COVID-19 brings security headaches as businesses roll out remote working in days
Social distancing to slow the spread of COVID-19 has presented IT departments with the enormous challenge of setting up almost all employees to work at home with only a day or two to prepare, and a heightened business continuity challenge. Working from home increases data protection risks all round and there’s been little time to update remote working policies.
In a crisis of this proportion, business continuity plans kick in and organisations providing critical services have sent key IT specialists home to self-isolate so that they will be ready to step in if colleagues should fall ill.
Data protection and remote working
Having so many people working remotely and using video-based collaboration tools needs an extra measure of bandwidth and different ways of working. Some organisations are routing their traffic through alternative third-party networks to provide enough capacity for so many staff to use video conferencing and collaboration tools at home.
Working from home also relies on the home broadband network, which will look very different to a corporate network. Most home networks have a Wi-Fi component which may not be fully secure, however a VPN can be secured. If there is a VPN in place, employees can safely use SaaS via a secure connection.
Taking laptops home increases the risk of a device being lost or stolen, with the added risk of breaching the GDPR and the large fines associated with that. The ideal defence against this would be to encrypt the data and the connection, to protect access to corporate data if the machine should fall into the wrong hands.
How to secure more endpoints and devices?
With so many people now working from home the endpoint attack vulnerabilities will inevitably increase. People are using smart phones, laptops and PCs with varying levels of security and possible vulnerabilities in the operating system, network or browser. Any of these could allow back door entries for malicious operators, and COVID-19 has caused a surge in malicious attacks which may be harder to identify when employees are working from home.
While the biggest concern is that thieves or hackers might gain access to a laptop and it’s data, there are also fears that other family members may innocently borrow the office laptop for games and entertainment, and download apps and material that have no place on a corporate device.
Computer Weekly reported that the greatest concern for CISOs is whether they can maintain their organisation’s IT security policy during the period that staff will be working from home.
Experts advise stronger security measures
The Government’s National Cyber Security Centre recommends that organisations should insist on strong, separate passwords and where possible, two factor authentication. Smart phones and tablets should be secured with a screen lock, and all key data must be backed-up.
While we do not know how long the current situation will remain, the GDPR still applies and valuable business systems still need protection. At Northdoor, we are offering our cyber risk management tool RiskXchange free of charge to help organisations monitor and manage cyber-attacks throughout the current crisis.
Organisations that already have enterprise-wide security in place for remote access will be glad they made the investment when they did.
Tools for improved Data Hygiene
- Outsourcing data protection: adding expert Data Protection to your security force to gain GDPR compliance.
- Data masking: hiding data from those who don’t need to know.
- Encryption: a useful tool which helps organisations to achieve GDPR compliance.
- Cloud strategy – hybrid cloud or public cloud? The balance between cloud and on-premise IT may look very different now.
- Endpoint and application security tools such as anti-fraud solutions, ransomware security protection, or a security. intelligence platform all help to detect threats at the earliest stages, right across the enterprise.
- Cyber and third-party risk management tools: good for scenarios where data is shared with third parties.
- Managed incident response platforms: can potentially reduce the closure of security incidents to a few days.
- Industrialisation of GDPR: using automation to achieve GDPR compliance faster with less cost.
- Mobile device management: using AI to manage security across a diverse fleet of mobile devices.