This week I am going to talk about secure and reliable communications.
The reality is that the number one threat to your network is your users clicking on attachments or web links that lead to bad places. Those places can launch an attack against the user and, ultimately, against your physical and cloud network resources.
The traditional Google Apps and Microsoft Office spam filters are proving to be inadequate to completely defend against the evolving threats in today's remote user world. A number of the layers of defense you have in school simply are not there at home.
Therefore, it is time to improve those remote defenses.
One way is to supplement the spam filtering that Microsoft and Google provide with a cloud-based spam filter that not only does the traditional spam filtering, but also checks the safety of the web links and attachments contained in those emails. For instance, we use the Barracuda Essentials Cloud Email Security service. It does all the great spam filtering that many have come to love over the years, but it also uses artificial intelligence to launch those web links and attachments in a protected sandbox and check whether they do anything malicious. It sometimes takes a few seconds, but knowing that your users are only clicking on items that have been pre-screened, regardless of what device they are using or where they are, is really a game-changer.
The next concern is managing sensitive communications with your remote users that contain personally identifiable information (PII) or financial data. There are a number of great encryption tools available to secure email communications. Depending on your email platform, you may already own some form of email encryption. We use the encryption found in the Barracuda appliance. You need to have email encryption in place for this confidential data and train your users to use it.
For secure access, you need to implement multi-factor authentication (MFA) on all email access, on remote network access such as VPN or VDI, and on RDP. For email, you can start in Google or Microsoft with the basics of texting a code. Or you can add a more secure and robust MFA solution such as Google or Microsoft Authenticator, or Cisco Duo. We recommend Cisco Duo because it is robust and makes it easy to recover users who have messed up their authentication by losing their phone. Microsoft and the FBI state that 99% of credential theft attacks can be defeated by simply implementing an MFA solution.
Finally, your remote users are clicking on web links from either the devices you have provided them or from their personal devices. Those links probably are not all coming from their school email account. At school, we recommend that you point your network DNS to at least the free Cisco Umbrella to block the known malware links. However, your remote user sitting at their kitchen table is probably just using the DNS of their home internet provider, such as Optimum, Comcast, or Verizon.
If you have a Cisco Umbrella subscription for your district, you can extend that same level of protection and filtering to your remote end-users. There is a Google Chromebook Cisco Umbrella client that can be pushed to your Chromebooks from the Google Apps Admin Console. There are also Mac and Windows clients that can be installed. The Windows client can be pushed out automatically via GPO or SCCM if the Windows device is inside your network.
Remember, with a Cisco Umbrella remote client you can set a policy on how aggressive your web filtering is. For people's personal devices, you can filter out just malware, and for district devices you might choose to implement more aggressive filtering of inappropriate sites for students and staff.
I have covered a lot of items that we can talk about as next steps. Everything that I discussed can be done independently. If you want to explore more about how to improve your remote user security, give us a call.
Next time I am going to discuss some steps you can take right now to prevent your legitimate email correspondence from getting stuck in your recipient's spam filter.