Even during the best of times, employees, especially the geekier ones, will use their own geeky SaaS services – some of which the average cybersecurity bod has never heard of, let alone seen before. With teams mostly working at home there is no physical visibility and much less virtual monitoring – some people may, for instance, be doing everything in Office 365 email or OneDrive straight over the internet with no VPN, so their traffic never crosses anything the company can inspect. Unregulated use of SaaS services can very quickly mean you lose 100% control of your data, and of which storage jurisdiction it ends up in.
What can happen to a file that leaves corporate kit or is unprotected?
Let’s use a file entering a non-corporate, personal Windows laptop or USB as an example:
- Disposal: The laptop owner sells the laptop on eBay and the new owner gets their personal plus corporate files.
- Loss: The laptop or USB stick is left on a train on the way home from a Friday night drinking session.
- Theft: The owner is targeted and, because they are working from home, the laptop is stolen specifically to get at corporate files.
- Hacked: The laptop owner emails the file to their personal email address, or uploads it to a personal SaaS storage service like Dropbox or OneDrive. That account is hacked and the data is no longer in Western Europe; or the device is compromised with malware and the remote attacker can exfiltrate files at will.
- Leavers: A team member leaves the company and the corporate data sitting on their personal kit can no longer be retrieved by the company.
Thumb drives, external hard drives and camera-style memory cards have two problems:
- Purposeful or accidental loss or theft of data; and
- Infection of the PC or laptop.
To combat this risk, block the ports outright, force encryption of USB devices (for example BitLocker To Go), force encryption of files as they are written out to removable media, or whitelist known trusted and secure USB sticks, such as hardware-encrypted ones, and deny everything else.
At work, the printer is in a secure working environment and may be protected by a company ID card so only the person who printed the document can collect it. At home there are no rules.
To remedy, remove admin rights from users' laptops so they cannot install printer drivers. If you cannot, then block printers from being added by policy. This also saves paper which may not be disposed of correctly – and Miss Thunberg would be happy.
Storage of code
GitHub is great for storing internal or client code, and Stack Overflow is great for getting help when your code will not run. That said, no-one wants their own code or, worse, a client's code viewable by all – and a snippet pasted into a public question is public for good.
Set strong permissions on code stored on external websites, and have a security bot re-check those permissions periodically, since a repository that was private last month may not be private today. Better still, store code on-premise.
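The "security bot" check described above, as an added example that is not from the article: a PowerShell function that lists every repository in a GitHub organisation that is not private, run here against a constructed sample of the JSON that GitHub's `GET /orgs/{org}/repos` endpoint returns so it works offline. The organisation name `example-org`, the `GITHUB_TOKEN` environment variable and the sample repositories are assumptions for illustration.

```powershell
# Added example, not from the original article. Flags repositories that are
# visible outside the organisation so they can be reviewed (or made private).

function Find-ExposedRepo {
    param(
        # Repository objects in the shape returned by GET /orgs/{org}/repos
        [Parameter(Mandatory)] [object[]] $Repos
    )
    foreach ($r in $Repos) {
        # 'private' is a boolean on every repo object; 'visibility' adds
        # public | internal | private on newer API responses. Internal repos
        # report private=true, so only truly public ones are flagged here.
        if (-not $r.private) {
            [pscustomobject]@{
                Name       = $r.full_name
                Visibility = $r.visibility
                Archived   = [bool]$r.archived
                Url        = $r.html_url
            }
        }
    }
}

function Get-OrgRepo {
    # Live fetch for real use: walks every page (GitHub caps per_page at 100).
    param(
        [Parameter(Mandatory)] [string] $Org,
        [Parameter(Mandatory)] [string] $Token
    )
    $headers = @{
        Authorization = "Bearer $Token"
        Accept        = 'application/vnd.github+json'
    }
    $page = 1
    do {
        $uri   = "https://api.github.com/orgs/$Org/repos?type=all&per_page=100&page=$page"
        $batch = @(Invoke-RestMethod -Uri $uri -Headers $headers)
        $batch
        $page++
    } while ($batch.Count -eq 100)
}

# Constructed sample data (assumption) so the check runs without network access.
$sample = @'
[
  { "full_name": "example-org/billing-api",   "private": true,  "visibility": "private",  "archived": false, "html_url": "https://github.com/example-org/billing-api" },
  { "full_name": "example-org/client-portal", "private": false, "visibility": "public",   "archived": false, "html_url": "https://github.com/example-org/client-portal" },
  { "full_name": "example-org/shared-libs",   "private": true,  "visibility": "internal", "archived": false, "html_url": "https://github.com/example-org/shared-libs" },
  { "full_name": "example-org/old-demo",      "private": false, "visibility": "public",   "archived": true,  "html_url": "https://github.com/example-org/old-demo" }
]
'@ | ConvertFrom-Json

$exposed = @(Find-ExposedRepo -Repos $sample)
$exposed | Format-Table -AutoSize
if ($exposed.Count -gt 0) {
    Write-Warning "$($exposed.Count) repositories are visible outside the organisation"
}

# Live use (assumed token in an environment variable; scope it to repo:read only):
# Find-ExposedRepo -Repos (Get-OrgRepo -Org 'example-org' -Token $env:GITHUB_TOKEN)
```

Against the sample, `client-portal` and `old-demo` are reported; the archived one matters too, since archiving does not change visibility. Schedule the live version and diff its output against the previous run so a repository that silently flips to public is noticed the same day.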
You might have seen something like this: "At one place I worked, there used to be cakes and biscuits on certain days without me knowing about it. I asked a colleague and she said they are announced on Slack (erh)."
Slack, Discord and others are used for collaboration on projects, which may be helpful. The problems are authentication and where the data ends up being stored. When someone moves on, their account is often never disabled, so they keep reading the channels.
Have your cybersecurity bod ask your teams which collaboration tools they use, and review the products' security spiel plus privacy. If approved, set rules, enforced 2FA and add the service to the JML (joiners movers leavers) process.
With laptops now being at home and possibly off the network, files may not be saved centrally and if the laptop is lost, stolen or broken there might be no back-up options.
Advise your teams to save files on a central mapped drive, DMS (document management system) and roll out an automated back-up agent to upload files hourly.
Lastly: Do not use PBS (paper-based security) as an enforcement method
Let's use a speed camera as a physical analogy. The speed limit is 70mph and the speed camera may flash you, you will receive a fine... but the car is still perfectly capable of doing 90mph. The rule punishes; it does not prevent.
Do not just tell employees not to do something. Enforce it. Remove administrator rights, block USB ports, block printers from being installed, and set up DLP (data leak prevention) and web filtering.
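The USB, printer and admin-rights controls called for above (and summarised in the paragraph just before this) applied to a single Windows 10/11 laptop, as an added example that is not from the article: it writes the same registry values the corresponding Group Policy settings write, then reads them back so you can verify the control actually took. The break-glass account list is an assumption; in a managed estate push these via GPO or Intune rather than a script, and use this only to confirm the result on a machine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Enforces (rather than merely
# asks for) the controls the article lists, then audits them.

$KeepAdmins = @('Administrator', 'BreakGlass')   # assumed: accounts allowed to keep local admin

function Set-PolicyDword {
    param([string] $Path, [string] $Name, [int] $Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Remove-LocalAdminRights {
    # Strip everyone from the local Administrators group except the break-glass accounts.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $short = ($m.Name -split '\\')[-1]          # drop DOMAIN\ or COMPUTER\ prefix
        if ($KeepAdmins -notcontains $short) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        }
    }
}

function Block-UsbStorage {
    # Outright block: disable the USB mass-storage class driver (Start = 4 means disabled).
    Set-PolicyDword 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start' 4
}

function Require-BitLockerOnRemovable {
    # Softer option: 'Deny write access to removable drives not protected by BitLocker'.
    # Data can still be read from sticks, but can only be written to encrypted ones.
    Set-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' 'RDVDenyWriteAccess' 1
}

function Block-PrinterAdd {
    # 'Prevent addition of printers' is a per-user policy; this sets it for the
    # current user's hive. A GPO applies the same value to every user on the box.
    Set-PolicyDword 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoAddPrinter' 1
}

function Test-HomeWorkingControls {
    # Read the controls back and return one row per control, so the output can be
    # collected from a fleet and any non-compliant laptop chased up.
    $usb = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue).Start
    $fve = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    $prn = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue).NoAddPrinter
    $extraAdmins = @(Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $KeepAdmins -notcontains (($_.Name -split '\\')[-1]) } |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{ Control = 'USB storage blocked, or write-only-to-BitLocker'; Compliant = ($usb -eq 4 -or $fve -eq 1); Detail = "USBSTOR Start=$usb, RDVDenyWriteAccess=$fve" }
    [pscustomobject]@{ Control = 'Adding printers blocked';                         Compliant = ($prn -eq 1);                  Detail = "NoAddPrinter=$prn" }
    [pscustomobject]@{ Control = 'No local admins beyond break-glass';              Compliant = ($extraAdmins.Count -eq 0);     Detail = ($extraAdmins -join ', ') }
}

# Apply. Pick ONE of the two USB functions: a total block, or BitLocker-only writes.
Remove-LocalAdminRights
Require-BitLockerOnRemovable
Block-PrinterAdd

# Verify: anything showing Compliant = False is a laptop where the control did not take.
Test-HomeWorkingControls | Format-Table -AutoSize
```

The audit function is the part worth keeping: run it from your endpoint management tool on a schedule and alert on any `Compliant = False`, because a user with a way to regain admin rights will eventually undo the rest.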
Graeme joined QA in 2017 and has worked in security on and off for 15 years. His last role was as a Senior Technical Security consultant at Capgemini covering the public and private sector.
From the age of 17, he was running investigations into online scams and phishing. Today he teaches and/or has written: CEH, OSINT, CTF (conventional or OSINT), CyberFirst, practical encryption and Security+. Graeme is an avid writer with 130+ articles to his name and a chapter in a published book.
He loves thinking like a hacker to review and tweak settings with a fine-tooth comb.