In May 2020, the UK government introduced ‘COVID Secure’, a program to reduce the risk of COVID transmission in the workplace, including limiting the number of employees in the building at any one time. Fast forward to July, and we see café chains closing because footfall from ‘office’ staff has not picked up and the Government is now ‘advising’ we should be going to the office, where it is safe to do so. We see companies like Google not welcoming back their employees to the office until April 2021 at the earliest, and many other companies following suit. When speaking to organisations, there is not one that expect their working pattern to go back to pre-covid.
With COVID Secure being discussed at board level up and down the country, I believe we should borrow the phrase for Cyber Security, we need our organisations ‘COVID Secure’ to protect against a successful cyber-attack.
If you are looking down from 10,000ft on your organisation in July last year to today, the organisation’s footprint is highly likely to be completely different. You have users who have never worked a day at home before, working from home fulltime, you will likely have new collaboration tools, you may have new remote access solutions and you may have implemented new SaaS solutions such as Microsoft 365. Many organisations are telling me they had to make snap decisions to ensure their businesses were able to operate efficiently, and often this came at the detriment to their security posture.
Hence wanting to borrow the term ‘COVID Secure’; is your organisation secure in this new landscape, the new tools you have in place, users having different distractions, we have all been on a video call when someone has had to go and answer the door or their child has popped into the room, it’s becoming normal?
What I am about to say is nothing new, but it is extremely important to our organisations, some may challenge this, but in my opinion, now more than ever:
“Reducing your risk is a mix of People, Process & Technology”
Your users are becoming more comfortable working in their new environment, the kitchen table, however they still have those distractions I spoke of earlier, they are being targeted by the attackers, I am not sure if there is one vendor who hasn’t mentioned the increase in COVID-related email attacks. It is crucial that continue to educate our users, that they can be both our first and last line of defence. Educate them on the current challenges in this new environment, provide them with examples of what to look out for. Educate them to flag suspicious items to their IT & Security teams. Do not create fear of flagging that they may have made a mistake; the difference between them advising and not could mean the difference between one machine being compromised to the whole network being compromised.
We have had to make snap decisions as mentioned earlier; however, we need to ensure we now reverse engineer those decisions and ensure our processes are being followed. Was your change control process followed? Has your risk register been updated? How many firewall changes were made to ensure you could continue to operate? The stats show us that 94% of breaches due to the firewall were as a result of misconfigurations.
When it comes to technology, you still require the same visibility, the same granular control but you need more, you need to protect corporate devices on non-corporate networks. Networks that have machines with outdated operating systems, no anti-virus, these networks in some cases create a back door into your previously secure corporate network. Many organisations have found themselves with no visibility, limited control and back doors into their network due to those snap decisions made earlier in the year, when their normal processes were not followed. The attackers always have a march on us ‘defenders’ at the best of time, without control, without visibility, their job just got easier.
So: Is your business Cyber ‘COVID Secure’?
Guest Blog by Karl Alderton, Charterhouse Voice & Data Group
Charterhouse deliver technology solutions that drive business success, with our cyber security solutions helping businesses to protect critical data, users and customers, and to achieve and maintain compliance. We help you identify your security vulnerabilities and integrate a range of technologies to help mitigate the threat of security breaches. Our security expertise covers every enterprise requirement, from network security, mobile security and security consulting to compliance and governance. Karl Alderton, Cyber Security Technical Account Manager, with over 10 years of expertise, is a key member of our Cyber Security Practice.