
Cyber security and the new way we work

Jul 16, 2020

Uptake in remote working brings about big cybersecurity issues. How can organisations keep themselves and their end-users safe? Ross Spelman outlines the best ways to mitigate the risks.

It is nearly four months since most businesses in Ireland moved to remote working from home. It was evident early on in the crisis that most organisations coped well with the initial challenges, exceeding expectations in delivering remote working and collaboration capabilities at scale. The investment of time, money and effort in business continuity and crisis management planning paid off for many organisations and essential services providers. Many organisations across all sectors have executed their crisis management strategies with relative ease. Security, however, can often be sacrificed in times of rapid change – not just the direct implications of technology changes, but also indirectly through changes to behaviours and processes.

More “mature” organisations (from a cyber perspective) were able to introduce essential technology solutions by making smart, quick risk-based tactical decisions, without sacrificing security or compliance. While security is often described as a “non-negotiable” by the C-Suite, it is not easy for the security function to push back on a widespread Zoom or Teams deployment due to security, configuration or privacy concerns.

Addressing these concerns early on has been vital in the successful introduction of these solutions, as demonstrated in the media since April (and before).

The risks in our new way of working

The transition into the next phases of the crisis and beyond into the new ways of working will present several risks, including the potential for complacency. Organisations will need to remain vigilant and closely monitor the evolving threat landscape and their threat profile. They should continue to make users aware of their security obligations and provide guidance on specific risks. Broad phishing attacks, for example, have been reported globally since the outset of the pandemic, and now we are seeing an increase in targeted spear phishing attacks, particularly against the healthcare industry and pharmaceutical companies. Phishing attack simulation exercises should be considered to heighten awareness.

Safe computing practices

It is critical for organisations to provide continuous guidance to end-users on safe computing practices. End-users may begin to work from alternative locations including public places, such as local coffee shops, which may introduce risks. Even at home, guidance should be provided for remote workers on securing their environment, including the secure configuration of home wireless networks and the dangers of unauthorised software installation and shadow IT. These are potentially significant risks.

Above all, multi-factor authentication should be in place for all users connecting to the corporate network remotely from anywhere, and organisations should review the appropriateness of their existing identity and access management solutions.

Enhanced security monitoring

Other considerations are to enhance security monitoring and testing processes. Reviewing and improving the scope and granularity of end-user systems and access monitoring will help to ensure that organisations have a comprehensive view of remote user activities with no gaps, particularly for remote users with privileged administrative access. Additionally, increasing the regularity and breadth of vulnerability assessments and penetration testing will provide added assurance.

Critical resource planning

Critical resource planning is another area which can often be overlooked during a crisis. Organisations should be looking at succession plans and already have a strategy in place to ensure that they have a level of resilience for critical cybersecurity roles. This can be achieved by documenting critical procedures and cross-training across the wider team. Reviewing crisis and incident management practices for ease of execution by a remote workforce is important, and should include both incident response and data breach requirements.

Trust but verify

The old saying “trust but verify” is very apt when it comes to remote working. Organisations should review and enhance their monitoring capability to account for their ever-evolving threat profile. This should include additional security testing and reviews of the security controls for the remote workforce. Planning for the worst is a proactive approach.

Organisations should consider all facets of their third-party relationships, including security questionnaire responses, service level agreements and contractual obligations in supporting the organisation to continue to operate securely. A good understanding of cyber threats and existing vulnerabilities is fundamental for effective cyber risk management.

With a surge in remote access, an organisation’s identity and access management, VPN and security information and event management solutions will increase in priority as critical components in a defence-in-depth approach to security. Reviewing, testing and monitoring all aspects of these controls is critical. Additionally, encryption and data loss prevention solutions are crucial for protecting data on end-user systems and devices.

Finally, by educating users on the cyber risks associated with the current crisis and secure remote computing practices, the likelihood of end-users being compromised will be reduced.

Ross Spelman is Director of Cyber Risk Services at EY Consulting.