As of October 2020, we would seem to be dug in even deeper into the pit of the global Pandemic with no end game in our forward vision. Thus, those Remote Working, Out of Office forced conditions would not seem to be something that will be going away anytime soon – so time to adapt – not on a Tactical basis, but with long-term Strategy at the forefront of our minds-eye.
On the 27th of October I ran a Webinar which showcased the serious plight businesses are finding themselves in – picking up on the massive exposure that multiples of soft-belly SME’s (Small Medium Business) already face outside of the conditions of the pandemic, which have been reported by Cisco that 53% of such small businesses suffered a security breach in 2018 – with 4,500 of that SME grouping accounting for UK based organisations! Add to the Cisco findings a report published by NFU, who concluded that no less than 45% of businesses have lacklustre cyber defences in place, and one only may conclude that the size of the bigger picture in which unknown unknowns exist (unreported) will increase the number significantly!
The Webinar (see link below) which aired to a global audience of subscribers covered key areas which can get, on occasions overlook – for instance, forgetting that the implications of GDPR will follow the business data to the remote, home based office no matter its locality – with any shortfalls arriving back at the corporate door with a sharp set of teeth with which to bite, along with an awaiting pen to ensure the guilty party is fully lambasted and outed in the press. Here you only need look to BA, Marriott, Equifax, Yahoo, Talk Talk and many many more who can confirm the savage outcomes.
Webinar 27/10/2020: https://we.tl/t-NCjeyyqeTO
When considering the SME, I also focused on the use of very easy to use, secure solutions such as the O/S-Platform agnostic smart hardware based encryption solution out of the iStorage stables in the form of a FIPS-140/2 DATASHUR BT USB drive. What I particularity like about DATASHUR BT is that works with your Cell Phone, employing Facial Recognition, and 2FA to secure those golden assets of information. Thus, when you consider the low cost of such proactive security, as opposed to, say an imposed GDPR associated fine, and the bad stink it leaves wafting in the air, one may be left wondering just why any sensible business owners would not do the right mandated thing – beats me!
I was also considering those other potentially imposed risks which may creep into that out-of-sight ‘authorised’ home office environment, for example, but not limited to:
Classified Waste Control – paper
Data Retention
Secure Communications
Multi Home Computer access
Physical Security (or lack of)
Data Retention on disposed equipment (including Cell Phones)
Security Education and Awareness (again, or the lack of)
Computer Maintenance (Patch and Fix – Anti Malware)
Incident Response and Engagement
The list goes on……
I am sure that in many cases the aforementioned risks have been subject to a robust Risk Assessment, along with the delivery of the associated mitigation controls. However, I am also equally certain that there are many who are, let us say winging it with their individual approach to just-do-it security – and here, taking into account the above Cisco/NFU findings which relate to the on campus office, one may only imagine what the extended perimeter of enforced operations can do in the pandemic conditions to generate rise from just 45% with a potential of exponential growth!
Given the gravitas of the current pandemic, linked to the dire fact that many, both personally and professionally are still not following the rules. Here, it is time to start to take this global viral condition very seriously, that is, if we expect to conqueror this Chinese gift. It is now of paramount importance that the incumbent Security Teams and HR start to kick down some silo doors and work together to Risk Assess the demographics, migration, moments, and socially distanced mixes of their workforces. For example, in the East Midland, and many other UK locations (and of course the globe) we have various levels of restrictive Tiers in place at County and Community lines. Thus, here I would urge those who hold the people data (HR) to work with their businesses so as to direct an Internal COVID-19 Policy, which categorises their staff into pockets according to their locality and COVID-19 Tier, and to apply some restrictions as to:
Who may come into the office-environment?
Who stays away?
Who may mix with whom?
In this pandemic, security is a bigger animal than that of conventional of Cyber. We would never dream of introducing a potentially infected USB key into a computer network – the same applies here, we need to remember Malware spreads by logic, COVID-19 is spread by people.
John is the Principle at Shadow-Intelligence (Si), partnering with PALISCOPE, BreachAware and iStorage. He is a Visiting Professor at the School of Science and Technology, Nottingham, Trent University (NTU) and holds the appointment of Editor in Chief for the International Journal of Cyber Forensics and Advanced Threat Investigations (CFATI). For the last decade he has delivered training courses in the Middle, and Far East to Commercial, Industrial, the Financial Services Sector, and Military Agencies, including the UAE, US, Pakistan, Saudi Arabia, Malaysia (KL), Singapore, Argentina, and Sao Paulo
He served in the Royal Air Force 22 years’, specialising in Counterintelligence, working with UK Agencies such as GCHQ/CESG, and others in the fields of SIGINT, COMINT and Satellite Communications, holding appointments such as System ITSO for a CIA SCIF.
In the commercials sectors of IT/Cyber he has worked for/with Logica, Bae, T5, GM, Experian, Betfair, Palace of Westminster, House of Lords/Commons, TSol (Treasury Solicitors) and provided Consultancy to the Saudi Arabian MOD, TRA (Telecommunications Authority (Dubai) and the Military Academy of Malaysia (KL) on SOC, CSIRT, Digital Forensics and OSINT. Within the last 5 years he has focused on Geopolitics, with global expertise around the UAE and Russia, Anti-Terrorist Operations (ATO), Cyber-Warfare, Dezinformatsiya (Disinformation) and Maskirovka (Military Deception).
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.