The Covid-19 pandemic in 2020 accelerated the need for all organisations to consider remote or home working in ways that nothing before it had or could have had. Previously, this may only have been considered by Small Organisations as they grew, and even then under different conditions than the ones we find ourselves in now.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and the CISO for Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.
Today we're going to be looking at working remotely or from home for Small Organisations. The Covid-19 pandemic has forced employers to adapt to survive or cease operations. As it was something that was forced onto them, most organisations did so in less-than-ideal circumstances and did so very quickly. Where organisations previously conducted operations abroad and travelled to meet partners and customers in person, that type of remote working is now very unlikely.
All organisations have learnt that work can continue without travelling by using video conferencing tools, which have improved further since the start of the pandemic. Today's remote working mostly means working from home rather than at the office; it doesn't involve travel or overnight stays in hotels. So we are exploring some of the things Small Organisations can do not only to ensure that they are secure now, but also to have some points of action for staying secure when staff start to come back to the office, and for what a hybrid model may require.
What has Changed?
The starting point in exploring this is to consider what changed and the impact of those changes on the security of an office-based organisation. Some of the key changes include:
- Security technologies have often been focused around the office – most organisations had not implemented many controls for remote working. This meant that they had to start considering additional controls in a very short time period, and in some cases organisations didn't put these in place until several months later.
- The lack of working laptops and devices – organisations had previously invested in desktops for office-based work, so they had to very quickly commission laptops or allow staff to work from their own devices. This meant that those organisations were (even if only temporarily) not complying with their own security policies. This was an unusual operating risk that all employers had to consider.
- Home networks are not necessarily secure – since most organisations' security controls were all focused around being at the physical office, most never had to concern themselves with individual employees' home network setups. As staff are not necessarily technically knowledgeable enough to secure their home networks, this was a risk that employers had to accept as part of working from home at short notice.
- The home environment is not necessarily secure – it is not only the network that is not secure, but the whole home environment, including the lack of shredding facilities for printed material and the lack of physical security for work assets against intentional and unintentional interference, etc.
- Implications for data protection – these were and have been very apparent to employers, and since all security is to be based on risk management practices, most organisations had to accept that being softer on data protection was preferable to a complete standstill. It is highly unlikely that any data protection authority anywhere will attempt to take any action for non-compliance, even if there may have been some element of gross negligence and lack of adequate consideration for data protection.
These changes had several impacts, which is what we will explore now.
Which Areas of Risk were Affected?
These changes affected many areas of risk for most organisations, including the following. We won't go into much depth here, as we'll explore some of these further today and some in other episodes:
- Devices for accessing work data and services - the requirements for the use of devices in the office are different from ordinary home use where many people may share devices. Further, due to not being ready, many organisations had to accept that some staff may use several devices to access the services needed to undertake their responsibilities.
- Networks – the change from everyone being on the same network in an office to one where a central point is accessed from multiple networks (and devices) made it difficult in the early stages to identify what is an authorised network connection and what is not (without the use of specialist security tools).
- Infrastructure – employee home infrastructures became part of the unknown, especially since home networks may have many unrecognised and, in some cases, compromised devices. If there are compromised devices, be they mobile devices or IoT-type smart devices (such as CCTV cameras), they could be used to spy on traffic or attack other remote targets.
- Use of data sharing tools – when staff are all based on one site it is easier to share data between them using the existing infrastructure. However, for some organisations, the changed working practices necessitated the use of additional tools and services they had not previously used and staff were unfamiliar with.
- Use of conferencing and other apps for remote working – the use of Zoom and Teams has been talked about often, as these had not been extensively used before, although many other related apps and services have also been used. The use of encryption in such apps was a topic that was regularly in the news.
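The "Devices" and "Networks" points above describe the same practical problem from two sides: once staff connect to a central service from many home networks and from a mix of company and personal devices, the organisation needs some record of what is authorised in order to tell an expected connection from an unexpected one. The following is an added illustration, not code from the transcript or from either speaker, of how a small organisation can get a first version of that check from two simple inventories (registered laptops and each employee's registered home network) and its remote-access logs. The log format, the device names, the networks and the log lines themselves are all constructed for the example; a real VPN or identity provider would need its own parser.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Union

# Constructed sample remote-access log lines (hypothetical format, not from any real product).
SAMPLE_LOGS = """\
2020-04-06T08:02:11Z user=alice device=LT-0412 src=203.0.113.45 action=login result=ok
2020-04-06T08:05:37Z user=bob device=LT-0177 src=198.51.100.8 action=login result=ok
2020-04-06T08:07:02Z user=alice device=personal-phone src=203.0.113.45 action=login result=ok
2020-04-06T09:14:55Z user=carol device=LT-0290 src=192.0.2.77 action=login result=ok
2020-04-06T09:20:13Z user=bob device=LT-0177 src=203.0.113.200 action=login result=ok
2020-04-06T10:01:44Z user=dave device=LT-0301 src=198.51.100.30 action=login result=fail
"""

# Constructed inventories: company-issued laptops, and the home network each employee
# registered with IT (as a CIDR block) when working from home began.
REGISTERED_DEVICES = {"LT-0412", "LT-0177", "LT-0290", "LT-0301"}
KNOWN_HOME_NETWORKS = {
    "alice": [ipaddress.ip_network("203.0.113.32/28")],
    "bob": [ipaddress.ip_network("198.51.100.0/28")],
    "carol": [ipaddress.ip_network("192.0.2.64/28")],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Event:
    ts: str
    user: str
    device: str
    src: IPAddress
    result: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None  # malformed source address: treat as unparseable rather than guess
    return Event(m["ts"], m["user"], m["device"], src, m["result"])


def _finding(kind: str, ev: Event) -> Dict[str, str]:
    return {"kind": kind, "user": ev.user, "device": ev.device, "src": str(ev.src), "ts": ev.ts}


def review_events(events: Iterable[Event], registered_devices: set,
                  known_networks: Dict[str, list]) -> List[Dict[str, str]]:
    """Flag successful logins from unregistered devices or unregistered home networks,
    and users who signed in from more than one device during the period reviewed."""
    findings: List[Dict[str, str]] = []
    devices_per_user = defaultdict(set)
    for ev in events:
        if ev.result != "ok":
            continue  # failed attempts never gained access; handled by a separate lockout policy
        if ev.device not in registered_devices:
            findings.append(_finding("unregistered_device", ev))
        # A user with no registered network is treated as unknown rather than silently allowed.
        if not any(ev.src in net for net in known_networks.get(ev.user, [])):
            findings.append(_finding("unknown_network", ev))
        devices_per_user[ev.user].add(ev.device)
    for user, devices in devices_per_user.items():
        if len(devices) > 1:
            findings.append({"kind": "multiple_devices", "user": user,
                             "device": ",".join(sorted(devices)), "src": "", "ts": ""})
    return findings


def review_log_text(text: str) -> List[Dict[str, str]]:
    """Convenience wrapper: parse a block of log text and review it against the inventories."""
    events = [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]
    return review_events(events, REGISTERED_DEVICES, KNOWN_HOME_NETWORKS)


if __name__ == "__main__":
    for f in review_log_text(SAMPLE_LOGS):
        print(f"{f['kind']:20} user={f['user']} device={f['device']} src={f['src']} ts={f['ts']}")
```

On the constructed sample this reports alice's login from an unregistered personal phone, bob's login from an address outside his registered home network, and alice as a user signing in from more than one device; the failed attempt by dave is left to whatever lockout policy applies. The point of the exercise is that the inventories, not the script, are the control: until the organisation knows which devices and networks it expects, it cannot distinguish an authorised connection from an unauthorised one, which is exactly the gap the transcript describes.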