As I mentioned in my last blog, myself and my colleagues at CyberCube are currently conducting research to model the likely effects, both short and long-term that the Coronavirus pandemic will likely have on businesses in the coming months through the lens of cyber risk. Early research has thrown up some interesting findings already so I thought that I would share some of them with you.
Our research into the potential effects of the current (and future) pandemics will eventually allow ourselves and our customers to build a picture of IT risk that spans both “mid-pandemic” effects (what changes whilst the pandemic runs its course) and “post-pandemic” (what lasting changes are we likely to see once the outbreak has been brought under control). Plenty of people predicted what was going to happen (for a good read, take a look at “Deadliest Enemy” by Michael T. Osterholm), but few were prepared. It feels like the least we can do is use current events to help map a model of the future and ensure appropriate security defences are in place.
In future blogs, I’ll turn my attention to subjects such as what new “cyber norms” might appear as we exit from global lockdown, on the increased reliance on cloud services and on what some of the general risk dynamics might change for various industries as a result of pandemics such as the current Coronavirus outbreak. First, though, let’s turn our attention to the business of “lockdown” and, in particular, the huge swing towards home working that this has caused in business.
An estimated 80% of commercial insurance policies do not include a communicable disease coverage or exclusion clause. Interestingly, a pandemic such as Coronavirus could lead to claims on a cyber insurance policy through circumstances that may not have occurred if not for the huge amount of home working forced by the global lockdown. These claims could range from loss of intellectual property through to claims related to equipment theft.
What are some of the dynamics in cyber security that could affect a change here as a result of 80-90% of the working population of a country working from home?
Let’s start with governance, risk and control (GRC). Whilst many businesses have been encouraging or at least supporting the concept of home working with their employees, many have not progressed as far as ensuring that corporate governance, as it relates to cyber security, is as good at home as it is at the office. Security governance can touch many areas but some key aspects are outlined here:
Communication networks – In most cases, employees are left to their own devices (pardon the pun!) when it comes to connecting to the Internet. Even where the use of a Virtual Private Network (VPN) is mandated for access to remote corporate resources, unsecured and poorly configured Wifi networks are often evident at home. This can lead to “man in the middle” attacks, theft of sensitive data, poor network quality (affecting productivity) and huge exposure to cyber crime involving the infection of home routers.
Non-corporate device usage – Increases in home working have been proven to lead to the relaxation of standards when it comes to “which” devices are used to conduct company business. Many of our homes are now littered with endpoint devices (I counted 16 at my house today and I’m sure I missed some), any of which could potentially be used for work. The failure of a mobile phone or a laptop can force workers to look for quick alternatives and the alternatives (little Maddie’s Ipad covered in breakfast cereal, for example) most often will not have been configured with corporate security in mind. A malware infection did not seem like a big issue whilst all that was available to the criminals was last week’s episode of “Peppa Pig” but now that the endpoint has some confidential client information or some engineering designs on it, things could go south very quickly.
Staff education – From the perspective of cyber risk, employees are exposed to different and more threats than tend to be in the office. Of course, one reason for this is simply that, whilst at the office, they are working within the relatively secure confines of a “behind the firewall” environment. Physical security is tighter and the IT department “have their back”. At home things are different. The aforementioned device and network issues create very compelling attack surfaces for the cyber criminal to play with and these, coupled with a lack of personal knowledge concerning where these threats can come from and what to do to avoid them can wreak havoc on the home network and, ultimately, corporate resources.
These three areas of security governance are by no means a definitive list, but they are not a bad place to start for workers at home.
So, if we have some priority areas to focus on, what are some of the things that the business should be doing, through good governance, to move the needle in these areas to minimise cyber risk as it pertains to home working?
Let’s start with the people. Often referred to as the “weakest link” in cyber security whereas, in reality and when well-educated and engaged, they can form a strong part of your cyber defence posture. Create custom-built cyber security training that is engaging, competitive, fun and specifically tuned to the home-working environment. Engage third-party specialists in this area, if necessary. Videos work. Role-play works. League tables and awards work. Steer clear of boring, multiple-choice quizzes and make the training something that the whole family can learn from. Believe me, your kids are exposed as is anybody online and they deserve this education.
When it comes to network and device use, mandate the following things to home workers and enforce the rules through inspection:
- Strong passwords on home routers and end-points
- Mandatory use of VPNs when conducting business from any device
- Multi-factor authentication for use of corporate applications
- Mandatory use of a reputable (not “Free of Charge” – you generally get what you pay for in security) Anti-Virus software with firewall protection
- Compulsory and provable updates to Operating Systems including latest security patching
- Mandated and managed system backups for all home devices that may be used for work purposes.
Again, not an exhaustive list but I would sleep better at night if I knew that all of my remote employees were operating at home on this basis. Like with everything worth doing in life, there is not a silver bullet to secure home working and it's as much about people as it is about technology. The current Coronavirus pandemic is doing a lot of harm. It should also prompt us to be better at what we do, whether that be at the office or at home.
