Before the COVID-19 pandemic, organizations’ main business continuity risk was the “non-availability of working facilities or offices”.
In fact, upon being asked “Due to any reason (e.g. fire, flood, earthquake, civil unrest, etc.), if you and your teams are unable to come to your office, how, in your opinion, would IT continue to support the company’s operations?”, managers of IT departments replied with “IT teams would work from home”.
Now, however, working from home has become the norm, and may continue to be so in the upcoming months. According to a survey conducted in March 2020 by Gartner, 74% of CFOs believe some of their employees who were forced to work from home may decide to continue working remotely even when the pandemic comes to an end.
Some respondents believe companies themselves will ask employees to continue working from home to manage costs until they recover financially from the aftermath of the pandemic. On-premises technology spending and real estate expenses are the top two costs organizations have deferred or plan to defer in the near future.
The Risks Companies Face While Employees Work from Home
With a significant number of employees worldwide forced to work from home, organizations are beginning to face the threats associated with remote work without proper oversight or preparation. Here’s a quick overview of some of these risks.
1. Business Continuity Risks
By definition, continuity risks are high impact and low probability risks.
In this diagram, the impact of risks is shown on the X-axis (low to high) whereas the probability of risks is on the Y-axis (low to high). Upon dividing the diagram into four quadrants, continuity-related risks belong to the 4th quadrant (Q4), where the impact is high and the probability is low.
Traditionally, while developing Continuity Plans, consultants, including our own, ensure that the organization has developed the required level of resilience by providing all the processes, tools, access rights, facilities, staff training, etc. needed for such a situation.
As work from home has become the norm for several IT teams, the ‘non-availability of office facilities’ will no longer be a Continuity Risk. Instead, it will be considered an operational risk. Keeping the above diagram in mind, ‘work from home’ will have a higher probability and therefore move to Q1.
Meanwhile, risks mentioned in Q1 and Q2 will come under the operational (business as usual) risks category.
In this case, the IT Continuity Risk Assessment will have a very different set of risks in the risk register post-COVID-19 lockdowns. Assuming that a few teams always work from home, possible risks include:
- Non-availability of internet facilities
- Interruption in a cellular network
- Overcrowding of collaboration tools like Zoom, WebEx, and Microsoft Teams
- Non-availability of the critical team member(s)
Access, Authorization, and Authentication Threats
Organizations that have not established or maintained a robust remote structure are struggling the most during the pandemic. Remote connectivity has left them vulnerable to access, authorization, and authentication risks.
Companies may not have comprehensive policies for access control – i.e. methods to guarantee users are who they say they are before providing them appropriate access to data. Similarly, they may not be able to carry out authentication (verify someone is who they claim to be) or authorization (determine if a user should be allowed access to data or make a transaction).
Without these measures being part of a company’s remote work policy, sensitive data will be exposed. This is especially true if employees access this data through a public-facing web server that runs vulnerable software.
Access mining is another issue companies may face. The collection and selling of access descriptors such as IP addresses, usernames and passwords is currently a thriving business that benefits cybercriminals. Once such credentials leak, organizations may face catastrophic consequences.
2. Unsanctioned Remote Access to IT Infrastructure
Employees working remotely are working on a network that is not directly controlled by their organizations. Without a Virtual Private Network (VPN), businesses cannot maintain network security and end up facing an increased risk of data breaches and leaks of sensitive information.
As most businesses did not get the time to prepare for the mass move from offices to home spaces, companies are under pressure to monitor network security risks and block access to internal infrastructure upon detecting any suspicious access attempts. This, in turn, can affect employee productivity as most attempts would be their own.
3. Use of Bring Your Own Devices
With employees using their own mobile devices to share data or access information, they put companies at risk of data theft. This is especially true when they neglect to change mobile passwords or their workplace has no BYOD policy.
Companies face risk exposure from employees’ devices on the corporate network if they have malware or other Trojan software. With no mobile device management policy in place, companies have no authority to wipe these devices if they are lost, stolen, or used in violation of company policies.
Top Measures for Improving Security and Reducing Risks
While the risks above barely scratch the surface, their impacts can cripple a business indefinitely. Therefore, enterprises need to take several steps, including those listed below.
1. Invest in VPNs
The Novel Coronavirus has transformed VPNs from a luxury into a necessity for every category of worker. Using a virtual private network creates an encrypted virtual tunnel for traffic between employees’ home and work networks. As a result, the risk of attackers intercepting this data is reduced. Moreover, VPNs make online behavior safer.
While a VPN is ideal for transporting data securely, keep in mind that it provides limited anonymity. Furthermore, employees are not fully protected against targeted advertising. Therefore, you should consult an expert to implement VPNs in a secure way.
2. Focus on Reducing Human Error
While employees are vital for your success, they may also be the cause of your downfall. The following are common human errors that can compromise the security and continuity of your business.
- Misdelivery – The fifth most common cause of cybersecurity breaches, misdelivery entails sending confidential information to the wrong people. A classic example of this is when an NHS practice employee ended up sending an email notification to HIV patients but accidentally entered email addresses in the ‘to’ field rather than the ‘bcc’ field.
- Password Issues – Most users tend to make password mistakes such as reusing the password of their main email account, writing down passwords, or sharing them around. The majority also use simple passwords. In fact, 123456 is the most popular password worldwide.
- Delay in Patch Installation – Users can delay installing security updates on their computers, which gives cybercriminals the opportunity to attack.
Organizations need to take important measures such as enforcing privilege control, password control, and two-factor authentication across the business. They also need to create a security-focused culture where security is an integral part of every decision and action. Training will further help with this aspect as long as it is engaging and relevant.
3. Develop Strict Access Control Protocols
Access controls are integral as they add a layer of security around the network. Therefore, you need to implement them and ensure they do not lapse, or else holes will appear in your perimeter.
The use of role-based access control (RBAC) has been known to help enterprises. Monitoring and strategically restricting access controls can also help reduce the risk that human error poses to your cybersecurity.
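As an added illustration of the RBAC, least-privilege and monitoring points made above (this is example code written for this page, not Business Beam’s tooling), the snippet below grants access only through narrowly scoped roles, denies anything not explicitly assigned, and records every decision in an audit trail so that repeated denials can be reviewed. The roles, permissions and users are constructed sample data.

```python
"""Minimal role-based access control (RBAC) check with an audit trail.

Constructed example: the roles, permissions and user assignments are made up
for illustration; a real deployment would load them from an identity provider.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> permissions. Each role carries only what that job actually needs.
ROLE_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:update"},
    "hr": {"employee:read", "payroll:read"},
    "payroll_admin": {"employee:read", "payroll:read", "payroll:write"},
}

# User -> roles (constructed sample assignments).
USER_ROLES = {
    "alice": {"helpdesk"},
    "bob": {"hr"},
    "carol": {"payroll_admin"},
}


@dataclass
class AccessDecision:
    """One entry in the audit trail."""
    user: str
    permission: str
    allowed: bool
    reason: str
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat()
    )


class RBAC:
    def __init__(self, role_permissions, user_roles):
        self.role_permissions = role_permissions
        self.user_roles = user_roles
        self.audit_log = []  # every check, allowed or not, lands here

    def permissions_for(self, user):
        """Union of the permissions of all roles assigned to the user."""
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def check(self, user, permission):
        """Deny by default: only an explicit role grant returns True."""
        if user not in self.user_roles:
            decision = AccessDecision(user, permission, False, "unknown user")
        elif permission in self.permissions_for(user):
            decision = AccessDecision(user, permission, True, "granted by role")
        else:
            decision = AccessDecision(
                user, permission, False, "permission not in any assigned role"
            )
        self.audit_log.append(decision)
        return decision.allowed

    def denied_attempts(self, user):
        """Audit entries for a user that were refused."""
        return [d for d in self.audit_log if d.user == user and not d.allowed]

    def users_with_repeated_denials(self, threshold=3):
        """Users whose denied attempts reach the threshold (review candidates)."""
        counts = {}
        for d in self.audit_log:
            if not d.allowed:
                counts[d.user] = counts.get(d.user, 0) + 1
        return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    rbac = RBAC(ROLE_PERMISSIONS, USER_ROLES)
    print("alice ticket:update ->", rbac.check("alice", "ticket:update"))
    print("alice payroll:read  ->", rbac.check("alice", "payroll:read"))
    print("mallory ticket:read ->", rbac.check("mallory", "ticket:read"))
    for entry in rbac.audit_log:
        print(entry)
```

The deny-by-default branch is the important one: a user with no assignment, or a permission that no assigned role carries, is refused without any special casing. Because the audit log keeps refusals as well as grants, the same structure also supports the monitoring the text recommends, for example reviewing accounts that accumulate denials.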
Let Us Help You Get the Most from Working from Home
There is so much more that organizations need to do to address any security gaps which can compromise their business. Business Beam’s team of consultants can help you in this regard by:
- Delivering real value instead of documenting for the sake of documentation
- Offering solid experience developed after conducting over 100 risk assessment exercises, mostly as part of implementing other frameworks
- Providing the expertise of senior-level, certified and experienced consultants to help you achieve your security goals
- Utilizing ISO 31000 as the base framework for IT risk assessment; in addition to having certified consultants, Business Beam is authorized by PECB to conduct official ISO 31000 training courses with the certification examination
- Offering COBIT 2019 authorized assessments and training courses with certification examinations
So do not hesitate to contact us with your security needs, so that you are fully prepared for the upcoming change in work cultures.