COVID-19 has accelerated the adoption of remote or distributed working, yet many businesses are potentially unaware of some significant cybersecurity risks inherent in remote working. In this blog I highlight these risks and look at what your strategic response could be.
This blog is based on an interview I gave to the Adviser Talk podcast.
‘The best time to plant a tree was 20 years ago, and the second-best time is right now,’ goes the ancient Chinese saying. The same applies to ensuring that your business is prepared for the risks and opportunities in a world that has accelerated towards distributed, digital workforces in its response to COVID-19.
You might be considering digitising and optimising your internal processes in pursuit of productivity gains, or moving your offline business online, to compete in a COVID-19 and post-COVID-19 world. A key focus area for business leaders in these turbulent times should be enabling a seamless transition to an operating model that supports distributed/remote working while also ensuring business continuity and security.
Enabling your staff to work from home (WFH) is an integral part of this approach. While New Zealand has opened up again after the initial lockdown, the desire to keep up at least some remote working is strong in most sectors. There is also the possibility of a second COVID-19 wave flaring up, resulting in another full or partial lockdown on a local, regional or national basis.
Digital transformation was disrupting business models even before the COVID-19 era – the digitisation of manual processes, properly done, is a sure path to improved productivity. Not only that, but when teams are working remotely, cloud-based services and online processes help to ensure that everyone’s on the same page, even if they’re not in the same space.
Three areas of cybersecurity risks in WFH environments
We’re seeing increased risks from remote working in three key areas: personal risk, business risk and government risk.
Staff are working from home, often over insecure WiFi networks and without firewalls. They’re accessing their usual personal sites such as banking, shopping, and social media – which is frequently done from home – but now they are also accessing business systems and data, and/or government systems or infrastructure, from home as well.
If your distributed workforce doesn’t have the correct protection on their computers, or they aren’t using a secure WiFi network, a firewall or a certificate-based, always-on VPN, then it’s likely that their access to those enterprise or government systems, or their personal data, could be insecure and vulnerable to a compromise or exploit.
Currently, the biggest targets for cybercriminals are these inadequate and vulnerable WFH setups. This has created the “perfect storm” for cybercriminals to access enterprise or government systems and to exfiltrate company data, personal information, financial information, or company intellectual property.
We’re seeing emails being attacked, malware on websites, ransomware, phishing attacks, man-in-the-middle attacks, hijacked mailboxes, invoice and identity scams, and extortion occurring more regularly around the world. These cyberattacks are being perpetrated by individuals as well as by organised crime and criminal gangs, and in some cases are even funded by state actors (i.e. rogue states are funding cyberattacks).
Historically, to steal or to destroy something, you had to actually be physically present onsite. Now, a nation state or a criminal can undertake a cyberattack from anywhere in the world against any business, government or person. Rogue nation states and their cyber armies, or criminal gangs, and even highly focused individuals, all present real risk in terms of individual or enterprise property theft or attack on a country’s infrastructure – and all of this remotely.
How can distributed workers (and your business) be protected?
What do you do if your staff are working from home and/or working off site? End users need, at a minimum, endpoint security protection on their laptops and on their mobiles, which helps protect against some of the types of attacks outlined above.
Here are seven basic security measures that businesses need to put in place for distributed workers and WFH workers to be secure:
- Implement an endpoint protection solution for laptops, tablets, and mobiles. It should combine most if not all of the following: anti-virus, ransomware protection, anti-malware protection, data-loss protection, intrusion protection, anti-exploit technology, and web and application control.
- Implement a mobile device management solution (MDM solution) to help control and manage personal and work laptops, tablets, and mobiles.
- Use secure or encrypted networks – ensure that any WiFi connections are encrypted. At a minimum, use a basic firewall at home and/or certificate-based, always-on VPN connectivity to the office and its systems.
- Set up password manager software so that passwords can be long, unique for each website or service, and regularly changed.
- Put company policies in place that require multi-factor authentication for every login to any significant system.
- Conduct audits, provide cybersecurity and phishing training, and distribute regular reminders of best practice against cyberattacks.
- Develop a plan and a pathway to improve security across your organisation as well as a disaster recovery and business continuity plan in the event of any successful cyberattack.
Mandatory disclosure of data breaches will shortly become a reality in New Zealand. A number of countries have already introduced mandatory reporting for significant cyberattacks and theft of customer or public information. Companies will be required to notify both the Privacy Commissioner, and any individuals whose data is compromised, about a cyberattack on their business if the breach has caused, or is likely to cause, serious harm. Now is the time to start preparing.
Managing employees that leave
Desperate times cause people to behave in desperate ways. Businesses need to protect against malicious behaviour, and remove any temptations by shutting every door possible for malicious activity.
When someone leaves a company, there should be a process that removes their access to various systems and applications. Running single sign-on (SSO), a method that ensures that a user connects to all of the company’s systems with a single user ID, is a sound strategy.
It’s beneficial for onboarding because you can quickly add new staff to a number of systems and applications, and you can control hierarchically what they have access to. Conversely, it’s also excellent for offboarding or exiting someone from the business, because in a single command, you can remove all rights to systems and applications. You can rest assured that they can no longer gain access to any of your enterprise systems.
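The single-command removal described above reaches the applications that log in through SSO. As an added example (not part of the original post or the podcast interview), the Python below reconciles a constructed identity-provider export against constructed per-application account lists and flags accounts with their own local login that stay enabled after the user has been disabled. The CSV column names and all sample data are assumptions.

```python
"""Offboarding reconciliation: which accounts survive an SSO disable?"""
import csv
import io

# Constructed sample data (assumed column names, not from the original post).
# Identity-provider export: one row per user with the account status.
IDP_EXPORT = """email,status
alice@example.com,active
bob@example.com,disabled
carol@example.com,disabled
"""

# Per-application account export. auth_method is "sso" when the app delegates
# login to the identity provider, "local" when it keeps its own password.
APP_EXPORT = """app,email,auth_method,enabled
payroll,bob@example.com,sso,true
crm,bob@example.com,local,true
crm,alice@example.com,local,true
wiki,carol@example.com,local,false
fileshare,Carol@Example.com,local,true
"""


def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def residual_access(idp_rows, app_rows):
    """Return sorted (app, email) pairs still usable by IdP-disabled users."""
    disabled = {r["email"].strip().lower()
                for r in idp_rows if r["status"] == "disabled"}
    findings = []
    for r in app_rows:
        email = r["email"].strip().lower()  # apps often differ in letter case
        if email not in disabled:
            continue
        # An SSO-only account cannot start a new login once the IdP account
        # is disabled; a local credential works until removed in the app.
        if r["auth_method"] == "local" and r["enabled"] == "true":
            findings.append((r["app"], email))
    return sorted(findings)


if __name__ == "__main__":
    for app, email in residual_access(load(IDP_EXPORT), load(APP_EXPORT)):
        print(f"still active: {email} in {app} (local login)")
```

Running a reconciliation like this after each departure turns the offboarding process into something that can be audited rather than assumed.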
Start planting that tree
As more companies embrace flexible or distributed work practices as a result of COVID-19 and the ongoing level of uncertainty, cybersecurity becomes increasingly important. Personal data, financial data, intellectual property, and enterprise and government systems that can be accessed remotely all need to be secure and protected.
When it comes to a company’s business continuity and disaster recovery planning, cybersecurity considerations are key. With the increased focus on this area, now’s a good time to ‘plant that tree’, and leverage cloud infrastructure and cybersecurity platforms that can help you secure your business in a cost-effective and manageable way.
Ensure your team is able to remotely and safely access and manage critical business data, regardless of where they’re working. Schedule a time with Martyn to discuss your organisation’s remote working strategy now.