Dream Firms Talks 05/2023

05/23/2023

Topic: Basics / Baseline Security – Remote/Hybrid Work

Basic Security

  • 12-character minimum for all passwords
    • Anything 8 characters or fewer is vulnerable to immediate brute force attacks
    • Complexity – must include:
      • Upper case characters (ASDF…)
      • Lower case characters (asdf…)
      • Numbers (1234…)
      • Symbols (!#$%…)
    • Last changed – best practice is to change passwords at least twice a year
  • Businesses should use Premium Business versions of Anti-Malware software
    • Premium Version on every work system
    • BitDefender or Malwarebytes are both good options
    • Make sure it is updated regularly
  • Don’t use Gmail as your business email. Businesses should have their own domain
  • Employee training is a very important part of your Cyber Security plan – it should happen at least twice a year
  • Monitor your internal networks and systems for alerts and changes.
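As an added example (not from the talk or from Dream Firms), the password baseline above as a working check in Go: it reports which of the rules (12 characters, all four character classes) a candidate fails, and puts numbers on the "8 characters or fewer" warning by computing the brute-force keyspace for 8 versus 12 characters. The sample passwords and the 10 billion guesses per second rate are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"math/big"
	"unicode"
)

// MinLength is the talk's baseline: every password is at least 12 characters.
const MinLength = 12

// PrintableASCII is the alphabet size a brute-force attacker must cover when a
// password may contain upper case, lower case, digits and symbols.
const PrintableASCII = 94

// CheckPassword applies the baseline rules (length plus all four character
// classes) and returns one message per rule the candidate fails.
// An empty result means the password satisfies the policy.
func CheckPassword(pw string) []string {
	var failures []string
	runes := []rune(pw) // count characters, not bytes, so non-ASCII input is measured fairly
	if len(runes) < MinLength {
		failures = append(failures, fmt.Sprintf("too short: %d characters, minimum is %d", len(runes), MinLength))
	}
	var upper, lower, digit, symbol bool
	for _, r := range runes {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			symbol = true
		}
	}
	if !upper {
		failures = append(failures, "missing an upper case character")
	}
	if !lower {
		failures = append(failures, "missing a lower case character")
	}
	if !digit {
		failures = append(failures, "missing a number")
	}
	if !symbol {
		failures = append(failures, "missing a symbol")
	}
	return failures
}

// Keyspace returns how many candidates exhaust every password of exactly
// `length` characters drawn from an alphabet of `alphabet` characters.
// big.Int is used because 94^12 does not fit in a uint64.
func Keyspace(length, alphabet int) *big.Int {
	return new(big.Int).Exp(big.NewInt(int64(alphabet)), big.NewInt(int64(length)), nil)
}

// YearsToExhaust converts a keyspace into the years an attacker needs at a
// given guess rate. The rate is an illustrative assumption, not a figure
// from the talk.
func YearsToExhaust(space *big.Int, guessesPerSecond float64) float64 {
	f, _ := new(big.Float).SetInt(space).Float64()
	return f / guessesPerSecond / (365.25 * 24 * 3600)
}

func main() {
	// Constructed sample passwords; none are real credentials.
	for _, pw := range []string{"Password1", "correcthorsebattery", "Tr0ub4dor&3xample!"} {
		fmt.Printf("%-22q -> %v\n", pw, CheckPassword(pw))
	}
	const rate = 1e10 // constructed assumption: 10 billion guesses per second
	for _, n := range []int{8, 12} {
		space := Keyspace(n, PrintableASCII)
		f, _ := new(big.Float).SetInt(space).Float64()
		fmt.Printf("%2d chars over %d symbols: %.2e candidates, %.1f years at %.0e guesses/s\n",
			n, PrintableASCII, f, YearsToExhaust(space, rate), rate)
	}
}
```

The keyspace grows by a factor of 94 with every extra character, which is why the jump from 8 to 12 characters turns days of guessing into a figure measured in millions of years at the same rate; the check itself is what a helpdesk tool or onboarding script would run before accepting a new password.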

Baseline Security for Businesses with Remote/Hybrid Workers

  • Remote and Hybrid workers have become an increasingly common staffing structure that can be beneficial to both the worker and the business
    • An attractive benefit to workers
    • Makes businesses more competitive when searching for new talent
    • Increases the pool of available talent when looking for the best candidate for your team
    • Adds scheduling flexibility and adaptability that rigid in-office hours do not
    • Less corporate office space needed

Risks associated with Remote and Hybrid Work

  • Security is inherently more difficult to set up and maintain
    • Individual systems are outside your safe office
    • Connections to your data from outside your firewall
    • Necessary Cloud Services can be difficult to evaluate and configure securely
  • Standards may relax or blur between corporate and personal use
  • File Exchange/Collaboration is more complicated
    • No data should be stored on remote systems
    • Use a cloud or network server for data storage – backed up, one version, no data on the laptop to steal
  • BYOD – Bring Your Own Device 
    • Very difficult to secure a BYOD environment – no control, no visibility, not your hardware, not your support
    • Better approach – Supply all the devices employees need to do their job
    • Focus on how to secure corporate devices when employees take them home
  • Public use adds risk – working in airports/coffee shop/café/etc
    • Shoulder surfing is possible – block sightlines to your screen!
    • Hacking is easier – use a hotspot AND a VPN
    • Public WIFI = NO
    • Private conversations and meetings in public are PUBLIC conversations for all to hear
  • Remote support will be necessary
    • Your IT provider (in house or contracted) needs to be able to connect to remote users’ devices for:
      • System maintenance
      • Helpdesk Support
      • Application install
  • Home Network 
    • No control of other systems on the network
      • Free to browse ‘dangerous’ sites
      • May not be protected with current anti-malware
      • May be infected with malware that is watching the network traffic
    • No guarantee the router and firewall are set up properly and are secure
  • Physical Security – Cyber Security Audit
    • Can you prove your systems are physically secure?
    • Is PII stored on any remote device?
      • FL Law – Florida Information Protection Act – Security of confidential personal information
      • Proactive component (which specifies what organizations must do to protect all personally identifiable information they control)
      • Reactive component (which specifies what must be done after an organization experiences a successful breach)
      • Contains provisions that authorize Florida’s Legal Affairs Department to bring enforcement action against entities committing statutory violations
      • We can share a list of important laws if attendees email us and request it
    • According to a recent study – a laptop is stolen every 53 seconds in airports alone
    • Laptop should always be with you, never left unattended, even in a locked car

Hardware best practice

  • Should be company issued to maintain consistency and control
    • Laptop – should be of the same quality, type and configuration for consistency and supportability
    • Accessories – monitor, keyboard, webcam, docking station – should be of the same type, make and model for consistency and supportability
      • Laptop mics are terrible – provide a webcam with a mic that you have tested well

Software best practice

  • Should be preconfigured on the company-issued laptop, or web based, with logins tested and working
  • Paid (not free) Business (not home) versions of software only
  • All software that supports MFA should have it active for all employees
  • Update frequently with all patches and version updates
  • VPN – Virtual Private Network
    • Provides an encrypted, anonymous tunnel between your remote laptop and your company’s network
    • We use HMA – https://www.hidemyass.com/en-us/index
    • There are many options – you want military- or bank-grade encryption
      • AES-256 – Advanced Encryption Standard with a 256-bit key; uses 14 rounds of encryption
  • MFA – Multifactor Authentication
    • Additional layer of security adding two or more identity checking steps to user logins.
    • We use Duo – https://duo.com/product/multi-factor-authentication-mfa
  • Data Encryption – At Rest and In Transit
    • Especially important for PII!
    • 2BrightSparks has a Utility Package called OnClick Utilities
      • https://www.2brightsparks.com/onclick/index.html
      • Includes an easy to use and effective data encryption utility
    • HTTPS encrypts data in transit, but encrypting the file with an additional utility before sending it is better security
  • Password Manager – Current PW complexity requirements make memorizing them nearly impossible
    • Management should have access to all employee passwords for employee software and hardware
    • Can be Cloud-Based or Network Server based
    • We use IronVest – https://ironvest.com/app/
    • KeePass – used at a prior company – each login restricts which areas of the company’s passwords are available
      • Admin managed
  • Business Applications – Consistency is Key – same version for all employees
  • Anti-Malware – Provide the same brand and version for all employees
  • Browsers – This can be tricky. Some applications run better, or not at all, on certain browsers
    • Lock down an approved shortlist of accepted browsers 
    • Make sure they are updated regularly
    • Add-ins – anti-malware browser extensions (Malwarebytes, Bitdefender) for additional security, plus the password manager extension
    • Don’t Store Any Passwords In The Browser
  • Remote Access/Support – your IT/helpdesk support (in-house or contracted) should have this software so that they can connect to any of your remote systems – it should be pre-installed and tested before the device is issued
  • Monitoring – logs employee activity on the computer (ManicTime)
    • We use it for productivity and billing
    • Tracks Apps used and for how long
    • Tracks sites visited
    • Tracks documents worked on
    • Data collected is stored on system – or your network server 
    • Works offline 
    • Easy timesheets
    • Can do company wide reporting
    • https://www.manictime.com/
  • IDS/IPS – Intrusion Detection System / Intrusion Prevention System
    • Both analyze data traffic and compare to known threats
    • IDS – Monitoring device or service that detects intrusions – won’t take action on its own
    • IPS – Device or service that can take action to accept or reject data packets based on set rules – needs to be updated to recognize the latest threats

Policies

  • Remote Work Policy should clearly detail your expectations, including:
    • Work in Private – not public areas
    • Always use a VPN 
    • Always use a Hotspot instead of public WIFI
    • Company rules on double dipping
  • Computer Use Policy should clearly detail:
    • What is an acceptable use of company hardware and software
    • What is an unacceptable use of company hardware and software
    • Define acceptable web activity
    • Define acceptable social media activity
  • Cyber Security Policy
    • Who to contact to report an attempt or breach
    • No circumventing anti-malware blocks
    • Defines the expected (mandatory) training frequency
    • 2FA fatigue – what employees must do with MFA prompts they did not initiate

Training – Important and frequently overlooked

  • Phishing
    • How to identify phishing attempts
    • What to do when an attempt is found
    • What to do when the attack is successful
  • MS Office Skills (and other applications) – don’t assume everyone is at the same skill level 

Resources We Use
