How have we coped through lockdown?
Almost every organisation knows there’s a significant security risk when it comes to remote working. The (real) virus has re-shaped our professional existence and IT security faces challenges undreamed of six months ago.
Companies must digest the lessons and apply them to a more permanent model for remote working.
The vast majority of companies (83%) in a recent survey for Tanium reported they felt prepared to shift to a fully remote workforce, yet 98% of them admitted they faced security challenges in doing so.
Common security issues included identifying new devices on the network, excessive VPN traffic and video conferencing. According to 92% of respondents, a rising incidence of cyber-attacks compounded these issues.
So… how did we really get on?
The security practitioners SC Media spoke to gave us their perceptions of how cyber-security coped under lockdown, based on conversations with colleagues across the industry.
Richard Starnes, chief security strategist at consultancy Capgemini, said their research found an extraordinary 667% rise in spear-phishing attacks since the beginning of the Covid lockdown. “The hackers know that many people are working from home and they mean to take full advantage of the situation,” he told SC. “For the most part, the attacks have been less successful against companies who already have a mature work-from-home capability,” he said.
A CISO for a challenger bank told SC that organisations such as theirs were well prepared for home working because their services were already cloud-based, meaning staff could relocate anywhere they had a decent broadband connection. He said this contrasted with other organisations in the middle of migrating to cloud IT or still reliant on on-premise, legacy servers.
Home alone and GDPArrgh!!
One of the big challenges in the transition has been communications, with the business reliant on employees’ home IT, as Nick Ioannou, security consultant at Boolean Logical, said. “Not everyone may have a company mobile or even have a good mobile signal. VOIP and other host telephone systems are useless if the home internet is having issues – together with fix lead times of over a week.”
Companies have had to teach their staff how to secure their home networks and segregate the usage of their devices, among other things, as Zsuzsanna Berenyi, head of cyber security awareness and culture at the LSEG, explained: “You need to show employees how to secure their home networks as they don't have the robustness of a business network at home, so it's important that we provide guidance and practical advice that make a big difference to protect data, eg, securing routers and setting up separate networks for work and children, as well as reminding them not to share company devices with family.”
Another key message organisations need to convey to staff is vigilance. “We are at home, we are more vulnerable as many of us have to juggle busy family life and different responsibilities along with working,” Berenyi said. “I do think this unfortunate situation helped many businesses in cyber-security to embed and practise secure behaviours as it is so personal when we are working from home for such a long time.”
Ioannou added that organisations needed to pay particular attention to data protection. “I would guess that a lot of GDPR-related personal information is now on a vast number of unknown systems,” he said. “Every business will be different, depending on how staff are accessing business data.”
From adversity… improvements
If cyber attackers have seen Covid-19 as an opportunity to launch yet more attacks against organisations, it has also been an opportunity for organisations to upgrade their security practices.
Tanium’s survey found that cyber-security has a new focus: most organisations report cyber-security is a priority (69%) for remote working, ahead of avoiding business disruption (14%) and protecting intellectual property (17%) – a welcome boost for our sector and industry.
Starnes said: “Many companies have been forced into working from home. This doesn’t make for a well thought out, well executed transition; but, many will now be in a better position to realise the benefits for the company and its employees.”
However… “Properly executed, a work-from-home strategy will not extensively change the security profile of most companies. ‘Properly executed’, being the attention phrase.”
Our challenger bank CISO said lockdown had undoubtedly increased the pace of cloud migration. “Organisations are now moving into cloud because they know they can ramp up and down their operations as needed. This has provided the focus for something that’s been there for a while – but as more of a long-term aim than an immediate plan – to make the jump to public facing cloud infrastructure,” they said. “Now they just have to do it.”
Berenyi said that although remote working was thrust upon organisations, staff have not only proved they can work effectively from home but it has also allowed them to demonstrate they can do it securely.
Home working due to the Covid-19 pandemic has caused an epidemic of cyber-attacks, but thanks to cyber-security practices and the vigilance of staff, home working looks like it will remain a feature of professional life for the foreseeable future.