Work remotely, stay secure—tips for CISOs
Due to the COVID-19 outbreak, many of us are making big changes to keep the people around us healthy and safe. Teams at every type of organization are adjusting to full-time remote collaboration. Teachers are connecting with students in online classrooms. And IT departments are finding new ways to help their coworkers stay productive while working from home. For the past two weeks, we’ve been posting ideas aimed at helping people navigate remote work during this challenging time. We shared tips for businesses on working remotely with Microsoft Teams. We turned to my Education colleague Barbara Holzapfel for remote learning tips. And we asked Nathalie D’Hers, an IT leader here at Microsoft, to tell us how her team enables remote work. Today, I’d like to share a piece by my colleague Ann Johnson, Corporate Vice President of our Cybersecurity Solutions Group. Johnson has excellent advice for CISOs on keeping organizations secure as they move to remote work. Here’s Ann.
With many employees suddenly working from home, there are things an organization and employees can do to help remain productive without increasing cybersecurity risk.
While employees in this new remote work situation will be thinking about how to stay in touch with colleagues and coworkers using chat applications, shared documents, and replacing planned meetings with conference calls, they may not be thinking about cyberattacks. CISOs and admins need to look urgently at new scenarios and new threat vectors as their organizations become a distributed organization overnight, with less time to make detailed plans or run pilots.
Based on our experiences working with customers who have had to pivot to new working environments quickly, I want to share some of those best practices that help ensure the best protection.
What to do in the short—and longer—term
Enabling official chat tools helps employees know where to congregate for work. If you’re taking advantage of the six months of free premium Microsoft Teams or the removed limits on how many users can join a team or schedule video calls using the “freemium” version, follow these steps for supporting remote work with Teams. The Open for Business Hub lists tools from various vendors that are free to small businesses during the outbreak. Whichever software you pick, provision it to users with Azure Active Directory (Azure AD) and set up single-sign-on, and you won’t have to worry about download links getting emailed around, which could lead to users falling for phishing emails.
You can secure access to cloud applications with Azure AD Conditional Access, protecting those sign-ins with security defaults. Remember to look at any policies you have set already, to make sure they don’t block access for users working from home. For secure collaboration with partners and suppliers, look at Azure AD B2B.
Azure AD Application Proxy publishes on-premises apps for remote availability, and if you use a managed gateway, today we support several partner solutions with secure hybrid access for Azure AD.
While many employees have work laptops they use at home, it’s likely organizations will see an increase in the use of personal devices accessing company data. Using Azure AD Conditional Access and Microsoft Intune app protection policies together helps manage and secure corporate data in approved apps on these personal devices, so employees can remain productive.
Intune automatically discovers new devices as users connect with them, prompting them to register the device and sign in with their company credentials. You could manage more device options, like turning on BitLocker or enforcing password length, without interfering with users’ personal data, like family photos; but be sensitive about these changes and make sure there’s a real risk you’re addressing rather than setting policies just because they’re available.
Read more in Tech Community on ways Azure AD can enable remote work.
You’ve heard me say it time and again when it comes to multi-factor authentication (MFA): 100 percent of your employees, 100 percent of the time. The single best thing you can do to improve security for employees working from home is to turn on MFA. If you don’t already have processes in place, treat this as an emergency pilot and make sure you have support folks ready to help employees who get stuck. As you probably can’t distribute hardware security devices, use Windows Hello biometrics and smartphone authentication apps like Microsoft Authenticator.
Longer term, I recommend security admins consider a program to find and label the most critical data, like Azure Information Protection, so you can track and audit usage when employees work from home. We must not assume that all networks are secure, or that all employees are in fact working from home when working remotely.
Track your Microsoft Secure Score to see how remote working affects your compliance and risk surface. Use Microsoft Defender Advanced Threat Protection (ATP) to look for attackers masquerading as employees working from home, but be aware that access policies looking for changes in user routines may flag legitimate logons from home and coffee shops.
How to help employees
As more organizations adapt to remote work options, supporting employees will require more than just providing tools and enforcing policies. It will be a combination of tools, transparency, and timeliness.
Remote workers have access to data, information, and your network. This increases the temptation for bad actors. Warn your employees to expect more phishing attempts, including targeted spear phishing aimed at high profile credentials. Now is a good time to be diligent, so watch out for urgent requests that break company policy, use emotive language and have details that are slightly wrong—and provide guidance on where to report those suspicious messages.
Establishing a clear communications policy helps employees recognize official messages. For example, video is harder to spoof than email: an official channel like Microsoft Stream could reduce the chance of phishing while making people feel connected. Streaming videos they can view at a convenient time will also help employees juggling personal responsibilities, like school closures or travel schedule changes.
Transparency is key. Some of our most successful customers are also some of our most transparent ones. Employee trust is built on transparency. By providing clear and basic information, including how to protect their devices, will help you and employees stay ahead of threats.
For example, help employees understand why downloading and using consumer or free VPNs is a bad idea. These connections can extract sensitive information from your network without employees realizing. Instead, offer guidance on how to leverage your VPN and how it’s routed through a secure VPN connection.
Employees need a basic understanding of conditional access policies and what their devices need to connect to the corporate network, like up-to-date anti-malware protection. This way employees understand if their access is blocked and how to get the support they need.
Working from home doesn’t mean being isolated. Reassure employees they can be social, stay in touch with colleagues, and still help keep the business secure. Read more about staying productive while working remotely on the Microsoft 365 blog.
You can also read Ann’s blog post on the Microsoft Security blog.