Welcome to our latest FAQ Friday, where industry experts answer your burning technology and startup questions. We’ve gathered top Minnesota authorities on topics from software development to accounting to talent acquisition and everything in between. Check in each week, and submit your questions here.

This week’s FAQ Friday is sponsored by Coherent Solutions. Coherent Solutions is a software product development and consulting company that solves customer business problems by bringing together global expertise, innovation, and creativity. The business helps companies tap into the technology expertise and operational efficiencies made possible by their global delivery model.

Meet Our FAQ Expert

Max Belov, CTO of Coherent Solutions

Max Belov, CTO of Coherent SolutionsMax Belov has been with Coherent Solutions since 1998 and became CTO in 2001. He is an accomplished architect and an expert in distributed systems design and implementation. He’s responsible for guiding the strategic direction of the company’s technology services, which include custom software development, data services, DevOps & cloud, quality assurance, and Salesforce.

Max also heads innovation initiatives within Coherent’s R&D lab to develop emerging technology solutions. These initiatives provide customers with top notch technology solutions IoT, blockchain, and AI, among others. Find out more about these solutions and view client videos on the Coherent Solutions YouTube channel.

Max holds a master’s degree in Theoretical Computer Science from Moscow State University. When he isn’t working, he enjoys spending time with his family, on a racetrack, and playing competitive team handball.

This Week’s FAQ Topic – Security and Working Remotely

 

What security risks are our company facing by adding platforms and tools to accommodate a remote working environment? How can we mitigate these risks while blending the solutions with our current security plan?

From the security perspective, when switching to a remote working environment, your priorities remain similar to how your organization operated in the office.

  • Provide secure access to your business applications.
  • Protect your employees from malicious web content.
  • Prevent sensitive data from leaving your organization.
  • Secure your sensitive data in the cloud.

When you look at how to secure your organization with various new platforms and tools it now uses in the remote working environment, you can look at it from the same perspective. If you already had a work from home policy, it would cover many of the useful best practices.

  • Use VPN for any work-related communications and network access.
  • Implement 2-factor authentication for access to VPN and company cloud resources.
  • Identify access and authorization policies for accessing cloud resources.
  • Define and implement secure configuration for all devices used for remote work.
  • Perform OS and application security updates regularly for all devices used for remote work.
  • Promote safe behavior when it comes to web browsing and e-mails.

Many of the tools your teams will use are going to be cloud-based, so the effort you have put into implementing cloud governance provides a lot of value. From there, specifics will depend on how exactly you have implemented remote access to the company environment for remote employees and what specific capabilities you are providing with any new solutions implemented.

First, you should start with examining your existing tools and infrastructure. Even though these applications are not new, how employees are going to be accessing applications now that they are working remotely will change, and you need to create an inventory of new risks that may be associated with remote work environment. This list would range from ensuring employees have a good security baseline in their home network (licensed and patched computers and tablets, patched Wi-Fi routers with default passwords changed) to implementing a basic device management to only allow corporate devices full access to your business network and data, and limiting access for personal devices and home computers.

Patterns of how employees utilize your corporate infrastructure will also change. Traffic and load may increase for some use cases and drop significantly for others. For example, if your organization uses a cloud storage solution and you decide that for security purposes you are going to continue to only allow access to that storage service from your corporate network, everyone will need to use VPN to access it and that will essentially double your bandwidth requirements as well as put significant load on your company’s VPN gateway.

Typically, new tools added to support a remote working environment will center around sharing information and collaboration. Any time you introduce these types of tools into your environment you must:

  • Secure access and use of these tools. You need to make sure that only authorized people can run and join web and video conferences.
  • Decide which information and documents you will allow within these platforms. Is it ok for people to share confidential documents on web calls or upload to the cloud? Will you allow recording of conferences and where can these recording be stored; how will people access these recordings?
  • Perform access audits. Monitor and regularly review access and usage logs to ensure you are identifying and flagging risky behavior.

What steps does our company need to take to build or update our current security plan? What is the best way to audit our security needs?

If you did not have your security plan before, I would certainly recommend starting from basics. The project of creating you company information security policy from scratch is probably outside of what we can discuss here, but feel free to use industry standards, such as ISO 27001, as a general guideline.

Fundamentally, understand what positive behaviors among your employees you want to promote and which risky behaviors to reduce. From there, decide which ones you want to enforce and restrict and which to simply monitor.

You can follow a simple lifecycle that will help your organization to create or make initial changes to your security plan and then continue evolving it:

Learn -> Design -> Operate -> Audit

If you are working on updating your existing security plan, from practical standpoint, monitoring and event management is where to start. Regularly review access, activity and communication logs to be able to flag risky behaviors early on. A security plan is never static – keep updating it as you learn more in this new environment. Identify priorities and proceed with addressing the next set of important concerns.

If you are working on updating your existing security plan, from practical standpoint, monitoring and event management is where to start.

You can certainly reach out to security service providers to help you validate and audit your plan. You can also lean on them to temporarily raise your security organization profile by hiring a part-time Chief Security Officer that can help you drive the process.

What steps should we take to smoothly roll out a security plan to employees? What kind of trainings are effective? How do we communicate risks to our employees?

The best way to ensure everyone is on board is to help employees understand that the new security plan is good for the entire company as it helps business to continue operating in this new environment and it is everyone’s responsibility to understand and execute it.

When rolling out the plan to your team, conduct a virtual in-person initial training with your team using your preferred virtual communication tools (yes, Zoom, when properly used, is a secure communication tool). It gives your team the level of interactivity that helps them feel good about the program as something they all will benefit from and not something that is just being pushed on them. How exactly it is delivered depends of the size of your organizations. For smaller teams of 20 people or less, you can gather everyone on the same call. Larger teams may need to be broken down into smaller sub teams. Recorded and pre-recorded trainings may need to be used for larger organizations and accommodate for schedule conflicts, different time zones, and for recurring refresher trainings.

Repetition is the key to make sure everyone knows and understands the plan and their assigned responsibilities. One of the most critical parts of rolling out a security plan to your organization is repeating it multiple times. In this current environment, we are somewhat limited to the tools we can use – physical lunch and learns and office posters are out of the question for the time being – but you still can use multiple channels to promote important topics and continue educating your employees after the initial training. You do not want to overdo promotion. Focus on key tools like email, Slack and your corporate social network to engage and educate employees.

 

Looking for more? Learn about Coherent Solutions Security services.

Still have questions? Ask Max and the Coherent Solutions team questions on quality assurance and more on Twitter at @CoherentTweets.