Many of us have adapted to new ways of working in recent months. For public sector organisations, this has meant supporting citizens whilst mobilising large remote workforces. How can organisations ensure they protect citizen data in this new remote working landscape?
The global coronavirus outbreak is having a profound effect on the way we work, travel and go about our daily lives. Public sector organisations have an obligation to deliver the highest possible quality of services to the citizens they support, and over the past few weeks many of them have implemented measures that enable them to fulfil this obligation in the most efficient way possible.
Many public sector organisations have focused on the logistics involved in ensuring people and departments can carry on functioning with minimal disruption to the citizens they support. Cyber security and data protection have been and will continue to be key considerations for these organisations, the majority of which hold and manage highly sensitive Personally Identifiable Information (PII).
Although the UK Government has announced its plans for easing the national lockdown, we expect the changes to working practices brought about in recent months to stay around for some time. Some organisations may elect to remain virtual, and we may see an acceleration in transitions to cloud technologies for public sector organisations that currently host their IT infrastructures at their operating locations.
In today’s increasingly hostile threat landscape, any public sector organisation reviewing its digital transformation and remote working strategies must ensure they minimise the risk of data breach at all times. This becomes harder as remote workers access data from multiple locations, potentially with multiple device types and outside the safety bubble of an organisation’s internal network.
In this article we will provide an overview of the remote working strategy decisions your public sector organisation should be making today in order to keep citizen data secure whilst managing a remote workforce.
Securing your remote workforce: best practice advice
As the UK entered lockdown in March 2020, organisations throughout the public sector moved quickly to enable their people to support citizens whilst working remotely. Remote working brings with it an increased risk of data breach, as staff access highly confidential citizen data from outside the internal network.
If your public sector organisation has mobilised a remote workforce and is considering the security and data protection implications of maintaining these working practices on a more permanent basis, here are six pieces of best practice advice you should follow in order to deliver secure remote access that keeps citizen data secure at all times.
1. Set Up a Management Zone
If you need remote access to internal systems for management purposes, set up a management zone and block access to it from the internet. Limit access to a management VLAN which you can connect to via a jump box, a dedicated management VPN, or both. Avoid the temptation to expose RDP, Telnet, SSH, SNMP or any other remote management ports to the Internet or to your ‘home’ IP addresses.
2. Review Your VPN Technology
If you have VPN technology that was rarely used and is now being accessed by a large number of users for the first time:
- Check you are running the most up-to-date versions of your software and firmware.
- Check crypto settings are not running 64/128-bit ciphers – bump these all the way up to 256 and above where you can.
- Use certificates – don’t just rely on simple passwords and usernames.
- Use multi-factor authentication.
- Keep your network design simple. Many people over-complicate what should be a simple setup, and most vulnerabilities we find in VPN connections are simple oversights that result from complexity, usually around the scope of what connecting clients can and cannot connect to from the VPN connection versus the standard internal office network.
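A small audit script for points 1 and 2 above, added here as an illustration and not code from the article or from Six Degrees. It flags firewall allow rules that let RDP, Telnet, SSH or SNMP be reached from anywhere other than the management VLAN or jump box, and flags VPN cipher suites below the 256-bit bar. The management VLAN range, jump box address, rule set and cipher list are all constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Management services that must not be reachable from the internet or from
# staff 'home' IP addresses (point 1).
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 161: "SNMP", 3389: "RDP"}
# Assumed, constructed addressing: only the management VLAN and the jump box
# may reach a management port.
ALLOWED_SOURCES = [ipaddress.ip_network("10.99.0.0/24"),   # management VLAN
                   ipaddress.ip_network("10.99.0.10/32")]  # jump box
MIN_CIPHER_BITS = 256  # key length the article asks for on VPN ciphers (point 2)

@dataclass
class Rule:
    name: str
    source: str      # CIDR; "0.0.0.0/0" means "any", i.e. the internet
    dest_port: int
    action: str      # "allow" or "deny"

def _source_is_trusted(src):
    # subnet_of() raises on mixed IP versions, so compare versions first.
    return any(src.version == ok.version and src.subnet_of(ok) for ok in ALLOWED_SOURCES)

def audit_management_rules(rules):
    """One finding per allow rule that exposes a management port to a source
    outside the management VLAN / jump box."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dest_port not in MANAGEMENT_PORTS:
            continue
        src = ipaddress.ip_network(r.source, strict=False)
        if not _source_is_trusted(src):
            svc = MANAGEMENT_PORTS[r.dest_port]
            findings.append(f"{r.name}: {svc}/{r.dest_port} reachable from {r.source}")
    return findings

def audit_vpn_ciphers(cipher_bits):
    """Return cipher suite names whose key length is below MIN_CIPHER_BITS."""
    return sorted(name for name, bits in cipher_bits.items() if bits < MIN_CIPHER_BITS)

# Constructed sample firewall rules and VPN cipher list for a stand-alone run.
SAMPLE_RULES = [
    Rule("rdp-from-internet", "0.0.0.0/0", 3389, "allow"),
    Rule("ssh-from-home-ip", "203.0.113.5/32", 22, "allow"),
    Rule("ssh-from-jump-box", "10.99.0.10/32", 22, "allow"),
    Rule("public-https", "0.0.0.0/0", 443, "allow"),
    Rule("telnet-blocked", "0.0.0.0/0", 23, "deny"),
]
SAMPLE_CIPHERS = {"AES256-GCM-SHA384": 256, "AES128-SHA": 128, "DES-CBC3-SHA": 112}

if __name__ == "__main__":
    print(audit_management_rules(SAMPLE_RULES), audit_vpn_ciphers(SAMPLE_CIPHERS))
```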
3. Always Use Multi-Factor Authentication
If you don’t already, ensure cloud-based solutions such as Office 365, AWS and Azure use strict multi-factor authentication. Multi-factor authentication is now the industry-expected default configuration, and anything less should be seen as a misconfiguration. Without it you run the ongoing risk of falling victim to simple brute force or credential stuffing attacks. Don’t give attackers the chance.
4. Ensure Users are Working from Approved Devices
If you are thinking about letting users use their own personal devices, don’t forget they won’t have your organisation’s standard antivirus software or group policies to help you control their devices. Provide them with a good sandboxing technology to access applications from – especially those that link to databases storing citizen data. This will protect your network from any home-brewed nasties their devices may be harbouring. Our cyber security professionals recommend only allowing access from corporate-approved devices that fall under your internal IT security policies.
5. Consider the Security Implications of Free Software
There’s some great free and freemium remote working technology that has enabled many public sector organisations to get on their feet when it comes to staying productive and communicative whilst away from the office. But is this fit for purpose in the long term? You’ve probably read about the security issues users have experienced with the likes of Zoom and other teleconferencing solutions. Expanding your working environments increases the threat vectors cyber criminals can attack you through. Consider reviewing free software applications and replacing them with secure, feature-rich paid-for versions.
6. Plan Users’ Return to the Office Carefully
Depending on your organisation’s operational requirements, you may now be looking at pathways to returning some users to your operating locations. Depending on your users’ remote device setups, there are a number of potential cyber security risks and controls you should consider implementing – including multi-factor authentication, the removal of admin rights and the reiteration of acceptable usage policies. As users return to the network, you should also consider implementing a remote device ‘car wash’ to ensure any malware accidentally picked up whilst working from home is not transferred to your internal network.
Adapting to the New Normal Together
In today’s fast-moving world, the ability to communicate, collaborate and work efficiently from anywhere is essential to delivering brilliant citizen services. However, public sector organisations should be wary of making rushed, poorly thought-through decisions that increase the risk of data breach. By carrying out a comprehensive review of your remote workforce security you will put your organisation in the best position to maintain your security posture and protect citizen data as we transition towards the new normal together.
About the Author
Andy Swift is Head of Offensive Security at Six Degrees, a leading secure cloud-led managed service provider that works as a collaborative technology partner to organisations making a digital transition.
For more information, visit www.6dg.co.uk
To read more from #procuring4growth Campaign Week visit our landing page by clicking here.