Resetting security for the post-lockdown world
By Dónal Munnelly
As businesses enter a new era of work after lockdown, where employees are likely to divide their time between remote working and the office, IT security teams will need to find ways to protect a more fluid workforce. Over the last decade, they have learnt to look beyond the traditional office perimeter and protect a more mobile workforce, but having more people moving between the two environments on a regular basis presents a new set of challenges.
Security policies, and the way they’re enforced, will need to be revisited by organisations. To successfully support a hybrid of home and office working, I’d recommend a two-pillar approach to protection, one based on people’s behaviour and the other based on technologies to mitigate the risks.
Exploiting human behaviour
Interpol reported a 59% increase in phishing and fraud from January to April, a spike attributed to cybercriminals “exploiting the fear and uncertainty caused by the unstable social and economic situation created by Covid-19”. The 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs show how people are perceived as an organisation’s weakest link.
Social engineering techniques that trick people into revealing something about themselves or their company can be the hardest to protect against. Every employee is expected to sign up to a security policy, but keeping people vigilant needs continuous engagement. Internal messaging must be frequent and clear, educating employees about suspicious emails, unsafe links and unusual requests, even when they appear to come from trusted sources.
Much of it is a mindset change. In a hybrid world of home and office, employees need to understand the importance of doing things differently. Printing out a document at home, for example, is different from doing so in the workplace, where confidentiality around information is inherently understood. Similarly, sending sensitive documents over a secure company email account will be GDPR compliant, whereas using a personal email account will not be. It might feel like home, but it has now become their office, and they may need to make some changes to reflect that.
The pandemic has advanced digital transformation strategies. Both of these examples make a case for organisations pursuing increased digitalisation, replacing paper trails and overcrowded email inboxes with electronic workflows that are more efficient and easier to lock down.
Other security protocols may be less obvious, such as making sure home devices like voice assistants are switched off or away from the workspace. Voice calls can be just as confidential as documents so people may need to think about how they handle this at home, especially in shared accommodation. Could employees use a space where they can’t be overlooked or overheard?
Hardware and software fixes
Changing technical requirements should start with endpoint security. Ideally, the devices people use at home will be the same as, or configured similarly to, the ones they have in the office, meaning operating systems and security patches will always be up to date and antivirus protection will be in place.
By now, IT and security should have addressed the risks around ad hoc purchases made at the start of lockdown, where devices were bought that couldn’t support enterprise-class security. Personal laptops, which might have got people through the first wave of the pandemic, should be phased out from work use as quickly as possible. Hardware run outside the control of IT will have more vulnerabilities that cybercriminals will be looking to exploit.
VPNs should be in place for employees needing secure access to internal systems and file servers, along with role-based access and authentication controls for cloud-based applications and services. With no clear end to the pandemic in sight, all organisations should assume that hybrid working is here to stay and ensure it can be carried out securely.
The good news is that there’s an opportunity to capitalise on the productivity boom that many organisations experienced in lockdown, but it needs to be accompanied by practical security steps to make sure people raise their game without raising their risk profile.