often referred to as ‘access creep,’ the term refers to the additional access employees have received over time that was never turned off. This could be due to a previous role in another department or a special project the employee worked on. The idea here is that if employees only have the bare minimum of access and nothing more—should something happen and an employee’s access is compromised somehow—the risk to the company is lower than it would have been otherwise.

2. “Only when needed” access

There’s going to be roles that require elevated access to important data, as it’s the nature of business. But there are things organizations can do to limit that access with by putting extra protections in place so that the access is only granted when necessary.

A single sign-on solution is great for enabling employees to be able to access various applications from one simple location, but implementing a risk-based authentication that requires additional authentication if certain parameters are detected will help ensure additional safety measures are in place. For example, when the employee is detected in the office, they can click in without issue. When they are trying to access that application from elsewhere on their personal network though, additional authentication will be required to make certain they truly are who they say they are.

3. “Sorry, not now” access denial

In the same vain as the ‘only when needed’ access scenario, there may be situations or applications that organizations are going to decide they do not want to allow any access to outside of their strict controls. Through the use of an advanced authentication tool with Geo-Fencing included, organizations can configure a policy to limit access to only those users in the allowed location.

4. “I forgot my password” access

There’s nothing more frustrating than trying to get something done so you can sign off for the day and getting hit with password request. For example, consider trying to access a previous application you were working in to upload work (i.e. Box, Dropbox), and you are asked to enter a password you don’t remember.

In the case of remote working, due to some of the tips I described above, it’s not uncommon to be asked for that password once you’re out of your network. However, unless you’re used to working remotely and can recall it on the fly, it can be a real inhibitor of getting work done when you’re not at the office. This is where a self-service password reset tool is not only a godsend for the end user, but it also alleviates calls to the help desk and can increase security. The reason for this is that customized—or pre-written—challenge questions are more secure than verifying a user’s identity on the phone before resetting a password or unlocking an account.

We should all be allowed to enjoy some fun in the sun this vacation season. By incorporating some—or all—of these strategies, organizations can better prepare themselves for the inevitable summer ‘WFH’ requests and allow their employees to do just that. In doing so, companies will achieve a more secure environment for their employees who plan on sneaking in some much-needed family time.

It world Canada

UK minimum cyber security standard should be followed in Canada, says expert

There’s no shortage of advice to infosec leaders about what they ought to be doing to tighten the IT security of their organization, starting with the Center for Internet Security’s critical security controls . But what if the board and C-suite wants to tell departments what they must do?

The recently-issued minimum cyber security standard for U.K. government departments is a good place to start. In seven pages the government sets out what it expects departments to adhere to — and exceed wherever possible.

This concise document goes along with the more detailed best practices security policy framework for protecting government assets, first published in 2014, to comply with the U.K. national cyber security strategy.

Those two documents can be granular, and in some ways ‘here’s how you do it’. The minimum cyber security standard is ‘here’s what you better be doing.’

So, for example, one of the first standards is “Departments shall identify and manage the significant risks to sensitive information and key operational services.”

Here’s another notable must: “Access shall be removed when individuals leave their role or the organization. Periodic reviews should also take place to ensure appropriate access is maintained.”

And another: “Multi-factor authentication shall be used where technically possible, such as where administrative consoles provide access to manage cloud based infrastructure, platforms or services. Multi-factor authentication shall be used for access to enterprise level social media accounts.”

Four sections

The standard is broken down into four sections infosec pros will recognize for creating a strategy: Identify, Protect, Detect and Respond. Within each department heads are mandated to take certain action. This means if there is a failure the government can ask, ‘Why wasn’t this done?”

“This is a  useful starting point for Canadian authorities,” said David Swan, the Alberta-based director of cyber intelligence at the Centre for Strategic Cyberspace + Security Science, an international consultancy. “All levels of government can use it. The requirements of the standard can be integrated into any regulatory framework. The standard can be expanded or included in other guidance. In the corporate environment, this level of knowledge should be required by boards of directors, CEOs, CSOs and CISOs. Organizations that don’t require this level of knowledge are essentially ‘co-operative victims’, unaware of their risk, cyber threat and consequences.”

The standard does allow some implementation flexibility. So the definition of ‘sensitive’, ‘essential’, ‘important’ and ‘appropriate’ are left open. “However , the document adds, “departments are accountable for the effectiveness of these decisions.”

U.K. departments “shall understand and manage security issues that arise because of dependencies on external suppliers or through their supply chain,” the standard says. That includes ensuring that the standards are met by the suppliers of third party services, such as hardware, software, consulting or cloud providers  However, those third parties could meet compliance in one of several ways. One is if the supplier holds a valid Cyber Essentials2 certificate as a minimum.

The U.K. Cyber Essentials program has accredited bodies issue certificates to private sector companies attesting they have met certain minimum security standards. Last month, when it released the latest Canadian cyber security standard Ottawa said it is looking to set up a similar program here.

Related Articles

Ottawa vows to make Canada a global leader in cyber security

Ottawa has released its long-awaited update to its national cyber security strategy, promising to better protect Canadians from cyber crime,...

June 12th, 2018 Howard Solomon @howarditwc

However, the Canadian program may take some time. The government said it will first consult with the private sector and potential certification bodies.  At this point it isn’t known who those certification firms could be. In the U.K. they include many IT security consulting companies, who have expertise in the area. The department of Innovation, Science and Economic Development (ISED) will be responsible for approving the Canadian program. The Communications Security Establishment (CSE), which oversees security for federal systems, will define a basic set of measures SMEs would have to follow. And the Standards Council of Canada will approve certification bodies to assure evaluate SMEs have met the standard.

Note where the U.K. mimimum standard starts: “There shall be clear lines of responsibility and accountability to named individuals for the security of
sensitive information and key operational services.”