New Year, new lockdown. After a well-deserved break over the festive period, organisations once again have to support staff working remotely and ensure that their data and commercial interests are protected.
It is difficult to maintain security awareness when you are working in a comfortable environment and distracted by pets, partners and home-schooling children. So what can you do to reduce the likelihood and impact of a security incident arising from remote working?
In all scenarios, I suggest the information security and leadership teams start with a risk assessment. Do you know what you need to protect, from whom, and why? If not, you cannot target your protection activity at the right areas. You should already have an information security risk assessment, so updating it for remote working should not be an onerous exercise.
Review your security controls and whether they are appropriate for full-time remote working. What do you need to do about physical security when people are working in their own homes? Would multi-factor authentication and a VPN protect remote access better than a complex password policy (which adds friction for staff without stopping a phished or reused password)? Could you run weekly (or even daily) online surgeries on specific areas of vulnerability or risk? Have a look at the NCSC guidance on home working and the NIST publications for the latest expert insight.
Then remind your staff how to report a security incident. Don't make them feel embarrassed, or that reporting is a disciplinary matter. As the security team, you want to hear about incidents so that they can be contained and prevented from happening again. A culture that learns from mistakes and encourages honesty is a key tool in the security armoury.
Support your staff by reissuing your acceptable use policy in plain language, with a short list of top tips. Help your staff to help you by making it easy for them to understand and apply security in their home environment. Remind them to lock their screens whenever they step away from a device. Make sure they understand why software and devices must be kept up to date, and that they know how to apply the updates. Above all, make sure your staff know the key actions you require them to take.
Now that you have completed the basics, it is time to take stock and consider your wider threat landscape. This guidance from the NCSC remains useful for all organisations and should not be treated as a one-off exercise. Look at your supply chain threats, your cyber insurance and your service agreements, and update your risk assessment to reflect what you find.
The art of effective information security is to always look forward: where will your threats originate, how will they be exploited, and what impact would a security incident have? Covid was unforeseen, and its impact has been greater than any of us imagined. But although your threat landscape may have expanded, this is an opportunity to demonstrate the value of information security to the organisation. A risk-based, evidence-based approach that provides pragmatic, realistic responses to changing business needs and environments will earn more kudos than any number of PowerPoint presentations, MI reports and phishing exercises.
The threat from remote working is real. Carpe diem.