Managing IT risk - learning as we go
Enabling staff to work remotely during the pandemic has meant that managing IT risk has become a particular challenge.
As we all adjust to working remotely, this new norm has driven larger companies to change their working practices, almost overnight. Working practices that are supported by established policies and procedures are having to be completely re-evaluated.
Whenever a transformation programme is initiated, it generally finds its place near the top of an organisation's risk register and is nearly always considered a security risk. A technology-driven transformation programme is usually carefully planned with landmark dates and, under GDPR, must have at its core the principle of Privacy by Design and Default. This means that both the security of and access to data are maintained. Covid-19, however, has not afforded us the time to carefully plan, develop, test and roll out.
In addition to the speed of the transformation, it is also a very public one; attackers are aware of the situation and are exploiting it.
The first thought for management has generally been how to continue when the office, for many, is out of bounds. The answer for many was to turn to video conferencing. The use of Microsoft Teams and Zoom has expanded exponentially, with both developing their platforms on the hoof, and Zoom in particular initially found it difficult to keep up with demand. As of the end of December last year, the maximum number of daily meeting participants was approximately 10 million. In March this year, the figure reached more than 300 million.
This increase in demand has been driven by the corporate sector and has forced Zoom to move from a concept driven by ease of use and accessibility to a tool adopted at enterprise level, only to be found lacking in the security department.
Many of us will have read of Zoom’s issues in the press, where it was notably criticised for its security (or lack of it). It came under fire for something that has been termed ‘Zoombombing’: with a meeting ID, anyone could join a public video call and screen share, broadcasting whatever they liked. There were also issues around meeting data being shared. Ex-NSA (National Security Agency) hacker Patrick Wardle also identified a series of issues, including a flaw which left Mac users vulnerable to having their webcams and microphones hijacked.
However, with its Zoom 5.0 update in early June, many of the known issues were addressed, with a number of security features rolled out including encryption, the ability to report a user and a better password policy.
After considering how to communicate with employees and customers, attention turned to how to maintain some sort of continuity of service. The afterthought, which generally followed a few days or even weeks later, was “do these changes to working practices impact on our security?”
The office IT environment is capable of high levels of control and monitoring. Even where there is a mix of in-house and hosted solutions, the IT function is dealing with manageable and generally known issues.
The use of policies and tools allows an organisation to manage cyber risk: filtering traffic at the firewall, controlling access to routers and switches, ensuring that security patches are kept up to date, employing email spam filters and using tools to restrict and monitor access to the web. The increasing use of mobile device management tools also means that it can monitor and maintain security for managed mobile devices.
Remote working makes these tasks more complex and difficult to deliver. Many organisations, across all sectors, have struggled to source equipment, and this has resulted in people using their own laptops and desktops.
Anyone who has been shopping for IT kit over the past few months, especially for laptops, webcams and headsets, will have noticed that stock shortages are common and lead times are extending.
Communications from the home environment necessitate using domestic routers, switches and WiFi. These may or may not be secure and are outside the control of the IT department. Some staff may even have to use unsecured public WiFi networks, which are prime spots for malicious parties to spy on internet traffic and collect confidential information.
Access via VPN can add some security, but many smaller companies will not have the necessary expertise on tap to securely manage remote devices. For many in IT this represents a ‘loss of control’ that could impact on systems and data security.
Without the ability to monitor and manage the IT estate, the onus can fall on individual employees to show greater vigilance and, dare I say it at this point in time, ‘adherence to the rules’, where those rules have been reviewed and updated to accommodate the new remote working practices.
Since the start of the pandemic there has been a 600% increase in phishing attacks, and these are the sort of headlines that keep IT professionals awake at night.
The ICO have issued general guidance, the caveat being an assumption that the organisation will have “adapted their approach to ensure that data is adequately protected.” The guidance advises:
- Avoid the temptation to do things in a way you think is more convenient, such as sending emails through your personal account or using the video conferencing app that you use with friends for work calls.
- Only use approved technology for handling personal data.
- Consider confidentiality when holding conversations or using a screen.
- Take care with printouts: store them securely, as it is unlikely you will have access to confidential waste bins.
- If you have to work using your own device and software, keep your organisation’s data separate to avoid accidentally keeping hold of data for longer than is necessary.
- To avoid loss or theft of personal data, put printouts and devices away at the end of the working day if possible.
- Be extra vigilant about opening web links and attachments in emails or other messages.
- Use strong passwords.
- Communicate securely: use the communication facilities provided by your organisation where available. If not, password protect documents and share the password by a different channel, e.g. a text message.
- Keep software up to date.
There is more information on the ICO website.
By far the majority of security incidents and data breaches still require a certain element of assistance from us. Some companies invest heavily in cyber awareness training but still fall victim to a breach facilitated by the action of an employee. It has been a long-held view in some quarters that if we can link corporate objectives to personal objectives, then we will see greater engagement and a reduction in cyber incidents in the workplace.
Covid-19 has presented an opportunity to create such a link. By helping employees bring greater levels of cyber security awareness to remote working, we are also helping them protect their home environments and their own data, in addition to the employer’s data.
If we can link the safeguarding of corporate data assets with an employee’s desire to see their own personal data better protected, could that make instilling good cyber security practice an easier sell?
Five tips courtesy of the SANS Institute
1. Be Alert to Scammers.
Cyber criminals have learned that the easiest way to get what they want is to target you, rather than your computer or other devices. This happened to me while I was writing this article. A very polite gentleman called, said he was from Openreach, and informed me that my internet connection was running at a much-reduced speed and that, to help identify the fault, he needed to access my computer. My internet speed was fine, and I simply hung up. Another ploy is to email, claiming that your package cannot be delivered unless you confirm your mailing address by clicking on a link, which ultimately allows them to hack into your computer.
2. Secure your home’s wireless network.
To secure your wireless network, do the following:
- Change the default administrator password. An attacker can easily discover the default password that the manufacturer has provided.
- Only let people you trust connect to your network. Require a password for anyone to connect to your wireless network; with a password set, their activity is encrypted once they are connected. If you have workmen in your home, as we did, they may ask to connect to your WiFi if the phone signal is weak. Genuine as the request may be, don’t take a risk. If available, enable the guest network, or politely refuse.
- Make passwords strong. The password people use to connect to your wireless network must be strong and different from the administrator password.
3. Employ Multi-Factor Authentication if available.
Two-step verification is probably the most important step you can take to protect your online accounts. If your organisation has an Office 365 subscription, it is worth visiting the Microsoft site for guidance on how to implement it.
4. Ensure your devices, programs and apps are running the latest version of software.
Cyber attackers are constantly looking for new software vulnerabilities, and when they discover them, they use special programs to exploit them and hack into the devices you are using. By making sure to install the latest software updates promptly, you make it much harder for someone to hack you.
5. Don’t let anyone else use your work devices.
Something you most likely don’t have to worry about at the office is children, guests or other family members interrupting your work or using your work laptop or other devices. Make sure your family and friends understand that they cannot use your work devices, as they can accidentally erase or modify information or, perhaps even worse, accidentally infect the device with a virus.
The above tips were taken from the SANS Institute.
Steven Connors - Director, HWCA