Security Think Tank: Anytime, anywhere access is achievable

Since the pandemic, remote working has become endemic!

It has its pros and cons for businesses and indeed their staff, but doesn’t seem have made the morning rush hour and traffic congestion any better, or increased the chances of getting a seat on the train in the morning. I cycle to work anyway, and it does seem a lot more are doing the same.

From a personal standpoint, remote working does appear to have empowered staff. If they can work from home a day a week, why not all week? Why not change their working patterns as well whilst on topic? Given businesses now save money on office space, why can’t we get paid more salary, etc?

Why do I have to use this rubbish work laptop? 

I know, I’ll just use my own.

…and it’s there that all the fun starts.

Businesses that are not prepared for this do expose themselves to greater cyber risk, and what I tell our clients is to secure their services and data, so it can be accessed from anywhere, on any device.

It’s a starting point and not the end game. But with a zero-trust, conditional access model, it’s achievable.

If staff can use the most obsolete and malware ridden laptop, that’s fine. But an organisation must prepare for this. Maybe they don’t want such laptops to connect to network shares. Fine. You can restrict that. Maybe they don’t want malware ridden laptops on their corporate network? Fine. You can restrict that.

But at the end of the day, and in most businesses, anyone can access services over the web, from anywhere. 

Ask your business if they feel this is ok, and what if this web access was from an infected machine?

Well, you can disable downloads for a start. And uploads. And file attachments on email. You can restrict email right down to a text based messaging service only if needed.

Ultra paranoid? Then just disable web access.

Point being, any condition for any scenario, is perfectly feasible.

This goes back to the saying, you should always operate as if you were already compromised. Trust no one and no thing. Only give people access if they meet a certain set of conditions, including identity verification, MFA, an up to date patched system, an active anti-malware deployment and a host firewall.

I hate to say it, but applying a standard like the National Cyber Security Centre's (NCSC's) Cyber Essentials will get you there, as would verifying the self-assessment was accurate, by applying Cyber Essentials Plus controls.

It’s really not difficult, but it still astounds me that business seem to ignore the basics. 

I’ve been to plenty of places, government included, that have invested in the latest and greatest Crowdtrace or Darkstrike solutions, thinking that will give them the protection they need, without having to worry about running Windows 2008 Servers.

Help.

Moving into 2024, and I was saying this back in 1994, get the basics right!