4 minute read
Cyber security in an increasingly digital world
In recent years cyber security and internet fraud have become areas of concern for organisations, governments and consumers. There has been an increase in cyber security attacks since COVID-19, as companies invoked rapid responses to the coronavirus pandemic, potentially leaving themselves vulnerable to security breaches.
Despite the current global pandemic, cyber attackers have made it clear they’re not taking any time off. Now that many workers have shifted to working remotely and organisations are distracted trying to handle the virus, security and risk management teams need to be more vigilant than ever.
Advertisement
What can organisations do to protect their business, employees and customers?
Below are six key areas of focus from Gartner that may help member organisations plan for future events:
1. Ensure that the organisation’s the altered operating conditions and are tested early
Review all documentation and conduct a walk-through with a careful watch for any problem areas. If the organisation does not already have a cybersecurity incident response plan or capability, consider using the services of a managed security service provider instead of trying to stand up a new system and develop your own plans
2. Ensure that all remote access capabilities are tested and secure, patched
Given how quickly most organisations found themselves moving to remote work, it makes sense that security teams would not have had time to perform basic endpoint hygiene and connectivity performance checks on corporate machines. Further complicating the matter are employees who are working on personal devices. Where possible, they should confirm whether personal devices have adequate anti-malware capabilities installed and enabled. If not, they should work with the employee and their corporate platform vendor to ensure the device is protected as soon as possible.
Other mechanisms such as two-factor authentication will also be useful to ensure only authorised personnel have access to corporate applications and information remotely. On a strategic level, make sure someone from the security team is part of the crisis management working group to provide guidance on security concerns and business-risk-appropriate advice
3. Reinforce the need for remote workers to remain vigilant to socially engineered attacks
The reality is that employees will have more distractions than usual, whether it’s having kids at home, worrying about family, or concerns about their own health. They’re also operating in a different environment and might not be as vigilant about security during a time where cybercriminals will exploit the chaos. Make sure you reach out to senior leaders with examples of target phishing attacks, and alert employees to the escalating cyberthreat environment. Remind them that they must remain focused and vigilant to suspicious activities. If appropriate, send out reminders every two weeks and remind them of the location of pertinent documents such as remote and mobile working policies, as well as where they can access security awareness training material if they want a refresher. Further, clearly communicate who to contact and what to do if employees suspect a cyberattack
4. Ensure security monitoring capabilities are tuned to have visibility of the expanded operating environment
The sudden relocation of much of the workforce (including security and risk management teams) to remote locations creates the potential for cybersecurity teams to miss events. Ensure that your monitoring tools and capabilities are providing maximum visibility. Check that internal security monitoring capabilities and log management rule sets enable full visibility. If using managed security services providers, check in to make sure they are adapting their monitoring and logs in a manner that makes sense for the new operating landscape
5. Engage with security services vendors to evaluate impacts to the security supply chain
The changes in the security landscape won’t just come from your own organisation. Be aware of what your partners and supply chain are actively doing about security that will affect your organisation. Confirm how they will be securing collected data and information from the business. Remember that each of these organisations has their own people to worry about and their own business concerns. Ask questions about where third-party organisations might fail to deliver on promised security services
6. Don’t forget employee/customer information and privacy
Organisations may collect employee/ customer information that relates directly to the COVID-19 pandemic. For example, you might want to record when a customer attends an open home. First, all this information is subject to data protection and privacy laws. Beyond that, organisations should seek to collect the least amount of information possible, ensure it is factual and store it in a secure manner. This information should be disclosed only when required by law and within the organisation only on a need-to-know basis.
What can you do to protect your company and customers?
• Lock your workstation when you are not using your device
• Don’t click on links in emails, unless you know who it’s from and trust it
• Report any suspicious activity to your manager, or follow your company policy
• When working at home, be conscious of confidential information and who in your household may see it
•Change your password regularly and use something people can’t guess
•Never write passwords down
•Destroy customer or confidential information as per your company policy.
Kirti Suman Chief Digital and Innovation Officer, REINZ
