As a result of the sudden shift to remote working, firms are experiencing an enlarged attack surface, unfamiliar working practices, heightened risk of lapses of discipline, increased risk of insufficient capacity, and of resulting risky ad hoc workarounds. Worse, cyber-criminals are exploiting the situation to find weak points and monetize the disruption. This means a heightened cyber risk profile, and to avoid compounding risks, firms need new controls, rapid adaptation, and potentially a different risk appetite (e.g., to balance business risk against elevated cyber risk).
The following is a checklist of the immediate considerations for top management.
Capacity planning and prioritization
Many firms are effectively doing a live capacity test of their remote working infrastructure, hardware, and controls. Communications capacity is also likely to be tested, as is access to hardware such as laptops and servers.
Now is the time to prioritize users based on human and business requirements, in order not to let prioritization emerge by default, and to invest in additional capacity if there is a shortfall.
Security hygiene factors
Many firms have been experimenting with collaboration and remote working tools, in some cases with multiple tools. We have seen huge diversity among levels of adoption across our clients pre-crisis.
This is an opportunity to establish the remote working model, and quickly align all staff around the tools to use, the rules to adopt and the limitations on remote working (e.g., file sharing) that the firm wishes to adopt.
Training and awareness
A sense of emergency and heightened external risk can cause remote users to take additional risks, breaking ‘normal’ rules to get online or share files.
It is essential that, as you shift to a new working model, you remind staff of the need for discipline in file sharing, use of secure wi-fi, use of VPN, and avoidance of webmail and other ad hoc tools (subject to any special arrangements or risk acceptance you may explicitly decide).
Protecting the core infrastructure
Shifting to remote working, combined with compliance with new rules about social distancing, will make it hard to manage infrastructure and office-based assets while still enabling remote access.
Ensure there is an adequate skeleton team to manage and protect servers, communications equipment and other office-based assets, potentially using shift-based teams to cover the 24/7 period.
(Further out, this will accelerate the move toward hybrid cloud operating models.)
Protecting mothballed assets
Many firms – e.g., in the transportation, leisure and hospitality sectors – are facing the necessity of mothballing assets, or shutting down capacity to minimize costs for the duration of the lock-down period in their markets.
These assets still require physical protection and, if connected, also represent an attractive entry point for cyber-criminals unless they remain covered by effective cybersecurity (e.g., monitoring).
Cyber risk appetite setting
This crisis period is fundamentally affecting all firms’ risk profiles – including human risks as well as financial and business risks.
At such a time, senior leadership must consider their overall risk profile and be prepared to make quick, explicit decisions about the risks they must double down on controlling and those they want to accept – for example, to relax policies to permit data exchange, spin up cloud environments quickly or change suppliers at short notice.
Third-party risk management
Firms are focusing on their own people and their own resilience with a strong sense of urgency.
However, most firms now operate in a complex ecosystem and, as a result, are only as secure as their least secure key supplier … whether that supplier provides a critical function like cloud services or monitors the air conditioning.
It is essential not to forget critical suppliers in resilience planning and to stay closely in touch with them to understand their status and contingency arrangements.
Key-person risk
It is often the case that, even in a large organisation, technical skills or knowledge may be concentrated in a small number of people, sometimes even single individuals.
It is essential to cross-train and document or otherwise codify knowledge now, to prevent technology and operations grinding to a halt when one of these key people falls ill or needs to self-isolate.
Incident planning and management
Most incident management playbooks are based on assembling a team, undertaking an investigation, deploying specialist forensics resources, replacing hardware, etc. But with travel bans and a lack of available resources, how would you manage and recover from a cyber incident remotely?
In some cases, the logical answer would be, if it’s not critical, just shut it down. Preparing for these decisions – and the alternative recovery approaches – needs planning now.
Finally, to the extent there is downtime among staff due to business operating restrictions, now is the perfect time to use any spare capacity for incident response planning and rehearsal
How are you, your team and your firm preparing for the challenges of remote working? What additional risks or challenges have you encountered?
I would love to hear your thoughts and experiences – let’s keep the dialogue going.