Authored by John Coletti, Chief Underwriting Officer & Head of North America Cyber and Technology for AXA XL, a division of AXA; and Aaron Aanenson, Director of Cyber Security for S-RM
Changing working patterns
With the ongoing spread of coronavirus, government guidance is changing rapidly. In many countries, healthy individuals are being asked for the first time to avoid unnecessary public exposure, for example at large gatherings, on public transport … and in the workplace.
As a result, many businesses around the world are now either planning for or actively implementing a business model involving far more remote workers than they had ever anticipated. IT and management teams are hard at work on the infrastructure and organization to facilitate this. In the rush to keep businesses working, there is a significant risk that security will not be properly thought through.
Good business cyber security practices, under any circumstances, should consider the following:
If the right level of security is in place, your business will be well-placed to fend off cyber security threats. Too little, and you are vulnerable. Too much security, applied in the wrong ways, and your employees will feel stifled and start finding workarounds, ultimately still leaving the business vulnerable.
Key security advice when building remote capacity
In this spirit, S-RM has listed below some key areas to consider when planning or deploying remote working capabilities.
Securing devices
One key consideration for remote workers is that they have laptops, mobile phones, tablets or other devices to work from. Many companies are now issuing additional equipment to their workers, to allow them to remain fully effective outside the office. But please be aware of the following:
Make sure you have effective asset management in place. Know what devices have access to your network and data, plan for any changes, and block or remove obsolete equipment from your network before it becomes a weak point in your security.
All company devices, especially any device taken outside the office, should be encrypted, protecting data if they are lost or stolen.
If you allow employees to use their personal devices, consider whether your corporate data is appropriately secured. Mobile Device Management solutions may allow you to secure data on these devices, or you may need to restrict what employees are allowed to access in the first place.
Don’t forget about the equipment that is still in the office! With employees working from home, is there sufficient physical security at your sites to protect servers, desktops, and other parts of your network from malicious actors?
As you move devices, employees and user accounts around, don’t forget the other parts of day-to-day security preparation. Strong passwords, secured and appropriate local administrator accounts, and control over the applications and services on your network, to name a few, are just as important as ever.
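The asset-management and encryption points above can be checked mechanically by reconciling who actually connects against the asset register. The following is an added illustration, not S-RM or AXA XL tooling; the CSV columns, device ids and connection records are constructed for the example, and a real deployment would read them from the MDM export and the VPN or identity-provider logs instead.

```python
"""Reconcile remote-device connections against the asset register.

Constructed sample data (hypothetical device ids, users and columns):
an asset register with status and disk-encryption state, and a few
connection records such as a VPN gateway would export.
"""
import csv
import io
from dataclasses import dataclass

ASSET_REGISTER_CSV = """device_id,owner,status,encrypted
LT-0001,alice,active,yes
LT-0002,bob,active,no
LT-0003,carol,retired,yes
PH-0101,alice,active,yes
"""

CONNECTION_LOG_CSV = """timestamp,device_id,user
2020-03-16T08:02:11Z,LT-0001,alice
2020-03-16T08:05:43Z,LT-0002,bob
2020-03-16T08:07:09Z,LT-0003,carol
2020-03-16T08:09:30Z,LT-9999,dave
"""


@dataclass(frozen=True)
class Finding:
    device_id: str
    user: str
    issue: str


def load_register(text):
    """Index the register by device id for O(1) lookups."""
    return {row["device_id"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(register_text, log_text):
    """Return one Finding per connection that violates the asset policy."""
    register = load_register(register_text)
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        dev_id, user = row["device_id"], row["user"]
        dev = register.get(dev_id)
        if dev is None:  # nobody knows this device: it should not be on the network
            findings.append(Finding(dev_id, user, "unknown device: not in asset register"))
            continue
        if dev["status"] != "active":  # obsolete equipment still able to connect
            findings.append(Finding(dev_id, user, f"device status is {dev['status']}: revoke access"))
        if dev["encrypted"] != "yes":  # data exposed if the device is lost or stolen
            findings.append(Finding(dev_id, user, "disk not encrypted: data at risk if lost or stolen"))
        if dev["owner"] != user:  # device in use by someone other than its registered owner
            findings.append(Finding(dev_id, user, f"registered to {dev['owner']}, used by {user}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(ASSET_REGISTER_CSV, CONNECTION_LOG_CSV):
        print(f"{f.device_id} ({f.user}): {f.issue}")
```

Run daily against fresh exports and the output is a short worklist for the IT team: devices to block, devices to encrypt, and register entries to correct.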
Securing your networks
If your endpoints and your servers are both appropriately secured, it’s important to make sure the two can connect! Access to your network should be easy for legitimate users, but blocked (or at least very difficult) for everyone else. Consider the following:
Securing employee connections
The network may be thoroughly secured at your end, but that data has to come from somewhere. As employees are based outside your secure environment, it is often up to them to make sure they are acting appropriately. You can help by providing them with suitable guidance (as discussed further below) on topics like:
Informing your employees
The points above are all important areas where you can provide guidance to your employees, but in fact clear and effective communication is one of the most important steps you can take in any area. Even if you have a clear plan and a secure infrastructure in place, without clear information employees will make mistakes, or else assume you don’t have a plan and start taking (potentially insecure or counterproductive) measures of their own.
Make sure employees are clearly informed, at least a week in advance if practicable, about what devices they can use, what services they can access, and how they should do so. Keep them up to date if this changes. Some employees may not have the access they need; you need to find a solution before they come up with their own! If access isn’t in place yet, employees should know when implementation is planned so they can act accordingly, and if at all possible, what alternative solutions are available in the interim.
Communications of this type are not just a matter for technical IT or Cyber Security teams. Communication with employees regarding remote access should be overseen by executive management-level staff. While the technical teams can provide the appropriate solutions and guidance that employees need, this information needs to be effectively prepared and packaged so it can be delivered in clear and simple language, using an appropriate method, and at an appropriate time. Importantly, the guidance or policy should be clearly backed by the senior leadership of the organization, to ensure that it has the authority and clarity needed to convince employees to follow the advice given.
As much as practicable, make sure you provide sufficient information to third parties as well, including any customers who need to access your network. They will also need to know how to contact you, how to access relevant services and infrastructure, and what you expect from them in terms of their own security. Make sure your planning and requirements are clearly in place, then let them know clearly and decisively what you want – and, if the situation changes, consider when it will be most effective to update them.
Planning for the worst
Any cyber security professional knows that no one is ever absolutely safe from a malicious attack. Combining the increased exposure from remote working with the confusion and short deadlines of responding to the changing coronavirus situation only increases that risk.
If you have effective cyber incident response, crisis management and/or business recovery plans in place, it is important to review them in light of your new operating environment. Can you access all the equipment you will need to test or reset? Is your data still being backed up to a secure site? Can your users still effectively report phishing or other indicators of cyber incidents? How are you going to maintain communication between the key crisis managers if all your laptops and mobiles get encrypted with ransomware? If your plan isn’t tested yet, now may be the wrong time to start – but at a minimum do all the relevant staff at least have a clear understanding of the plan, and how your current situation has altered it?
If you don’t have these plans in place, you likely don’t have time to build them right now, but it is important to at least consider the basics. Do you know where your key data is stored? Do you know what services are key to your business survival? Do you have backup communication channels, independent of your network? Do you have similarly separated, and regularly updated, data backups?
Most of all, in your current situation – who will be needed to respond to a crisis? Who else needs to be informed? How are they going to coordinate, and who will replace them when they need to get some sleep?
Evolving
As stated earlier, the global situation, and advice from governments, is changing rapidly. As time passes, businesses may have more time to implement additional measures and better adapt to the new situation; or new events may force them to continue to react. In either position, please bear in mind the following: