With the UK continuing in a state of enforced lockdown due to Covid-19, I’d like to reflect on what the data and information security industry has achieved to enable safe and secure home working across multiple industries, and to look at what security professionals should be doing right now and be considering as we plan recovery to a recognisable state of ‘normal’.
Pace of change in working practices achieved across the country in organisations of all sizes has been nothing short of phenomenal; technology and information security teams have excelled to ensure organisations remain viable with workforces forced to work from home, equipped with the tools, processes and training by which to work securely.
Mature and immature organisations have had to increase their resilience rapidly through necessity and have faced the steepest uphill learning curve they have ever experienced.
Rapid decision making and extensive testing of business continuity plans driven by the power of an unplanned crisis has become the normal, driving enormous innovation and change; organisations will now be questioning the need for large offices with thousands of colleagues working closely together, and consequently re-evaluating how they maintain the security of their data and information security assets effectively in the future ‘normal’ world yet to be defined.
In the face of so much rapidly enforced change and with the uncertainty of what the future will look like, company executives across the country will be looking to information security professionals to provide leadership to define the secure networks and cloud based solutions of the future.
We must look after our information security teams as front-line workers; current acute pressure on information security teams and CISO’s is no doubt intense and must be recognised and managed to avoid fatigue and burn-out. Organisations must make sure these teams are looked after, are encouraged to take time out of work and enjoy family time, and to take holidays at home – see my previous article – Supporting CISO’s and Reducing Stress – Feb 2020.
We must not allow complacency now; messages from 10 Downing Street are as relevant to maintaining data and information security assets as they are to maintaining social distancing.
We should now be reviewing everything implemented since lock-down in detail, and make sure we are totally confident we have implemented the right technology tools, processes and training to facilitate ongoing secure home working, and that everything is working as designed and as expected, and can be maintained. If you have been forced into ‘cobbled together’ solutions with security vulnerabilities in place to allow home working now is the time to invest and make fast but well considered changes for the long term.
We should be reviewing systems logs to see how our dispersed workforces are adapting and make sure that insecure workarounds and unauthorised apps are not creeping into the organisation, which could introduce significant vulnerabilities and unravel existing defences.
We must maintain the basics and keep patching right up to date; if your patching programme has previously fallen behind now is the time to take hold of patching and re-establish an achievable plan across all your platforms.
We have to continue to review all of our current defences, our logging and alert reporting, our intrusion protection and detection systems, our data loss prevention tooling, our phishing defences, our ‘bring your own device’ policies and tools, all with renewed focus on remote working from home across the internet being the new normal.
Our ongoing training is more important than ever to ensure that our teams are aware of the added risks and potential vulnerabilities introduced by working from home; we must keep them questioning their home working environment and their ways of working, remembering that they can be our greatest asset in defending our data and information.
Completely free and with no obligation during Covid-19 lockdown, many excellent information security training modules are available from a number of ukdatasecure’s associate organisations, as well as many other on-line public domain training tools, all of which can be made easily available to our colleagues for them to use at home.
Focus should be on topics most relevant to working from home, and on attacks that have increased during Covid-19 lockdown, such as targeted phishing attacks – see my previous article – Spike in Email Scams Linked to Coronavirus – March 2020.
Organisations should maintain and consider increasing frequency and scope of vulnerability testing to ensure technology and tools provided to our colleagues to work from home are as secure as if they were when working in the office.
We have a responsibility to review and update our business continuity and incident response plans; many of these will have been tested harder than ever before over the last few weeks and now is the perfect time to update them and re-publish them with real life experience fresh in our minds.
And my final reminder for now, we must not lose focus on compliance obligations, especially PCI DSS and GDPR; remember that these need maintenance all year round and the controls that we have in place may not be as effective or may need adjustment in the home working environment, with consideration to how external auditors can achieve the same level of assurety remotely as would have previously been achieved on site.
I have added hyperlinks throughout this article to point you in the right direction of multiple resources, and have included some further hyperlinks here from trusted sources which you will find useful to support you at this critical time:
ukdatasecure can help you with any of the challenges raised above and we can be contacted directly by calling 02380 972006, or by emailing stuart@ukdatasecure.com today for an immediate conversation.