How resilient is your home working strategy?
During these uncertain times when much of the working population is working from home, the IT infrastructure is under more pressure than ever before as it struggles to cope with a huge and sudden increase in remote working. Many remote working solutions adopted by organisations before the pandemic were intended to be adopted as temporary measures following an incident, until normal working practices could be resumed. IT departments are at full stretch ramping up capability and providing helpdesk support to the many workers who have little or no experience of working from home as they encounter slow broadband speeds, failing VPNs and limited mobile reception.
Organisations with strict security protocols for normal business operations are having to think about where security can be relaxed temporarily to allow for more efficient working, enabling workers to access key systems and documents that under normal circumstances would be off-limits for external access. Workers’ personal devices and other hardware such as printers need to be connected to the company systems. Sensitive material that normally would not be allowed to leave the office premises may be needed to facilitate work at home. Workers in shared flats have limited workspace and may not be able to achieve an appropriate level of security.
Whilst every effort continues to be made to ensure there are no gaps in security and data protection, adopting different modes of working to sustain business-critical activities can reduce the ability to maintain high levels of security. Clicking on an unassuming but harmful link or attachment in an email, not logging off properly, leaving sensitive documents or passwords in view, and using home devices with open internet access and reduced security levels could all expose weak links in the chain that are vulnerable to unauthorised access.
It is a real priority for organisations to keep their cyber security incident procedures under review in the light of changing work practices and ensure they are fit-for-purpose now and in the future. Even with colleagues away from the workplace, raising levels of awareness of likely cyber security threats is as important as ever.
In its Advisory: COVID-19 exploited by malicious cyber actors, the National Cyber Security Centre (NCSC) notes a marked increase in malicious cyber actors using Covid-19 and related themes as a cover for scams and phishing emails. The NCSC also reports: “At the same time, the surge in home working has increased the use of potentially vulnerable services, such as Virtual Private Networks (VPNs), amplifying the threat to individuals and organisations.” The NCSC explains that this move to mass home working is enabling malicious exploitation of a variety of publicly known vulnerabilities in other remote working tools and software, including Citrix.
The tenets of business continuity are to enable a cohesive response to the loss of resource, whether people, premises, technology, suppliers or information, or a combination of these. Even organisations that did not have business continuity and/or IT disaster recovery in place before the pandemic have implemented typical business continuity strategies by adopting working from home practices.
All well and good so far, but experience suggests that when incidents occur they do not affect just one type of resource and this is where organisations need to be thinking about building resilience into the often fragile digital working environment.
The rise of cloud services has proved a boon to facilitating remote working, but even virtual services need to sit in a physical location somewhere. Your data centre may be offsite or in an onsite computer room in your office premises which has been shut up for the duration. Either way, have you considered what would happen if a fire or flood damaged servers to the extent that the ability for colleagues to carry on working from home was lost for a period of time?
In this scenario, what is the exit strategy? Staff could not return to the office to work or to retrieve papers under lockdown conditions; IT staff are also working from home, likely unable to manage the physical activity required to rebuild servers and networks. How long could staff manage critical work with just a mobile phone? At the very minimum, there should be a strategy in place for recovery of email capability, using cloud applications. This would provide a workaround for the short term at least.
To take the scenario a step further, consider the possibility of a complete loss of IT services resulting from a cyber security incident which compromises all company systems, the knock-on effect being that the entire network is shut down. All devices used to access the network could be impacted and rendered inoperable, significantly reducing the ability to access cloud services, make calls, send emails, etc.
With so many priorities at this time, it’s understandable that the wider aspects of building resilience may not be top of the actions list. Bear in mind that a combination of unfortunate circumstances is not the exception and the consequences of such should be considered as a priority before they happen. Look at different scenarios, review your systems and workarounds, implement recovery strategies and appropriate security, thus placing yourself in the best position possible to restore confidence and reputation should your best laid plans begin to unravel.
Teed’s specialist knowledge and experience of contingency and recovery planning is second to none. We have been working with clients since 1999 to implement comprehensive, proven business continuity and IT disaster recovery plans. We were writing pandemic plans long before the swine flu pandemic of 2009 and provide advice to clients every day during this current pandemic.
An increasing focus for our clients is developing a cyber security incident response to ensure they have considered the potential consequences of what could be a crippling scenario for many organisations. We help our clients develop and exercise cyber security response procedures and playbooks, ensuring that they dovetail with IT disaster recovery and business continuity strategies and plans. Helping our clients build resilience is what we do best.
Reference: NCSC Advisory: COVID-19 exploited by malicious cyber actors
- Date: 27th April 2020