Overview
Our client came to us for cybersecurity consultancy services knowing that they were dealing with sensitive data and that it was imperative to properly protect it. For them, a breach could have significant ramifications both in terms of financial penalties and in the reputational damage that could ensue. They were interested in IT security certification though our IASME Pathway, which is still an ongoing process.
The company is small, with just 8 people, but busy and growing exponentially. Two of the staff are employed through remote working 5-days a week. They are based in India full-time and had always used their own devices. The remaining staff were using a Regus serviced office, with a mixture of Macs and PCs.
Security Posture
The two users in India raised immediate alarm bells for us, as the lack of control over those devices could represent a significant threat. This is increasingly representative of so many users working from home, often operating with an unknown protection status, in an unknown environment, in an unknown patch state, using unknown communications methods. The increase in the number of home working employees during the Covd-19 pandemic has only exacerbated the problem.
People working from home, or remote workers such as our client’s in India, exist beyond the reach of the firewall, anti-virus, and other protections a business usually puts in place to minimise the possibility of data loss. This had to be addressed quickly.
The Solution
Within a very short time the staff in India had been configured to use a secure authentication service that adopts passwordless authentication and threat-weighting algorithms to determine whether the user should be allowed to log in. This service derives security posture from their geo-location, time of login, biometrics and other parameters that together form a weighting value. If the system considers the value to be within the bounds of safe operation then logon is allowed, however the login is not to their local machine but rather to a cloud-hosted, fully managed virtual workstation over which the company always has full control.
Like the other users of the central SaaS service around which the business is based, the focus then changed to who has access to the sensitive data, and what can they do with it. To prevent exfiltration, accidental deletion, encryption, modification, or corruption, strict rules were applied to the systems in question. Only those with a valid authorization AND need to know would be allowed access to the lower-level controls over the data. This was bolstered with a Data Loss Prevention system that prevented copying, saving, emailing, or downloading restricted content.
The company used Office 365 email, Teams and Sharepoint to manage internal data, on occasion sharing exported subsets of the central sensitive data. As is often the case they had not realized that this internal data is only subject to the Microsoft 30-day backup, which is completely useless for protecting against most of the major threats to information security. Microsoft do state that users should back up their own O365 data, but people rarely read the terms of service and it remains a consistent point of vulnerability. We implemented a very simple, but extremely flexible and effective backup service that reinforces the entire Office 365 suite and allows restore of anything from the entire organization, even down to a single email.
Moving forward we will progress with the client’s IT security certification process, and once fully audited will put together a comprehensive business continuity plan, disaster recovery plan and will look ahead to comprehensive website security testing.
