Challenges of cyber-security when teleworking
COVID-19 made teleworking compulsory in most cases, revealing how agile and adaptable companies are to change, with the added complication that it arrived unexpectedly.
Several months further down the line, companies want their employees to return to the workplace, but many are still keen to keep offering teleworking in the future. According to the Spanish Statistics Institute (INE), in 2019, 952,000 employees regularly worked remotely. In 2020 this figure rose to 3 million. We are moving towards a variable combination of on-site and remote working. Whether through preference or requirement, remote working presents new challenges for companies, above all regarding Cybersecurity.
Cybersecurity challenges within companies
1. Protecting data from attacks outside of the company.
Data leaves the facilities and must remotely reach any part of the world safely. This is one of the greatest challenges for the Cybersecurity team, as the number of cyberattacks grows each year, as well as the seriousness of the incidents.
According to a Sophos cybersecurity report, during 2019 53 percent of surveyed companies suffered a ransomware attack. In 2020 this figure is estimated to be even higher. There are a host of anti-virus services, event monitoring, vulnerability scans, etc., but there is still no 100% guarantee. An anti-virus can only protect against what it knows, not what may be created tomorrow. Despite this, we can reduce risks. A crucial task in the hands of organisations is pinpointing critical assets, i.e., knowing what we want to protect based on its importance for the company. This challenge engages not only the cybersecurity team, but should also count on the support of management, in collaboration with other business areas. By doing this, protection resources can be targeted at specific places, instead of applying blanket security across the entire organisation. Would it make sense to protect a plastic bottle with the same system that protects an armoured room in the Bank of Spain? This is where we see the importance of identifying the company’s critical assets. In the long term, savings are made, and not just financial ones.
2. Protecting data from within the company.
Employees can unknowingly place the company’s data at extreme risk. This is why “employee training” is so important. There are many different ways of teaching employees about cybersecurity. Some are even fun.
The first task we recommend developing is to teach users how to differentiate the possible attacks they may face and how to detect them. The second, and by no means less important, is teaching users how to notify the company of an incident as quickly as possible. Drawing up a practical incident management procedure and disseminating it will save time when reacting to a crisis.
We must also remember users who are not on the staff but who also have access to the network. They too are easy targets.
3. Developing the applicable regulatory framework within the organisation.
Despite the recent entry into force of the eagerly awaited remote working labour conditions in the Spanish Official National Gazette (BOE), there is still a long way to go in terms of policies, regulations and internal procedures regarding security. Having a regulatory security framework would result in more effective data security, reducing risks and protecting the organisation from threats and vulnerabilities, consequently reducing the impact on its assets. Stop for a moment and reflect:
- Does your organisation have a register of employees who, given their profile or duties within the company, carry out their work activity remotely?
- Do these employees only have access to the applications and resources necessary for their work?

If the answer to both questions is yes, that is not bad going.
- But does the company have a teleworking policy?
- As well as a user account cancellation or blocking procedure?
- Is a review of users with administrator privileges carried out regularly?

There is also a solution for all this. Support from ISO 27002 would be a good start, as would drawing up internal policies to regulate remote working in accordance with the provisions of the Royal Decree-Act published on 22nd September 2020.
4. Implementing collaborative tools.
It is not all problems: today there are a whole host of possibilities when it comes to contacting each other without having to be in the same room. But of course, with so many options, which to choose? The most widely used collaborative tools are not necessarily the best. However, they will allow you to communicate with the largest number of clients, suppliers, etc., and at the end of the day, communication is the main objective.
5. Providing employees with corporate devices.
With the arrival of the quarantine, staff required to telework needed computing equipment. Many companies already had laptops for everyday use, even though remote working was not yet practised within the organisation. Others used desktop computers and had to transport them home. The rest used employees’ personal devices to work remotely. The National Cybersecurity Institute recommends using corporate devices to reduce the possibility of a cyberattack, as these already have the security policies that the company deems appropriate and ready-installed software for carrying out work. However, where private devices are used as a remote working tool, the cybersecurity team must ensure that they comply with criteria such as using strong passwords, making regular back-up copies or connecting via a secure and trusted VPN, to name just a few.
Fusing remote working with cybersecurity
Many companies have activated remote working from the Human Resources department, leaving the IT security team or the cybersecurity department to one side. This is a mistake, as this work must be a joint effort.
To conclude, remote working has been, and still is, a veritable challenge for the cybersecurity team. At Izertis we help companies to define, launch and manage the plan of initiatives needed to adapt to the new digital reality. This plan brings together and maintains regulatory compliance, the security of corporate information, and the management of change across all levels of the company. Furthermore, we have the knowledge needed for change to be integrated within all the cross-cutting elements required for effective, long-term results.