5 Practical Steps to Help Businesses Reopen Securely.
The UK Government’s roadmap out of lockdown has paved the way for businesses to start to think about reopening their doors to their employees. However, it is crucial that we stop to consider that we may also be holding that same door open for the cyber criminals.
Protecting your team extends far beyond the stocks of hand sanitiser in the cleaners storeroom. The surge in new cyber security threats to our remote teams left an army of homeworkers and home Wi-Fi networks vulnerable. Criminal software could well be lying dormant and completely undetected, patiently waiting for those devices to connect to the corporate network so the fraudsters can escalate privileges, extract data and deploy ransomware – all from inside your own four walls.
The past year has demonstrated the frightening speed in which cyber-crime can adapt to capitalise on opportunities at every turn. We are in little doubt that this will continue as we familiarise ourselves with ‘the new normal’. Our practical guide will help IT departments protect their teams against known risks, future threats and facilitate a smooth return to the workplace.
Plan, plan, and plan some more.
Employers are required by law to protect their employees’ health and safety. And of course, you’re also required to protect company data – so IT’s role in the reassignment of teams shouldn’t be overlooked.
No CIO or CISO wants to oversee an enforced, sudden switch to remote working ever again. However, in reverse, the return to the workplace may be just as challenging. The good news is that this time, you have the opportunity to methodically plan an effective reopening strategy to help minimise potential risks.
There’s internal communication of the new COVID-secure workplace rules on the use of hand sanitiser and the one-way system but many businesses are failing to consider new, enhanced IT regulations that must be followed.
Whilst some businesses will need the whole team to return, others are choosing to evolve. A recent UK survey by HR software company, Personio reported that 1 in 3 employees would like to continue to work from home part time. This dynamic hybrid model demands appropriate cyber security policies for each of the physical, virtual or cloud-based technologies. It will require a review of working practices to help track IT assets off-site, monitor essential updates, security patches and authorised access. It is best practice to apply the principle of least privilege and immediately revoke access if someone leaves or is made redundant. It is likely IT will play a big role in contact tracking, staff rotation and the associated resource sharing systems – it’s important to consider what record-keeping is required.
Review all security policy regularly. Previously, a bi-annual review would have been sufficient but due to the severity of the threat, we’d recommend quarterly reviews.
Update your crisis plan.
Accidents and breaches happen, even to the most prepared businesses. A recent report by cyber security firm, Check Point, revealed the ‘return to work traps’ targeting diligent businesses. Criminals are disguising malware as IT security training recordings or essential reading. To prevent this, ensure all IT training is accessed via a trusted portal, rather than distributing updates via email.
Evaluate all threats whether external ransom or malware or an ‘insider threat’, such as human error or malicious behaviour. Highlight who is responsible for what so should a breach occur, you won’t waste precious mitigation time.
Not only does this help you to meet your legal legislative data protection obligations, a multi-layered security strategy will also help reassure your customers, build trust and enhance your reputation.
Sanitisation is not just for hands.
Undertake a full security audit on all devices and portable hardware. As equipment is bought back into the office, perform a mandatory ‘health check’ allowing you to screen for any potential threats. If an alternative device is available, you may need to quarantine equipment.
Review access requirements for each role, reinstating any relaxed IP settings that were necessary for employees to work remotely. Double-check that vital antivirus, software security and OS updates have been actioned. The audit also allows you to run unauthorised software checks, even if these were downloaded for work purposes. SaaS applications have been identified as a known GDPR risk with data stored on third-party servers.
You may set up a temporary office network for first-time reconnection. This partitioned network will add another layer of central protection. Enforce a change of password for all employees who need to access your network – apply strict character inclusions to ensure strong password creation.
If you have previously allowed your team to connect personal laptops, tablets and smartphones to your network, change the master Wi-Fi password to prevent issues resulting from auto-reconnection. ‘Bring you own devices’ (BYOD) may have been used to access corporate and customer data whilst homeworking but without adequate internal checks, this could pose a significant risk of a breach.
Embark on a spring clean.
Many offices have sat empty for over 12 months; numerous IT assets have had no use whatsoever, let alone their updates actioned, leaving them vulnerable to attack. They may no longer be required but they all have one thing in common; they all contain data.
An ITAD supplier can either refurbish and resell or recycle redundant IT assets. Many IT asset disposal companies offer a recycling service for end of life IT assets whereby you receive a residual payment – a welcome boost for reduced IT departmental budgets. Collaborating with an environmentally friendly ITAD provider with a zero landfill policy is a great way to demonstrate your corporate social responsibility, too.
You will have a Data Destruction Policy regarding the safe disposal of confidential records, but has this been updated to account for remote or hybrid working practices? Have you reminded staff of their information security obligations during their year out of the office? What if an external hard drive appears to be corrupted – do your team know how they should dispose of it securely? Improper disposal is one of the biggest ITAD mistakes, resulting in major data security issues and tough financial penalties for UK businesses.
On-site data erasure and data wiping services will provide certification for every piece of redundant IT equipment, should you ever be asked to prove that your business is compliant.
One of the key challenges for data governance in the near future will be the number of BYO devices that potentially have sensitive data scored on them. Do you have a policy in place to ensure you can access personal devices to erase corporate data?
Educate your team.
You will have had pre-pandemic compulsory procedures regarding sensitive data, which staff will know. However, with the sharp increase of social engineering scams preying on people’s insecurities and phishing emails targeting distracted home-workers, it’s crucial to update your team on additional processes and the new threats. Even the most security conscious have been caught out by a lapse in concentration.
Educate with best practice techniques and security training, rather than instilling fear that employees might be fired if they make an honest mistake. Encourage a culture of transparency so employees can report suspect activity without fear of penalties.
Better right, then rushed.
After over a year in lockdown, we are all keen to return to some degree of normality. However, whilst you can begin to open your workplace, should you take a cautionary approach?
The truth is your team have worked remotely successfully for over a year with no loss of productivity. Consider a phased return to the office; it will help you manage the increased workload of the assets security audit. It will also make employees feel more comfortable as they relocate once more.
With the right steps, the return to the office will result in minimal disruption. It’s better to have your cyber-resilience plan fully in place before you revert to a more familiar routine. In reality, it is unlikely that workplaces will return to ‘normal’ for the foreseeable future, if at all.
With over 25 years industry experience, tier1 are proud to be the UK’s most accredited ITAD supplier. We possess the skills, accreditations and experience to handle our clients’ data with the care they deserve, and to dispose of surplus hardware responsibly and legally.
Contact us today on 0161 777 1000 or visit https://www.tier1.com to find out how we can help you dispose of your data safely and reliably.
Resources:
icaew.com; icas.com; itproportal; redscan.com; infosecurity-magazine.com; itgovernance.eu; cio.com; fortressas.com;
