A novel coronavirus has resulted in an ongoing outbreak of viral pneumonia in China, leading to a global catastrophe and the loss of hundreds of thousands of lives. The coronavirus (COVID-19) pandemic has changed our global society forever.
The storm after the calm
The sudden pandemic has forced many organisations and governmental departments to ask their employees to work from home (WFH) and stay in isolation. Coronavirus has altered the culture of work completely, whilst introducing many challenges. Some of the challenges are well-known, and some are new to us; however, the extent and pace of these challenges is changing exponentially.
The workforce exodus to online platforms has alarmed security professionals. Security firms and law enforcement, including the FBI, are warning of increasing phishing and other cybercriminal scams targeting a largely at-home workforce. Those firms that have invested in digital transformation projects are prepared to deal with the demands of the virtual workplace and secure their information assets.
This article discusses the challenges in securing data and information assets in the virtual workplace from the Confidentiality, Integrity, Availability and Compliance perspective - and provides some recommendations for securing the virtual working environment.
What is virtual working, and what are its challenges?
Digital communication and collaboration technologies develop rapidly. Such technological acceleration has enabled the physical distribution and spread of workers to remote locations where the most significant leverage can be achieved from the effort. The virtual working capability provides many benefits but brings its own set of challenges.
Maintaining a secure access control is one example of such a challenge. Cyberspace becomes a conflict zone, with organisations that lack adequate cyber defences, on the one hand; and many sophisticated cyber adversaries who are in a constant state of innovation to invent new techniques to let themselves into secure networks, on the other.
If organisations fail to adapt to the new reality and leave their security unattended, then they are falling behind. They need to push themselves and their teams to embrace innovation and modernisation - this would accelerate digital transformation, agility and automation, with sound and consistent risk management and effective security established across the organisation.
What are data and information assets?
‘The world’s most valuable resource is no longer oil, but data’. Data and information are vital to the success of most organisations; thus, they become valuable assets.
Such assets can be in the form of structured, semi-structured or unstructured data that is physically stored, not only in information systems, but in other forms like photographs; therefore, a data and information asset might even be a phone call. Personal data and intellectual property (IP) are the top two data types compromised in malicious activities, followed by financial data such as credit card data.
Cyber adversaries are more focused and are targeting more specific data that they perceive to have a higher monetary value. Securing data and information assets, thus becomes a number one challenge for all enterprises, and ensuring compliance with ever-tightening regulations on data security and privacy, such as GDPR, only adds to the challenge.
Why secure data and information assets?
Data and information assets form the backbone of businesses. Securing them from unauthorised access, use, disclosure, modification or destruction is one of the most critical tasks of any organisation. That said, most organisations do not know where to begin. The migration of workers to digital platforms and a WFH environment just adds to this already complex and chaotic situation.
Many employees use their own devices to access the corporate network. Some have no way of securing this connection adequately, and many have no reliable and secure internet connection at home in the first place. Additionally, many people lack sufficient understanding of the nature and complexity of methods used by cyber adversaries.
Ineffective security awareness and training programmes contribute to the institutional failure of many organisations to secure and preserve data security and privacy. Regardless of the use of the latest technologies and automation, human factors are still at the heart of cybersecurity.
How to respond to WFH challenges
Organisations must ensure operational readiness and capabilities, whilst continuing to maintain good cybersecurity hygiene to manage the broader risks associated with both employees and the business-at-large in the remote workplace.
People are at the centre of the #WFH environment and all technical and non-technical readiness must be user orientated. Securing remote connections and ensuring data security and awareness around malicious activities can only be successful if organisations onboard their employees effectively and adequately; no automation of system security would be adequate alone, without employee input. Recognising the implications of curfew and isolation on people and the psychological impact is vital.
NASA astronaut Scott Kelly, who spent a record 12 months in space in 2015/16, recommended setting and following a schedule to establish structures combining work and home life; thus, ongoing education and training for employees on how to deal with the challenges of working in isolation should be undertaken, alongside cybersecurity initiatives and activities. A comprehensive response package for data and information security should comprise the following core activities and control settings:
- Cybersecurity education and awareness training: there must be ongoing training with consistent and regular reminders of evolving cyber threats. Embed and champion the security aware culture with unique slogans such as: ‘Think before you click’, ‘Beware of phishing emails’, ‘Think secure’, ‘Refrain from believing and spreading rumours and misinformation’, ‘Be responsible while #WFH’, ‘Information security: Dos & Don’ts’. Continuously updating education and awareness training programmes is essential. Security awareness campaigns must be reviewed and evaluated regularly, in light of the evolving ways in which unauthorised access into corporate networks is being gained by cyber adversaries.
- Carry out full and comprehensive backups of all data and systems, enabling the organisation to quickly roll back or restore systems in case any cyber incident occurs.
- Take all necessary steps to secure remote access through technologies such as IPSec VPN, SSL VPN or Microsoft DirectAccess. They can provide the tools to ensure that anyone who accesses the organisations’ networks is authenticated and uses a secure connection. In addition, enterprises should consider:
- Multi-factor authentication for the verification of several independent authentication factors. This combination of components could include something the user knows (password), something they have (key fob) or a physical characteristic (fingerprint).
- ‘Least privilege’ policies should be in effect, ensuring that users are only given the minimum access required to do their job. The policy should apply to both internal and third-party users.
- Ensure passwords are difficult to crack by using strong password combinations.
- Lower organisations’ attack surface by patching every system as fast as possible, eliminating non-essential complexity and sanitising configurations and inputs.
The set of recommendations made in this article provide a basis for securing virtual workplaces, using fundamentals and essentials of cybersecurity practice. Enterprises should review the security of their architecture, application stacks, infrastructure, data, Cloud computing, endpoint & IoT and third-party services.
The current pandemic situation has pushed many more organisations to move their day-to-day business activities to the virtual workplace and remote working; however, the question is how this exodus and migration to virtual platforms should be done whilst prioritising security.
Organisations leave much to be desired in ensuring safety in the #WFH era. Such a transformation will be a massive cultural shift for many enterprises and demand significant resilience in people, technology and risk management strategies.
The shift in work culture can create unanticipated threats, since a higher burden is placed on remote-access systems that, if not correctly implemented, may expose them to the world wide web and impact organisations negatively through reputational and financial loss as well as regulatory non-compliance fines.
Additionally, the pandemic may force organisations to rush into rapidly embracing digital transformation, such as moving core services and applications to the Cloud, without having first carefully planned, tested, validated and secured their approach.
The fact remains that the coronavirus pandemic has impacted digital transformation and virtual working practices significantly, but with a strategic and pragmatic approach to security challenges, organisations can turn this adverse and bizarre situation into a successful operating model through which they can meet their stakeholders’ and regulatory objectives.