InfoSec Insider

Defining Security Policies to Manage Remote Insider Threats


Plixer’s Justin Jett on finding insider threats amidst the ever-increasing work-from-home population.

Even as state and local governments begin to relax COVID-19-related stay-at-home orders, many businesses have adapted to having more people work from home. This trend is likely to continue: Among the top 20 percent of earners, the number of people that work from home is close to 70 percent, according to Brookings.

The majority of these people have desk jobs and rely heavily on technology to complete their tasks. But as companies shift from pandemic-related policies to a new normal, there are some major security implications to consider.

In the past (2017-2018), when only 4 percent of the population worked from home full-time, corporations were largely protected from outside cyber-threats with corporate firewalls, intrusion-detection systems and a myriad of other tools. Insider threats from employees and others given access to the network were more easily monitored because they were always connected in some capacity, and so malicious activity could be easily detected.

Accessing Company Assets from Home

Even while employees continue to work from home, they still require access to corporate assets to do their jobs well. Without access, some employees can’t perform their duties at all. Organizations must define long-term policies for how employees access company-owned assets, especially if they intend to allow employees to work from home indefinitely. Such policies should include restricting access by role, as well as other security measures like requiring employees to be connected to the corporate VPN.

But these policies should be determined thoughtfully. For example, requiring everyone to connect to the VPN but not providing sufficient bandwidth across that VPN would only result in poor user experiences.

Not all companies will have the resources to increase bandwidth, so additional measures should be taken to reduce the load on VPNs. Split-tunnel connections (this is where only traffic to corporate assets goes through the corporate network, and all other traffic goes through the user’s ISP), for example, will provide users access to corporate assets without consuming excessive amounts of bandwidth when they, say, connect to a Zoom meeting over the VPN.

As companies fully transition to a work-from-home model, cloud resources are becoming more and more useful in granting access to corporate resources historically hidden behind corporate firewalls. Providers like Microsoft, Dropbox and others allow companies to share resources with others in the organization without the need for VPN access. Many of these solutions should be considered in the policymaking process for defining remote-employee access.

Monitoring Network Threats from Afar

Monitoring users on the network is a relatively trivial task for many organizations because all network traffic is ingested into third-party systems for analysis. But what happens when all of the users are remote? Organizations still must ensure that the corporate network and the resources attached to that network are protected. The best solution to maintaining the security of your corporate network when users are working from home is to have them connect to the VPN at all times. As mentioned above, though, this can put significant strain on bandwidth. So, what’s an organization to do?

First, employees should still connect to the VPN even if only as a split-tunnel connection. By monitoring the connection between the employee asset (phone, computer, tablet, etc.) and the network, organizations can easily detect when those systems may have become infected.

While full visibility may not be possible — because a split tunnel won’t show all traffic connections — it will still show malicious connections to the corporate network. The open connection to the corporate network means that when malware attempts to connect back to the organization, IT can quickly identify the employee’s machine and disable access to corporate assets. Additionally, the employee can be alerted to the malware and prepare their device for repair or replacement (depending on corporate policy).
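The detection the two paragraphs above describe (watching only the VPN leg of a split-tunnel connection, and using the role-based access policy from the earlier section to spot an employee machine that starts behaving like malware) can be reduced to a small policy check over flow records. The following is an added example written for this page; it is not Plixer's code or any product's logic. The corporate prefixes, the role allow-list, the client-to-user mapping and the flow-log lines are all constructed, and the field format of the log is an assumption.

```python
"""Added example: evaluate split-tunnel VPN flow records against a role-based
access policy and flag machines that look infected.  Not Plixer's code; every
prefix, role, address and log line below is constructed for illustration."""
import ipaddress
from collections import defaultdict

# Prefixes the split tunnel routes over the VPN; anything else should have gone
# out the employee's ISP and must never appear in these records (constructed).
CORP_PREFIXES = [ipaddress.ip_network("10.10.0.0/16"),
                 ipaddress.ip_network("10.20.0.0/16")]

# Role-based allow-list: (asset, port) pairs each role may reach (constructed).
ROLE_POLICY = {
    "finance": {("10.10.5.20", 443)},                      # ERP web front end
    "engineering": {("10.20.1.10", 22), ("10.20.1.11", 443)},  # build host, git
}

# VPN client address -> (user, role), as assigned by the VPN server (constructed).
VPN_CLIENTS = {
    "172.16.0.11": ("alice", "finance"),
    "172.16.0.12": ("bob", "engineering"),
}

# Distinct internal hosts a client may touch outside its role before we call it a scan.
SCAN_THRESHOLD = 3

# Constructed flow-log sample: alice's laptop is allowed to reach the ERP host, then
# starts probing engineering assets; bob sends internet traffic through the tunnel.
SAMPLE_FLOWS = """\
2020-06-01T09:00:01Z src=172.16.0.11 dst=10.10.5.20 dport=443 proto=tcp bytes=4120
2020-06-01T09:00:05Z src=172.16.0.12 dst=10.20.1.10 dport=22 proto=tcp bytes=9800
2020-06-01T09:01:10Z src=172.16.0.11 dst=10.20.1.10 dport=22 proto=tcp bytes=60
2020-06-01T09:01:11Z src=172.16.0.11 dst=10.20.1.11 dport=445 proto=tcp bytes=60
2020-06-01T09:01:12Z src=172.16.0.11 dst=10.20.1.12 dport=445 proto=tcp bytes=60
2020-06-01T09:02:00Z src=172.16.0.12 dst=203.0.113.5 dport=443 proto=tcp bytes=1500
"""


def parse_flow(line):
    """Turn one 'ts key=value ...' record into a dict with typed port/bytes."""
    fields = line.split()
    rec = {"ts": fields[0]}
    for kv in fields[1:]:
        key, value = kv.split("=", 1)
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_corporate(addr):
    """True if the address falls inside a prefix the split tunnel carries."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORP_PREFIXES)


def evaluate(flow_log):
    """Return (timestamp, user, finding, detail) tuples for every policy violation."""
    findings = []
    denied_hosts = defaultdict(set)   # user -> internal hosts reached outside role
    for line in flow_log.strip().splitlines():
        rec = parse_flow(line)
        user, role = VPN_CLIENTS.get(rec["src"], ("unknown", None))
        if not is_corporate(rec["dst"]):
            # Split tunnel misconfigured, or a full tunnel eating VPN bandwidth.
            findings.append((rec["ts"], user, "non_corporate_over_vpn", rec["dst"]))
            continue
        if role is None:
            findings.append((rec["ts"], user, "unknown_client", rec["src"]))
            continue
        if (rec["dst"], rec["dport"]) not in ROLE_POLICY[role]:
            findings.append((rec["ts"], user, "outside_role",
                             f'{rec["dst"]}:{rec["dport"]}'))
            denied_hosts[user].add(rec["dst"])
    # A single machine touching several assets it has no business with is the
    # pattern the article describes: malware on the endpoint reaching back in.
    for user, hosts in denied_hosts.items():
        if len(hosts) >= SCAN_THRESHOLD:
            findings.append(("-", user, "possible_internal_scan", f"{len(hosts)} hosts"))
    return findings


def users_to_isolate(findings):
    """Users whose VPN access IT should disable pending device repair."""
    return sorted({f[1] for f in findings if f[2] == "possible_internal_scan"})


if __name__ == "__main__":
    results = evaluate(SAMPLE_FLOWS)
    for ts, user, finding, detail in results:
        print(f"{ts} {user:<8} {finding:<24} {detail}")
    print("isolate:", users_to_isolate(results))
```

Run against the constructed sample, the check flags alice's three out-of-role connections and rolls them up into a possible internal scan, which is the cue for disabling her VPN access and alerting her; bob's internet-bound flow is reported separately, since in a correctly configured split tunnel it should never have crossed the VPN at all. A real deployment would feed this from the VPN concentrator's flow export rather than a string, and would tune SCAN_THRESHOLD and the role allow-list to the organization's own asset inventory.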

Building a Lasting Policy

Regardless of the complexities that each organization faces, one thing is clear: Every company must have a robust security policy that considers remote employees. While some organizations will try to go back to the way things were before, cultural shifts and uncertainty mean that working from home will be the new normal for many. Without an official security policy in place, organizations will not have a way to identify new threats and properly counter them, and employees will be left in the dark about best practices for accessing and using corporate resources from home.

While the threat of pandemic will not last forever, companies should plan for long-term policies around working from home. If not already done, organizations should poll their employees now to understand how many would want to return to work. By doing so, organizations can prioritize policies around each group (those returning to the office and those staying at home).

Each company will be different, and the policy must be oriented around the employees. Once identified, decisions can be made to increase infrastructure, purchase new security tools or enhance existing systems to prevent the changes in the work environment from increasing the threat surface area.

This is the time to define the new normal; having well-defined policies in place will help businesses maintain their security posture while bolstering the security of the ever-increasing work-from-home population.

Justin Jett is director of audit and compliance for Plixer.
