The pandemic sent us home to set up improvised offices and pushed us to explore new software solutions, including video conferencing, cloud platforms and VPN.
But what was a temporary stopgap has changed into the reality of longer-term remote working, and this could put your business at risk if you don’t have the right processes in place.
COVID-19 cyber attacks
Cyber criminals have been exploiting the fear of the pandemic with repurposed attacks designed to trick recipients into believing there is a ‘cure’ for the virus or that they are looking for donations for a charitable cause.
These attacks have been widespread and numerous. For instance, cybersecurity company Darktrace revealed that 60% of all advanced spear-phishing attacks blocked by its Antigena Email product were either linked to COVID-19 or aimed to trick people by mentioning remote working.
Continued widespread remote working also means there is a greater number of targets for these criminals. Data supplied by Darktrace to The Guardian revealed that the proportion of attacks targeting home workers rose from 12% of malicious email traffic before lockdown in March to more than 60% six weeks after.
Home Wi-Fi doesn’t necessarily have the same defences as a network within your business, and reliance on cloud applications and VPNs can also leave gaps that could be exploited. Examples include falsified requests to reset VPNs and requests that arrive through supposedly corporate messaging systems.
The boom in video conferencing tools such as Zoom has put some businesses at risk too. Before end-to-end encryption was rolled out across all users, some Zoom meetings were infiltrated and hit with homophobic and racist imagery.
Many businesses feel unprepared to tackle these risks. In a recent survey by Centrify, 48% of respondents admitted that their cyber security policies are not fit for purpose in the new world of mass remote working. In the poll of senior decision-makers in large and medium-sized businesses, another 65% also said that they were anticipating an increase in phishing and breach attempts.
So, just what can businesses do to adapt to the new normal and keep their information secure?
Security in the new normal
Training and awareness
Training your team in new software and raising awareness of cyber threats is key to reducing the risk of a successful attack.
Circulate information on the latest threats and make sure staff know how to report anything suspicious. Encourage them to think twice about downloading attachments or software and emphasise that any suspected breaches must be reported immediately.
To reduce the pressure on your IT team, provide training on how to use new software and create troubleshooting guides that answer common questions.
To safeguard privacy, make sure you include training on the use of the webcam too and ensure that your team know when it is turned on.
Risk, access and control
If your company is using new software or applications, such as a video messaging service or cloud platform, you need to make sure a security risk assessment has been carried out.
Combine this risk assessment with the provider’s terms and conditions and privacy statement – this will show you what security controls are in place, where your data will be held and how it can be used. Cloud services in particular will often store and process data in centres across different countries, so make sure you are confident about where your data is being held and who can access it.
Many tools we now rely upon also offer file sharing, screen sharing, chat, call transcriptions and recording applications. Run checks to ensure that these are protected and that you are confident about the provider’s security.
Apps that need to be installed have additional risks as they may be able to access contact lists, location data, documents and photos stored on the device. Again, risk assessments need to be carried out to ensure that this is fully secure.
The lack of physical security of a home office can also make a business vulnerable. Equipment may be more likely to be stolen or damaged in the home, or sensitive information could be seen by other members of the household.
Encourage staff to lock their screens when away from their desk and to keep their passwords private. Set up regular back-ups of data, and if the worst happens, make use of tools to remotely access data, retrieve back-ups and erase information.
More offices are beginning to open on a part-time basis, which means your team may be carrying laptops or other equipment to and from home. Issue guidance on safe transportation and ensure that regular back-ups prevent the loss of information during the transition. Screens should also be locked when away from the desk, even if there is only a skeleton crew in the office.
Adapting to the new normal with ISO 27001
The pandemic has revealed that having the right cyber policies and information security processes in place can help your business to adapt and stay secure.
ISO 27001 (Information Security Management System) equips your business with a framework for maintaining the protection of information, no matter what the working situation is.
The Standard encourages a business to adopt best-practice security, identifying threats and vulnerabilities and implementing effective malware protection for a more resilient business.
It also requires businesses to set out processes for change management, such as transitioning people back to the office, as well as setting out processes for business continuity.
Training to minimise risks, back-up protocols and supplier relationships also fall within the scope of this management system, giving your business a robust set of processes and procedures to minimise risk and react proactively to change. All of this can be managed and maintained on our secure cloud platform, QMS Connect.
To find out more about how ISO 27001 can help your business to stay secure in the new normal and adapt to similar situations in the future, give us a call on 0333 344 3646 or email firstname.lastname@example.org.