Can coronavirus COVID-19 impact your network? The short answer is “yes”, if your firm hastily adopts a remote work policy without considering some common sense security precautions.
1. No personal email. The only exception for this would be to contact helpdesk about being unable to access corporate email. Personal email is not typically set up to properly archive and retain messages that could later be subject to a legal hold. The very use of personal email for business purposes can potentially expose your firm to liability costs that would exceed the value of whatever business you planned to get done.
2. No personal file sharing. This is right up there with personal email. Personal anything is not allowed for business use, mmmkay?
3. No Remote Desktop Protocol (RDP) use over unsecured Internet. If I had a nickel for every person that told the network team to open up port 3389 on the firewall so that they could work from home, I’d be comfortably well off. Yes, RDP means you can access your desktop or server from home. It also opens up great work from home capabilities for attackers. They will guess your username and password. It’s only a matter of brute force time.
4. No low-security options on the VPN configuration. While I’ll allow you to use RDP through a VPN connection, I’ll only allow it if your VPN is not just secure, not just really secure, but only if it is really really secure. That means not just IKEv2 and the best AES that your system will support, but also secured authentication that uses more than a username/password combo. Let there be a certificate or software token as part of 2-factor authentication.
5. No split tunnels. It’s tempting to let a local ISP handle all the Facebook and YouTube traffic that users consume in between productivity spurts, but don’t. Either pass all that traffic through your own network, or block it with a message that VPN bandwidth is limited due to whatever reason you want to provide in order to justify blocking that traffic. My point being that a split tunnel approach allows for an attacker on the Internet to bridge their attack through your user’s PC.
Can there be more possible pitfalls? Sure. These are just the five biggest ones. If your firm is anticipating a stretch where a large percentage of employees must work remotely, then take the time to bake some security into that plan so that reducing health risk doesn’t increase IT risk.