Blog · 21 Jul 2020

How to tackle post-Coronavirus security risks and compliance gaps

Since Coronavirus hit, organisations have made changes across almost all aspects of their infrastructure. But how has this impacted security?

Tris Morgan
Director of Global advisory, BT

Since the Coronavirus pandemic hit, organisations have made changes across almost all aspects of their infrastructure. Unfortunately, one of the potentially worrying impacts is the lack of control this may have had on security.

They’ve had to move record-levels of people to work from home, including people in business functions that were never designed to work remotely. Only now are organisations starting to explore and understand what the security impact of this may be.

While many businesses were pleased and relieved to have been able to move at such pace and scale, now they’re left worried about gaps in their security postures that may now be exposed.

The more disparate your workforce is, the more prevalent your cloud use is; and the more OTT services you use, the more likely you are to be a target for security attacks. Some legacy infrastructure, particularly in sectors like manufacturing, was never designed to go anywhere near the internet. Now, it’s having to work remotely and it’s negatively impacting the security position of affected companies.

It’s important to understand how your risk profile has changed since the changes you’ve made to your business to cope with the impact of Coronavirus. This isn’t just at the business level or departmental level, but right down to individual personas. Different personas have different risk profiles, so it’s important to who is doing what and where.

In light of different users working in different ways and the massive scaling and changes to infrastructure that have been necessary, your business may not be as resilient as it’s been in the past.  What if your users couldn’t access one of your cloud providers and one of your business-critical functions was down? That’s why one of the next big challenges should be making sure that your business resilience is where it really needs to be.

For the last few months, we’ve been having lots of conversations and online boardroom events with our customers. Common across all sectors and regions is an acute awareness that now more than ever, key data and intellectual property is being accessed remotely through the cloud. This throws up a huge warning signal as to the potential risks this could cause – such as gaps in security policies, confusion over where data is being held, uncertainty over the security controls suppliers are using, etc.

Stuff you don’t know about is what you need to worry about most. Minor changes, such as a small configuration change to network routing may have business-wide implications for where data ends up being stored. In turn, this may have an impact on your data compliance. We can’t know how forgiving regulators may be of non-compliance in the long-term…

It’s for these reasons and more that we’ve seen a noticeable increase in requests for services, such as red teaming (mirroring real-life cyberattacks to test an organisation’s security defences and response) and penetration testing (authorised, simulated cyberattacks on IT systems to test their security).

These services help you understand the risk - specific and meaningful to your business. Once armed with that intel, then you can focus and prioritise the remediation needed to get the visibility and control you want.

But getting a holistic view of risk is multi-layered:

  • there’s what your own blue teams and security operations centres see coming in
  • there’s what providers, like BT, can offer in terms of sector, regional and global views on threat intelligence
  • there’s what national cybersecurity bodies, like the NCSC, can share, and
  • there’s what we can learn by all working together as a community.

Coronavirus is a global pandemic, so the more we work together to share intelligence, share learnings and share ideas which defend against the cybercriminals looking to take advantage of this, the stronger we’ll all be.

The adjustment to the impact of Coronavirus has been huge, but the need to consider regulations and compliance, as well as resilience should still be paramount.

The most prolific way into your organisation is through one of your people. So, the best line of defence against the cybercriminals is making sure you’ve turned on your human firewall.

It’s crucial to make sure your employees are fully aware of your security policies; that they’re using the security available to them on their work devices, as well as personal devices; and that they’re always taking advantage of the latest updates for these.

You also need to encourage your employees to be on the lookout for emails - no matter how legitimate, no matter how urgent – that demand a quick action. They need to be encouraged to always take a pause and ask themselves, ‘Is what I’m being asked to do normal?’, ‘Is there anything strange about this email / instruction?’

If there’s any doubt, they need to pay attention and figure out how they can verify if it’s real and how they can keep themselves and your business safe.

It takes no more than 30 seconds to engage your rational brain. Those seconds won’t make much of a difference to the right decision, but it could make all the difference in the world to the wrong one.

But with your employees working from home, security awareness and your security guidance shouldn’t just be shared with them; you also need to think about extending it to the people sharing their new offices – partners, children, relatives.

The future is hard to predict right now; we don’t know what the new norm will be. But as we adjust, it’s a great time to explore and identify the additional security controls you need as part of your new reassessed and reset security strategy.

If you want to know more or have any questions, please get in touch.

Whether it’s practical help or reassurance, we’re here to help