Balancing the security vs efficiency dilemma for your ‘new normal’

Many management and IT teams have done an amazing job over the last few months, completely changing their working environments to shift most, if not all, of their staff ‘offsite’ in a very tight timeframe. A project completed in a matter of weeks or months, which would usually be given many more months, if not years, to plan and carry out safely and effectively, is a great achievement. But at what cost?

Have we left major security gaps that can be exploited by hackers? Or have we locked our doors so tight, our staff are struggling to work effectively?

Finding the right balance between security and efficiency can be challenging, especially when under immense time pressures. Now the dust is beginning to settle, what can your organisation do to review and adjust your remote team connectivity to deliver on both levels?

Securing the remote environment

Cyber security has been a hot topic over the last few years due to the ever-increasing and high-profile attacks on numerous major and international organisations. The introduction of new or enhanced data protection laws such as the New Zealand Privacy Act, the EU GDPR and, more recently within the Middle East, country regulations such as the Bahrain Personal Data Protection Law (PDPL), has only sharpened the focus on properly securing our systems and data.

We successfully locked our doors and secured ourselves, then Covid-19 came, forcing us out from behind our carefully built layers of security and into a more dynamic working landscape. We now need to work out how to safely open things back up again to allow our teams access to our data from outside our internal networks.

For a lot of our clients, remote working was already something on the agenda, and some had even set it up for key employees or senior management, but most had not finalised an effective strategy to roll out organisation wide on the scale that the current crisis has required.

Most IT departments have worked tirelessly over the last few months to implement their remote working strategies, and in turn most organisations are now rightfully feeling very proud of themselves and the speed with which they have adapted their operating environment. But that does not mean the job is even close to done.

·       How many of these changes have been properly tested to ensure airtight security?

·       How long can you be comfortable just hoping no hacker notices the gaps before you can patch them up?

·       How many staff are using old laptops they already had at home, which may well already carry malware?

·       How many staff are on home Wi-Fi networks which may have been compromised long before the start of this pandemic?

·       How many staff or managers are reading or printing confidential company information in an unsecured environment, open to visitors and potential prying eyes?

This is just the start of a very long list of security questions which may reveal serious weaknesses within your current infrastructure. My hope is that most IT teams will have already addressed most, if not all, of these obvious problems, but if not, now is definitely the time to clean up your systems; before someone else notices!

Balancing Security and Efficiency

Implementing secure remote access comes with its own set of usability problems: it can take forever for a member of staff to get into the system; layer after layer of passwords and links before even accessing email. Or, once you have logged in to your email, you can’t just jump online to check something on Google, because a full-tunnel VPN routes everything through the corporate network and blocks access to anything outside it. All of this creates a very secure environment, but not a particularly productive one.

That’s not to say there aren’t a number of good technical solutions out there that allow both very tight security and efficient ways to navigate through it; I just don’t know many organisations that have been able to secure enough budget, or had enough time, to implement them yet.

How can you improve?

Before we accept anything as the ‘new normal’, or use any of our current practices as a roadmap for long term success, now is a critical time for an organisation to take a deep, long look at everything they have done recently and ask a few questions:

·       Are our systems and endpoints truly secure?

·       Are our people able to work within our systems as effectively as they were from the office?

·       Are our people truly happy with the current setup?

And if the answer to any of the above is no:

·       What can we do to make it better?

This may come across as all too easy, but the process of gathering the right information to answer these questions effectively should not be taken lightly. You will need to spend serious time and effort engaging the whole business, digging into everything that has happened over the last few months alongside any existing structures and procedures, and figuring out exactly how it will all best fit together going forward to ensure both organisational effectiveness and long-term resilience.

If you would like help assessing your current environment or planning your next steps, then why not download our free Standby Consulting Lessons Learnt questionnaire here or contact one of our team to discuss how else we may be able to help.

About Standby Consulting

Standby Consulting are specialists in organisational resilience based out of New Zealand and the Middle East with a presence in Bahrain, UAE and Saudi Arabia. With a wide range of experience across most business sectors, Standby is here to support your organisation in the development and implementation of your critical Business Continuity, Disaster Recovery and other resilience activities. We help our clients and partners by offering independent, honest, and experienced advice to ensure that all of your bespoke resilience needs can be met in a timely and cost-effective manner.

Working from Home – remote logins a soft target for hackers

With the current Covid-19 pandemic, many organisations are saying they are going to send their staff home and have them work from there. This is a pretty standard response to many business continuity situations. There are, however, some considerations to make around how staff members access your internal network from the outside.

An enforced isolation period will be simpler to manage for the proportion of employees whose role already sees them often working from home, as they will have the processes in place. For others, the adjustment will be more challenging, but the technology we have today makes keeping teams connected and collaborating across locations far more accessible.

However, there is an important factor that cannot be overlooked. People already working from home are likely to be using a Virtual Private Network (VPN) into their worksite, typically with a client certificate or hardware/software token installed so that only authorised users and devices can connect.

Not every business will need this level of security, but there are some basics that need to be observed.

The risk of malware on personal computers used to access corporate systems

If the remote worker is going to use their home PC, this creates a real risk of exposure. The danger is considerable, as one does not know what websites they or other members of the family have visited, or what malware has been sneaked onto the machine. Malware of this type simply waits for someone to sign in to a corporate system, then captures passwords, sign-ins and other confidential information, and may use the authenticated connection to push its own code into the corporate network.

Home PCs most probably will not have up-to-date or quality antivirus on them. I have often spoken to home users who tell me they are using a “free” virus checker, or do not update their virus checker because it costs money. This is a dangerous practice, and one has to ask how many resources the suppliers of free virus checkers are putting into their product, or whether there is an alternative motive, such as putting their own malware onto the machine.

Keeping sensitive files away from prying eyes

If you do let staff members work from home, make sure they observe your company’s IT security protocols and procedures and do not let their children sign in and play with the machine. Keep any private company material away from small eyes who may talk about what they have seen at school the next day.

Home WiFi a point of weakness

The other thing to be wary of when people are working from home is the security of their Wi-Fi. So many people do not change the default administrator password on their Wi-Fi router when it is installed. If the provider does change it, they often do something quite simple and silly, like setting it to the customer’s telco account number or street number. The bad guys know this and will try to hack their way into the router. Once in, they have access to all the equipment on the home network: not only PCs and laptops, but the smart TV, CCTV and other “Internet of Things” devices. And once that route in is established, your employee’s connection to your company systems becomes a back door into them.

Two-factor authentication not a guarantee for cyber-security

Just to increase your lack of sleep, two-factor sign-in is not as secure as you think. There are now reverse-proxy phishing toolkits that sit between the victim and a corporate website such as Outlook Web, presenting a look-alike login page and forwarding the username, password and two-factor code to the real site in real time, so the attacker ends up with a fully authenticated session. This hacking method was identified as a real and significant threat in 2019.

There is also a long-standing weakness in the telco signalling network (SS7) that allows an attacker to intercept the SMS carrying your two-factor code. This attack has been seen in practice since 2017 and shows how insecure SMS verification is when compared with hardware keys or authenticator apps.
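The two paragraphs above describe two ways a relayed or intercepted second factor gets past the server: the code is simply forwarded. The following Python model, added here as an illustration and not taken from the article or from Standby Consulting, shows why a code typed into a phishing page is accepted while an origin-bound hardware-key assertion is not. The origins, the device key and the sample code are constructed for the example, and an HMAC stands in for the authenticator’s real asymmetric signature so it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values for the demonstration (not real sites or keys).
RP_ORIGIN = "https://mail.example"          # the genuine corporate webmail origin
PHISH_ORIGIN = "https://mail-example.net"   # look-alike origin hosting the reverse proxy
DEVICE_KEY = b"constructed-authenticator-secret"  # stands in for the key's private key


def verify_otp(expected_code, submitted_code):
    """Server-side check for an SMS or app-generated code.

    The code carries no information about where it was typed, so a code
    relayed through a phishing proxy (or lifted off the SMS channel) is
    indistinguishable from one typed directly into the real site.
    """
    return hmac.compare_digest(expected_code, submitted_code)


def authenticator_sign(challenge, origin):
    """Toy model of an origin-bound (FIDO2/WebAuthn-style) assertion.

    The browser hands the authenticator the server challenge together with
    the origin of the page that asked for the login; the authenticator signs
    over both. Real authenticators use an asymmetric signature; an HMAC with
    DEVICE_KEY stands in here so the example runs on the standard library.
    """
    client_data = json.dumps(
        {"challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    signature = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).hexdigest()
    return client_data, signature


def rp_verify_assertion(challenge, client_data, signature):
    """Relying-party check: fresh challenge, correct origin, valid signature."""
    data = json.loads(client_data)
    if data.get("challenge") != challenge:
        return False
    if data.get("origin") != RP_ORIGIN:
        # The assertion was produced on another site: reject it even though
        # the signature itself is genuine.
        return False
    expected = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def relay_otp_through_proxy():
    """Victim types the SMS/app code into the phishing page; the proxy
    forwards it unchanged to the real site inside the code's validity window."""
    code_issued_by_server = "482913"   # constructed sample code
    code_typed_by_victim = code_issued_by_server
    code_forwarded_by_proxy = code_typed_by_victim
    return verify_otp(code_issued_by_server, code_forwarded_by_proxy)


def relay_key_assertion_through_proxy():
    """The proxy fetches a genuine challenge from the real site and forwards
    it to the victim, whose browser is on the phishing origin."""
    challenge = secrets.token_hex(16)
    client_data, signature = authenticator_sign(challenge, PHISH_ORIGIN)
    return rp_verify_assertion(challenge, client_data, signature)


def legitimate_key_login():
    """Same flow with the browser on the genuine origin."""
    challenge = secrets.token_hex(16)
    client_data, signature = authenticator_sign(challenge, RP_ORIGIN)
    return rp_verify_assertion(challenge, client_data, signature)


if __name__ == "__main__":
    print("relayed OTP accepted:     ", relay_otp_through_proxy())            # True
    print("relayed key assertion ok: ", relay_key_assertion_through_proxy())  # False
    print("genuine key login ok:     ", legitimate_key_login())               # True
```

The point to take from the model is that the OTP check has nothing to compare against except the digits, whereas the key-based check rejects the assertion on the origin alone, before the signature is even considered. The same origin check is what real WebAuthn relying parties perform on the clientDataJSON field, and it is why a relayed session from a look-alike domain fails.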

What are the solutions?

By all means, send people home to work but just make sure they are clearly informed of the rules they need to follow to keep your organisation safe from breaches to your security through careless mistakes.

Ask some simple questions around their existing set-up to identify any gaps, and lay down the ground rules for best practices.

There may be other measures you can take internally, depending on how your network is set up. From your position, it is imperative you discuss the risks with your IT security people or your IT Provider before you implement any social isolation of team members.

Sam Mulholland is a business continuity consultant and disaster recovery planning specialist. Sam can be contacted through the Standby Consulting New Zealand and Middle East offices should you wish to know more about Cyber Security and Pandemic Planning for your organisation.