The majority of us have found ways to adapt during the past year, and some of us may even have been surprised at quite how successfully this has been achieved. This success, or otherwise, relies heavily on technology. Our clients have been working hard to allow the flexibility required within their established IT infrastructures so that staff can work remotely, but in doing so, many organisations have needed to accept a higher level of risk.
The technological risk facing businesses depends on the weakest link in an organisation and the weakest link can so often be a business’ number one asset, its people. When based in the secure environment of your workplace, it is reasonable to feel comfortable that your IT team can deal with the risks facing them. Where staff are working at home, the situation is significantly different.
Data and information relating to customers, staff and the business are assets on which all organisations depend and during the past year the rules of the game have changed. The move to homeworking arrangements in rapid time during lockdowns has increased the vulnerability of organisations to cyber-attacks.
Staff have needed to access key systems and data through personal devices or open internet channels. Overnight, work laptops were sharing home WiFi networks, making an organisation's exposure to attack less clearly defined.
Only a minority of business continuity plans will have accounted for such rapid change, and the services set up to monitor and analyse threats to networks, servers and databases under normal circumstances have been impaired by the new behaviours they now detect in the changed IT environment.
IT Services have needed to ensure they are mitigating the risks of remote access to sensitive data by securing homeworking devices with patch updates and managing access rights to ensure an acceptable level of security.
The human behavioural element is critical to cyber and data security risk. With the dilution of personal interaction, staff can be more susceptible to phishing as they cannot immediately sense-check emails with colleagues. There is also greater potential for controls and safety measures not to be followed, as they are overlooked and ignored to save time and reduce stress.
There can be a perception from users that they can get away with poor practice when working from home, such as sharing confidential files via email whilst in some cases needing to use personal devices to conduct company business.
The need to secure the homeworking environment is not expected to be temporary. Companies whose staff have successfully adapted to working remotely may choose to dispose of office space permanently. This will require companies to maintain high information security standards, both on business premises and in the home working environment.
The cyber threats facing all of us are multifaceted and ongoing, with the current key risks relating to:
- Unauthorised network access
- Denial-of-Service attacks
- Data breach
- Software weaknesses
It is important to consider the extent to which any relaxation of, or changes to, controls has increased the risk of data loss or security breaches, by recognising what has changed. That applies externally (for example, phishing attempts) and internally (for example, staff cyber awareness training after the crisis, or security patching of homeworking devices not being managed as effectively as on-site).
Staff awareness and understanding of information security risk is essential. This applies to protocols around the use, management and storage of confidential data to prevent data loss, and to ensuring workers know how to spot cybercrime, so that people do not succumb to phishing attempts which can result in damaging malware and ransomware attacks.
Current thinking is that phishing attempts and malware infections are the most likely threats to arise, highlighting the importance of staff behaviour, training and awareness in minimising cyber risk.
What questions could you ask yourselves?
- Do you know how the new working environment has affected the IT controls in different parts of the business and what risks these changes pose?
- Do you know if the business has performed a risk assessment to identify possible network weaknesses whose susceptibility to attack has increased in the last 12 months?
- Has staff awareness of key cyber threats been raised? Have they been told what they should look out for? Has there been testing of staff awareness with simulated phishing attempts?
- Are you assured that security patches on personal devices are being applied and managed to the same standard as on-premise devices?
- Have the right people ensured that the perimeter of the business is truly understood? Are absolutely all devices with connectivity and network access secure?
- Have new software applications (e.g. videoconferencing software) been adequately vetted for potential security flaws and vulnerabilities?
An independent health check review of your IT risks at this time can offer meaningful assurances to you and your business and we would be delighted to talk to you about this.