Coronavirus certainly threw businesses a curveball. Lockdown saw the business world change almost overnight, with many adopting mass remote working as the best solution in such uncertain times. But this sudden shift also opened up new risks to businesses’ cyber security, as we revealed in our article.
COVID-19 is still far from being banished to the back of our minds, but with the dust settling on many hastily put-together remote working solutions, what should businesses do next to shore up their information security?
Strengthening cyber resilience
If you had to adapt quickly at the start of lockdown, now is the time to review the decisions made during the crisis. By taking stock now, you can boost your information security and refocus, moving from survival to resilience.
To help your business create a new culture of security in the post COVID-19 world, here are 10 things you should think about going forward:
1. Assess access
In the whirl of activity following the start of lockdown, many businesses had to quickly give their employees access to servers and other information by relying on Virtual Private Networks (VPNs) and granting new permissions.
In a recent VMware/Carbon Black survey of incident response professionals, 45% highlighted VPN vulnerabilities as an issue of concern, while another 34% emphasised the risk of access-mining. It is therefore time to review employee access and update VPN profiles and firewalls. This will help to ensure that employees hold only the privileges their role requires, and that emergency grants made during lockdown are revoked once they are no longer needed.
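The access review described above can be scripted so it is repeatable rather than a one-off. The following is an added example written for this article, not code from the article's author or from any vendor. It assumes a hypothetical role-to-entitlement matrix (ROLE_ENTITLEMENTS) and a constructed list of accounts exported from a VPN or directory, and it flags leavers who still hold access, grants that exceed what the role needs, roles with no agreed entitlement set, and accounts that have gone dormant.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical least-privilege matrix: the entitlements each role is meant to hold.
ROLE_ENTITLEMENTS = {
    "finance": {"vpn-finance", "erp-read"},
    "engineering": {"vpn-eng", "git", "ci"},
    "support": {"vpn-support", "crm-read"},
}


@dataclass
class Account:
    username: str
    role: str
    active: bool              # False once HR records the person as a leaver
    last_login: date
    entitlements: set = field(default_factory=set)


def review_access(accounts, today, dormant_after_days=45):
    """Return (username, finding, detail) tuples for an access-review meeting."""
    findings = []
    for acct in accounts:
        if not acct.active:
            # Leavers should hold nothing at all; anything left is a finding.
            if acct.entitlements:
                findings.append((acct.username, "leaver-with-access", sorted(acct.entitlements)))
            continue
        if acct.role not in ROLE_ENTITLEMENTS:
            # No agreed baseline for this role, so every grant needs a human decision.
            findings.append((acct.username, "unknown-role", sorted(acct.entitlements)))
            continue
        excess = acct.entitlements - ROLE_ENTITLEMENTS[acct.role]
        if excess:
            findings.append((acct.username, "excess-entitlement", sorted(excess)))
        idle_days = (today - acct.last_login).days
        if idle_days > dormant_after_days:
            findings.append((acct.username, "dormant-account", idle_days))
    return findings


# Constructed sample data: accounts as they might look after emergency grants in March.
REVIEW_DATE = date(2020, 9, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "finance", True, date(2020, 8, 30), {"vpn-finance", "erp-read"}),
    # Support agent given engineering VPN access to help with a migration, never revoked.
    Account("bob", "support", True, date(2020, 8, 28), {"vpn-support", "crm-read", "vpn-eng"}),
    # Engineer on extended leave; account untouched for three months.
    Account("carol", "engineering", True, date(2020, 6, 1), {"vpn-eng", "git", "ci"}),
    # Left the company in July but the VPN profile was never removed.
    Account("dave", "finance", False, date(2020, 7, 15), {"vpn-finance"}),
    # Contractor role that was never mapped to a baseline.
    Account("erin", "contractor", True, date(2020, 8, 31), {"vpn-eng"}),
]


def sample_review():
    """Run the review over the constructed sample."""
    return review_access(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for username, finding, detail in sample_review():
        print(f"{username:8} {finding:20} {detail}")
```

Feed it a real export (one Account per user, entitlements taken from VPN groups and firewall rules) and treat each finding as a ticket: revoke, re-map the role, or confirm the exception in writing.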
2. Implement device distancing
Working from home means your staff are surrounded by personal devices. Review permissions given to staff who may have been working on these devices – personal phones, tablets and laptops are more likely to be behind on security upgrades, which could make them more vulnerable. If you can, issue work equipment to those who don’t have it already.
The presence of potentially vulnerable devices may also prompt you to implement a ‘device-distancing policy’. This would require employees to remove non-work devices from the room, particularly if sensitive information is being discussed in a call.
Sensitive file sharing should be restricted across applications or devices that may be insecure. For instance, alert staff that restricted information should not be shared via video conferencing.
3. Create an integrated suite of tools
If your business had to quickly purchase new software or cloud services in order to stay working remotely, it’s possible that some of these tools do not work comfortably together or have failed to integrate with your existing systems.
Review the tools you bought and replace those that do not integrate fully. This way you can create a suite of tools, platforms and software that work cohesively and simplify work for your staff.
4. Review and update business continuity plans
The sudden switch to remote working took many businesses by surprise. Take the time now to review or implement a business continuity plan. This will help your business to be more resilient in the future and adapt more quickly to similar situations. If you’re unsure about what to include, take a look at our article on the top five components of a business continuity plan. Once you have your plan, remember to test it.
5. Review control and collection of personal information
To aid track and trace, many businesses are now having to record and keep personal information of customers. Safeguarding this information is key in order to remain compliant with stringent laws and regulations, such as the Data Protection Act (DPA) and General Data Protection Regulation (GDPR).
To stay on the right side of the law and reduce the impact of any data breach, you could choose a data storage supplier who offers compliant security measures. Also ensure that you collect only the most essential information and that it is deleted after a set period. You may also want to implement additional security measures, such as two-factor authentication on the systems that hold it.
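Collecting only what you need and deleting it on schedule are both mechanical rules, so they are best enforced by code rather than by memory. The example below is added here and is not the article's own code. It assumes a hypothetical allow-list of required fields, an assumed 21-day retention period (set this from your own legal advice, not from this example) and constructed visitor records using reserved UK drama phone numbers.

```python
from datetime import datetime, timedelta

# Hypothetical allow-list: the only fields the tracing purpose actually needs.
REQUIRED_FIELDS = {"name", "phone", "visit_time"}
# Assumed retention period in days; confirm the figure with your own legal advice.
RETENTION_DAYS = 21


def minimise(record):
    """Drop every field that the stated purpose does not need."""
    return {k: v for k, v in record.items() if k in REQUIRED_FIELDS}


def is_expired(record, now, retention_days=RETENTION_DAYS):
    """True once the visit is older than the retention window."""
    visited = datetime.fromisoformat(record["visit_time"])
    return visited < now - timedelta(days=retention_days)


def process_records(records, now):
    """Return (records to keep, already minimised; count of records to purge)."""
    kept, purged = [], 0
    for record in records:
        if is_expired(record, now):
            purged += 1
        else:
            kept.append(minimise(record))
    return kept, purged


# Constructed sample: what an over-eager sign-in form might have gathered.
REVIEW_TIME = datetime(2020, 9, 1, 9, 0)
SAMPLE_RECORDS = [
    {"name": "A. Patel", "phone": "07700 900123", "visit_time": "2020-08-05T12:30:00",
     "email": "a.patel@example.com", "date_of_birth": "1980-01-01"},
    # Exactly one hour older than the cut-off, so it must go.
    {"name": "B. Jones", "phone": "07700 900456", "visit_time": "2020-08-11T08:00:00",
     "card_last4": "1234"},
    # One hour inside the window, so it stays, but the email is not needed.
    {"name": "C. Lee", "phone": "07700 900789", "visit_time": "2020-08-11T10:00:00",
     "email": "c.lee@example.com"},
    {"name": "D. Okafor", "phone": "07700 900321", "visit_time": "2020-08-28T18:45:00"},
]


def sample_run():
    """Apply minimisation and retention to the constructed sample."""
    return process_records(SAMPLE_RECORDS, REVIEW_TIME)


if __name__ == "__main__":
    kept, purged = sample_run()
    print(f"purged {purged} record(s); keeping {len(kept)}:")
    for record in kept:
        print(" ", record)
```

Run it from a scheduled job against the real store and, crucially, apply `minimise` at the point of collection as well, so fields you never needed are never written in the first place.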
6. Create a strategy for cloud usage
Going forward, your business may want to move away from physical servers in order to adapt to a more hybrid way of working.
Cloud platforms should be chosen with care not only for usability but for data protection. Always check how the cloud platform stores data, and in which country. Their security should also be thoroughly evaluated in order to lessen the possibility of cloud hijacking – in the VMware/Carbon Black survey, 42% of respondents predicted that this kind of breach would become ‘very likely’ over the next 12 months.
7. Review third party agreements
Chances are that your business has undergone a lot of change, which means that your suppliers have probably experienced the same thing.
Check service agreements and question suppliers on their working policies and cyber security. You may wish to implement an audit of your third-party suppliers if they have access to any of your company networks, data or systems.
8. Make it easier to flag suspicious emails
VMware/Carbon Black’s survey of incident response professionals revealed the scale of hacking and phishing attacks in the wake of the pandemic. Of those questioned, 53% said that they had encountered or observed an increase in cyber-attacks that exploited COVID-19 by referencing cures, requests for donations or fake news updates.
Provide regular updates on new scams and risks to the business as well as protocols on what to do. Create an easy process for staff to flag anything suspicious and make IT or security personnel available to answer concerns or questions.
Going forward, scams are likely to focus on the personal stories of COVID-19 survivors, updates on the cure and bogus messages about unemployment or jobs, so make sure staff are aware of these tactics.
9. Enforce software updates
A remote workforce can make it difficult to ensure that everyone stays on top of software updates. Make sure these are enforced and explain how keeping up to date helps the business to resist cyber-attacks.
10. Reinforce back-up protocols
Create a rock-solid back-up protocol that takes a more mobile or remote workforce into account. It’s possible that a more hybrid way of working will be adopted in the future, in which workers may move between home and an office. This opens up the possibility of data loss, which can be mitigated with the right protocol in place: regular copies taken from wherever the device happens to be, and a routine check that those copies are complete and can actually be restored.
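A back-up protocol is only as good as its verification step, so the example below shows the part most protocols skip. It is an added example, not the article's own code or any backup product's API. It assumes a simple copy-to-folder backup with a hash manifest, and it builds a constructed laptop folder in a temporary directory, backs it up, then simulates the three failures a remote worker's backup typically suffers: a copy that went missing, a copy that was corrupted, and files edited or created since the last run.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large documents do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_backup(source: Path, backup: Path) -> dict:
    """Copy every file under source into backup and record a hash of each copy."""
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = sha256_of(dest)  # hash the copy, not the original
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare the manifest against the backup copies and against the live source."""
    manifest = json.loads((backup / "manifest.json").read_text())
    report = {"missing": [], "corrupt": [], "changed_since_backup": []}
    for rel, recorded in manifest.items():
        copy = backup / rel
        if not copy.is_file():
            report["missing"].append(rel)
        elif sha256_of(copy) != recorded:
            report["corrupt"].append(rel)
    for path in source.rglob("*"):
        if path.is_file():
            rel = path.relative_to(source).as_posix()
            if manifest.get(rel) != sha256_of(path):
                report["changed_since_backup"].append(rel)
    return {key: sorted(value) for key, value in report.items()}


def demo() -> dict:
    """Constructed scenario: back up a laptop folder, then break things and verify."""
    tmp = Path(tempfile.mkdtemp())
    try:
        laptop, backup = tmp / "laptop", tmp / "backup"
        laptop.mkdir()
        (laptop / "report.docx").write_text("quarterly report v1")
        (laptop / "notes.txt").write_text("meeting notes")
        (laptop / "budget.xlsx").write_text("budget figures")
        take_backup(laptop, backup)

        (backup / "notes.txt").unlink()                   # copy lost
        (backup / "budget.xlsx").write_text("garbage")    # copy corrupted
        (laptop / "report.docx").write_text("quarterly report v2")  # edited since
        (laptop / "new.txt").write_text("created on the train")     # never backed up
        return verify_backup(laptop, backup)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:22} {files}")
```

In a real protocol the `verify_backup` report is what should trigger alerts: a non-empty `missing` or `corrupt` list means the copy you are relying on is not there, and a growing `changed_since_backup` list means the schedule is not keeping pace with the workforce's movements.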
Creating a culture of cyber resilience
As we move through the pandemic and out the other side, more and more businesses will look to reorganise their infrastructure and policies to foster more cyber resilience.
Clients are also more likely to expect businesses they work with to showcase a new cyber awareness.
To achieve this, a business needs to put the right framework in place. One way of doing this is by implementing ISO 27001, the international standard for information security management.
ISO 27001 builds a structure of processes and procedures that help businesses to stay up to date with the latest legislation and regulations. It also requires businesses to put robust back-up protocols in place and develop a comprehensive risk management strategy to keep information secure.
As an international mark of best practice, ISO 27001 also showcases to new and prospective clients that you have the right policies in place to maintain information security and keep data safe.