On the 12th March, the UK Government announced that the UK moved into the ‘Delay’ phase of the current Pandemic outbreak. Much of this plan relies on the ability of organisations to allow its workforce to work remotely…
It’s worth remembering that when you allow people to work remotely, you’re allowing them to work from uncontrolled locations, and unregulated and (possibly) insecure networks. So you are introducing a whole range of risks into your business which were not there before, and need to be managed.
Below I’ve provided guidance on what you should be doing now, and in preparation for the next phases of this outbreak. There is so much I could say on this topic, but for now, I will focus on the security aspects of this new phase. So let’s get started…
Start planning without delay
If you have not started to plan for this ‘Delay’ phase, then you should begin without delay! This does NOT mean running round in circles panicking, and rushing out to buy loo roll!
What it does mean is that you need to instigate your Business Continuity Plans (BCP), which should have been in place for some time now. Remote working is nothing new to people in the UK, as we invoke these plans most winters, as commuters are forced to work from home due to inclement weather.
Your plans for working remotely are most likely already in place. However, these may need a re-think, because while you may have plans for some workers to work remotely, having almost 100% of your workforce at home will present challenges.
Knowing your risks
The increase in remote working undoubtedly increases the risk of a data breach or cyber incident occurring, due to the uncontrolled environments teams will be working in, and the bad guys know this.
Cybercriminals are already targeting countries with phishing campaigns, offering face masks offering “100% protection against COVID-19 infection”. They are also targeting people with emails that purport to be from official organisations like the World Health Organisation.
Malware infection is going to increase, as people use their own equipment, which may not be protected with the latest software patches and malware protection.
Cybercriminals have no problem profiteering from disasters, so we need to arm our teams with the tools and knowledge they need to prevent being the next ‘client’ of the cybercriminal.
So what can you do to allow your teams to work remotely but still ensure the security of your business. Firstly I would suggest you need to assess what equipment people need to work remotely.
Your shopping list should look something like this;
• Encrypted Laptops
• Malware protection software
• VPN software
• Privacy screens
• Mobile phones
• Encrypted USB devices
You may have some of the above, but pay close attention to things like encryption, printers and shredders. If people need a printer, buy them a shredder to dispose of any confidential waste they might have. Ensuring devices are encrypted is of vital importance, especially if you are increasing the use of USB devices to transfer/transmit data.
It’s all well-and-good telling staff to work remotely, but they then fail to log in to your systems due to a bottleneck in the system. If you have the ability to test this now, then you should do it without delay.
Your office is a secure environment that you control, with locked doors, cabinets, CCTV and alarms, but you have no way of knowing what security looks like in your teams remote working environment. Are they working on the kitchen table? Perhaps they’re going to the local café? (I hope not!).
So remind your teams about clear desk policies, and ask them to ensure they are locking away their devices each night, or securing confidential information/documents when not in use. Cats, Dogs, Children all present risks to your business that you may not have thought about before today.
People, People, People
As the saying goes; Your home is your castle. So security should never be far from our minds. But remember that during this time your workforce is most likely not thinking about you, or the business they work for.
I will not repeat Maslow’s ‘Hierarchy of needs’ here, but it’s right to say your workforce is concerned about their own wellbeing, and that of their families too before thinking too much about your business. So it’s no surprise that during times like this, the security of Data takes a back-seat.
Give your teams the tools they need to work remotely, but also arm them with the information they need to. Remind them of the importance of keeping data secure and protected. Give them advice on how they should do this when working remotely, and provide them with regular updates.
This last point is extremely important – keep staff updated…
We hear all the time how people are the most significant risk in business. This is not true.
The most significant risk in business is complacency. Your people are your greatest asset and need to be treated as such. Look after your team, and I promise you they will look after you.
Communicate with them often. But not just about how the business is getting through this ‘crisis’. Ask them how they are, how you can support them, is there is anything they need?
You’ll no doubt have someone monitoring the network for areas of stress and strain, so assign someone to monitor staff welfare for the same signals.
Of course this extends further, and communication to your suppliers and clients is also vitally important. They will want to know what the impact is on you, but mostly because they want to know what the impact is on them. Can you pay your bills? Will you supply your services on-time? If you don’t communicate to them and communicate in a pro-active way, they may come to their own conclusions.
There are many risks in business, and these are dispersed and amplified when people work remotely. Those organisations who have adopted the security standard ISO27001 already know there is a whole section focused on ‘Teleworking’, so it’s importance is undisputed.
If you are reading this and still confused, my advice would be this;
1. Invoke your CMT (Crisis Management Team) and assess the impact on your business
2. Equip people with the tools and knowledge they need to work remotely
3. Communicate, communicate, communicate
There are so many other things to consider, but there always will be. Don’t let a lack of information prevent you from taking action today.
If you’re still confused or need further advice, please reach out and ask for help. That’s what I’m here for. I’m Gary Hibberd aka ‘The Professor of Communicating Cyber’ at Cyberfort Group.