The Covid-19 pandemic already presented a robust security challenge. As organisations rushed to adapt to remote working during lockdown, they also had to act quickly to shut down new security vulnerabilities that opened up. At the same time, the climate of fear and uncertainty meant there was fertile ground for phishing attacks. For the most part, best practice has prevailed – organisations have weathered the first wave of challenges and appear to have entered a period of relative calm. However, at best we are only in the eye of the storm. There are still going to be massive changes to working habits worldwide; economic crises; and the risk of further waves of Covid-19 and ongoing global upheaval. Organisations need to take advantage of this period to ensure they are prepared to weather the whole storm.
Security vs. access
The guiding principle of security has always been relatively simple: the more sensitive data is, the harder it should be to access. In the most extreme cases, this means ensuring data can only be accessed physically, in a single location. With employees increasingly remote and dispersed, this has become much harder – meaning organisations need to prioritise their strategy for ensuring employees can still access the data they need without increasing risk.
First, organisations need to be certain they are providing employees secure access to the data they need. Most organisations will have rushed to give employees laptops and other technology to ensure they can work remotely in the early stages of lockdown. They should now revisit these devices and confirm they are protected adequately – for instance, are laptops encrypted at either the hardware or software level? If employees are using their own devices or, as is highly likely, their own internet connection, do they have access to a VPN or other secure network to ensure data isn’t put at risk?
Data sharing
With employees’ devices and networks secured, the second question is how they will actually access data. In some cases, data will be so sensitive that the only option is to require employees visit the workplace – meaning the organisation has to take measures to ensure they are protected. Yet even when employees can access data remotely, the organisation has to choose its approach – whether this means encrypting the data so it can be shared over an unencrypted internet connection; keeping the data on encrypted servers that can only be accessed via a secure VPN; or even couriering encrypted hard drives with extremely sensitive data to employees.
Data storage
With remote devices such as laptops and mobile phones now embedded in networks, it is essential that organisations decide if their data is hosted in the cloud, on remote servers, or whether it is stored on these local remote devices. Often businesses decide to opt for a hybrid of options, so the security roadmap of a business should consider device storage with password protection, dual access keys to secure data at rest drives and storage mediums. Secure drives are especially important for protecting sensitive data when considering the risk of devices being lost, damaged, accessed by third parties or even stolen.
A frame of mind
More broadly, securing an increasingly remote workforce in uncertain times demands a change in mind-set. It may seem a cliché, but organisations should see this as the equivalent of a military operation. If each employee is seen as the equivalent of a unit in the field, then the correct approach to take becomes clear. Employees need to be given all they need in order to do their jobs effectively, but also avoid putting others at risk.
As well as technology they can trust, communications are essential to protecting employees and their employers. Whenever there is a new security risk, the whole organisation needs to know exactly what it entails and what action is required so that everybody can act in concert. This means sharing a clear message and plan, while also ensuring every employee has the connectivity they need to receive and act on them.
Organisations and employees also must trust that their colleagues not only know how to keep each other safe; but also that they will take the right actions when under pressure. This makes training paramount – especially when employees working remotely will both have greater freedom to act, and will be more isolated from support networks that can advise them and prevent them from making mistakes. Training should combine both knowledge so employees better understand the threats they face, and best practice so that they are drilled in the right ways to act in order to minimise risk.
No “new normal”?
Finally, adaptability is crucial. Organisations need to be constantly learning – both keeping up with new and evolving threats and understanding their employees’ habits to identify training requirements. At the same time, we don’t yet know what the world will look like in a year’s time: there may be further upheavals and new risks as industries and governments continue to adapt to changing circumstances. Those organisations that can make themselves more adaptable now will be much better placed to keep themselves secure in the future.
Managing Director
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.