Robin Clive-Matthews and Steve Mair
With the outbreak of the Coronavirus (COVID-19), there are an increasing number of employees working from home—either to prevent the virus spreading or because they have been required to self-isolate. While this will hopefully lessen the impact of the virus on business continuity, it is likely to put significant pressure on IT and security infrastructure as many businesses are likely not set up for a large contingent of the workforce to work remotely.
We thought it was timely to share some key suggestions for keeping your organisation running smoothly.
Non-technical mitigations for business continuity
Make sure that users know whether they can print when out of the office and, if they are permitted to do so, how to securely dispose of any sensitive documentation they print off. For example, using a cross-cut shredder may be acceptable while putting confidential documents in a recycle bin at home may not.
Update crisis plans
Review your business continuity and disaster recovery plans. Are there key personnel who must have corporate devices, and others who could be given extra leave instead? You may decide to focus on providing key services to clients and choose not to deliver all services all the time.
Check client contracts to confirm whether remote working is permitted and under what conditions. This is relevant if your staff are embedded on a client site, or if your team works with sensitive client data on your own site. If working from home is specifically excluded, talk to clients to agree acceptable working practices for the duration of the COVID-19 period.
Make sure that you have implemented two-factor authentication (2FA) for all users on every remote access path (VPN, remote desktop gateways, webmail and cloud applications), and that they all know how to use it. Internet-facing login pages are exposed to password guessing, credential stuffing and phishing, and 2FA is the main control that stops a stolen or reused password alone being enough to get in.
Make sure that all devices (company or personal) have been patched and have antivirus software installed, active and up to date. Ideally use application whitelisting, which is built in to Windows (AppLocker, or Windows Defender Application Control on newer editions) so that only approved software can run. Importantly, ensure your remote access solution itself is kept up to date: the gateway and its client software are internet-facing and will be the first thing an attacker probes.
Check for vulnerabilities
Make sure that your remote access solution has been penetration tested recently, and that any critical, high or medium issues have been resolved. This helps mitigate the risk that the remote solution is vulnerable to attack by malicious third parties and helps ensure remote access for legitimate users is maintained.
It is also important to consider user support issues. For example, if employees need to print from home on devices outside your normal printer fleet, how would you facilitate the installation of drivers, and how would you manage print jobs stored on personal printers?
Make sure you also consider the implications of requiring staff to use their home internet connection for work, including whether it is fit for purpose and how to handle technical issues with that connection. Consumer internet support tends to be considerably worse than business-grade internet.
Additionally, ensure that portable devices have a host firewall enabled, with inbound connections blocked by default on untrusted (public) network profiles, to protect them from other devices on home, hotel and cafe networks.
Consideration should be given to stress testing the remote access solution, so that your organisation has a good idea of how many concurrent devices can be connected remotely without adversely affecting performance. It may be necessary to improve the capacity of the remote access solution for the duration of this period while your network is experiencing higher numbers than usual of remote users.
Some organisations have chosen to split mass home working into groups, e.g. 50% of the company works from the office one week and the remainder from home, then the next week they switch over. Does your remote access solution have sufficient licences for mass remote working? Some solutions tolerate short-term licence overuse, but this may only be for a few days or a week.
Mitigations for Bring Your Own Devices (BYOD)
Cyber security is even more important if your organisation permits employees to use their own devices. Staff using their own devices bring about a number of other cyber security risks, such as sensitive data leakage and lack of central control.
To mitigate the risks around employees using personal devices:
- Make sure employees’ machines are running a supported operating system version with the latest security updates installed.
- If you allow BYOD to be connected to corporate networks, consider enforcing Network Access Control, or limit the machines to a segregated wifi network.
- Make a risk-based decision on whether non-corporate devices can be used if they do not have full disk encryption installed.
- Consider granting a temporary waiver for these extraordinary times, but beware of GDPR and requirements for company certifications, e.g. Cyber Essentials and ISO27001.
- Issue users with temporary corporate devices even if the device may not have the full specification the user is used to.
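The device requirements above (patched, antivirus active and current, application whitelisting, host firewall on for untrusted networks, full disk encryption) can be checked on a single Windows 10/11 machine with a short script. The following is an added example written for this page, not PGI's tooling or anything from the original post. It relies only on the cmdlets Windows ships with (Defender, AppLocker, NetSecurity and BitLocker modules; BitLocker needs a Pro or Enterprise edition), and the 30-day patch and 3-day signature thresholds are assumptions to adjust to your own policy.

```powershell
# Added example (not part of the original post): remote-working readiness
# check for one Windows 10/11 device. Run in an elevated PowerShell session.
# Assumptions: Defender, AppLocker, NetSecurity and BitLocker cmdlets are
# available (BitLocker needs Pro/Enterprise); thresholds are illustrative.

$maxPatchAgeDays     = 30   # assumed policy: at least one update in last 30 days
$maxSignatureAgeDays = 3    # assumed policy: AV signatures no older than 3 days
$findings = New-Object System.Collections.Generic.List[string]

# 1. Patching: newest update known to the OS must be reasonably recent.
#    Get-HotFix only lists updates recorded by Windows Update/MSU installs,
#    so treat it as a spot check, not an authoritative patch report.
$lastUpdate = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastUpdate -or $lastUpdate.InstalledOn -lt (Get-Date).AddDays(-$maxPatchAgeDays)) {
    $findings.Add("Patching: no update recorded in the last $maxPatchAgeDays days")
}

# 2. Antivirus: Defender real-time protection on, signatures fresh.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings.Add("AV: Microsoft Defender status unavailable (third-party AV or service stopped)")
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("AV: real-time protection is off") }
    if ($mp.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
        $findings.Add("AV: signatures are $($mp.AntivirusSignatureAge) days old")
    }
}

# 3. Application whitelisting: at least one AppLocker rule collection enforced
#    (EnforcementMode 'Enabled'; 'AuditOnly' only logs, it does not block).
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$enforced = @($policy.AppLockerPolicy.RuleCollection | Where-Object { $_.EnforcementMode -eq 'Enabled' })
if ($enforced.Count -eq 0) {
    $findings.Add("Whitelisting: no AppLocker rule collection is in enforce mode")
}

# 4. Host firewall: every profile on and blocking inbound by default; the
#    Public profile is the one that applies on home, hotel and cafe wifi.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.Enabled -ne 'True') {
        $findings.Add("Firewall: profile '$($fwProfile.Name)' is disabled")
    }
    if ($fwProfile.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall: profile '$($fwProfile.Name)' does not block inbound by default")
    }
}

# 5. Full disk encryption: BitLocker protection must be On for the OS volume.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $osVol) {
    $findings.Add("Encryption: BitLocker not available on this edition (cannot confirm full disk encryption)")
} elseif ($osVol.ProtectionStatus -ne 'On') {
    $findings.Add("Encryption: BitLocker protection is '$($osVol.ProtectionStatus)' on $env:SystemDrive")
}

# Summary: a non-zero exit code lets an MDM/RMM tool mark the device non-compliant.
if ($findings.Count -eq 0) {
    Write-Output "PASS: device meets the remote-working baseline"
    exit 0
} else {
    Write-Output "FAIL: $($findings.Count) issue(s) found"
    $findings | ForEach-Object { Write-Output " - $_" }
    exit 1
}
```

For a fleet, push this through your MDM or remote management tool rather than asking users to run it by hand, and use its exit code to gate access (for example, as a Network Access Control posture check). Note that a device running a third-party antivirus will report Defender as unavailable; substitute that vendor's status query in step 2 if that is your standard.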
As with nearly all cyber security responses, it’s your people who have the most influence over how smoothly your organisation copes with disruptions such as enforced large-scale remote working. Good communications are key: every individual should be asked to confirm that they understand what’s happening and why, and to commit to identifying potential problems early rather than in a last-minute panic. Some people will have to get to grips with applications and working techniques that they either haven’t encountered, or haven’t bothered with, up until now. In this sense, remote working could even be a positive in illustrating how the right technology (and behaviours) can keep us resilient in the face of this type of challenge.
If you need assistance with your cyber or information security measures, please contact us: email@example.com or +44 (0)845 600 4403