Cyber Security during COVID-19

Date: 29th July 2020


The third edition of our webinar covered the topic Cyber Security during COVID-19. We were joined by our esteemed panellists:

Stuart Golding

Ron Stainsby

Hans-Nicolai Hars

The pandemic brought a sudden shift to working from home, and with it a change in employees' working patterns. This episode covers the cyber security needs a company should address in order to run the business smoothly while working from home. The topic was divided into three parts: People, Process and Technology. The session discusses how cyber and data security change in the move from the traditional office to working from home, including changes in the role of people with data security in mind, changes in business process, and the emerging technology that plays a critical role in the shift towards a digital workforce (work from home).

The panellists started the discussion with their personal views on the change in cyber and data security from the traditional, office-based and controlled model to a wider, diversified work-from-anywhere approach.

Stuart started with his views on cyber security during and after COVID-19 in terms of people: all organisations were forced to move people out of the offices, and a large number of them were unprepared to function remotely. The area where a company needs to focus is providing suitable infrastructure for employees while keeping data security in mind.

Stuart also mentioned data security policies that are focused on the office environment and the need for them to incorporate working outside the office, as well as the need for online security training for the remote workforce.

Rob followed with his views on the same topic and described the People factor as a variable pace. It is a critical area for protecting the security of the business, as the fallout is massive. In the current situation there is a high risk of cyber threats, because employees work remotely on their personal devices, which creates a chance of sensitive or valuable data leaking. Businesses are now facing cyber attacks such as phishing, insider threats, data leakage and hacking, due to a lack of education and a lack of depth in the service provided internally or externally. Companies should therefore focus on these critical areas to avoid such threats.

Hans described his user experience during and after the lockdown. Before COVID they were used to planning and working through complexity on a whiteboard, and they now find it difficult to do this virtually through Microsoft Teams or any other platform, which reduces productivity. He also noted that people using other tools as a sensible quick solution to get their work done might have a huge effect on data security.

The webinar was then broadly split into three categories, People, Process and Technology, and the panellists shared their respective views on each category in the Q&A session.

People: In the transition from working in the office to working from home, people have a critical role in data security. In all organisations, big or small, managers and IT teams have to ensure the wellbeing of their employees while delivering business-critical projects from home. People should understand and comply with basic data security principles, as their actions lead to cyber security incidents. All organisations should take a few measures to protect the business against cyber attacks: compliance monitoring against policies and procedures, and cyber security training so that employees can protect themselves and the business.

The panellists then answered questions on the human factor in data security, discussing the People section in detail and sharing thoughts and ideas aligned with the current working pattern and data protection.

Q. Should employees be more careful while handling the data at their work station (WFH) and bring in more responsibilities?

Stuart agreed that employees working from home carry responsibilities in terms of data protection. He also mentioned that data security is not just the responsibility of the IT department; each employee is solely responsible for the same. To work securely, the organisation should not just provide tools and systems but also give employees proper technical support and guidance.

As the workforce goes digital during this pandemic, process plays a very important role in supporting employees. Employees and companies are supported by compliance regimes such as ISO 27001 and GDPR for handling critical information.

Process: Organisations should develop and adopt supportive best practices and standards to back the business-wide security strategy and avoid cyber attacks or threats. An organisation should adopt proactive measures to identify attacks (solutions to prevent cyber attacks), protect systems (security tools), detect and respond to threats, and recover from successful attacks.

The Q&A session then segued into the next section, Process. As employees were asked to work from home, it was feasible for them to log in at any essential time due to the pause in travelling.

Q. Are these standards supportive enough while employees are working remotely?

Rob mentioned that a business can't just rely on these standards; the organisation should focus on implementing and controlling them. As employees work on their personal devices, they start using whatever tools or applications are available to get their job done, and that might impact data security. So it is important for each individual to understand the business process and work sensibly.

Hans added his views on process: the standards are good, but when working from home, implementing and controlling them is challenging.

Stuart mentioned a number of standards that are most likely to support WFH or remote working in the current scenario, and said there is no direct impact on those standards as such. There is a whole section which covers guidelines on remote working and how an organisation can protect both the data and its people in a remote working environment. Organisations should ensure that those standards are implemented and followed to the best effect, to support the team and protect the data. These standards provide a framework for maintaining and improving compliance with data protection legislation and good practice.

Q. Do you think it is an easier job doing disaster recovery and business continuity planning with this kind of working style?

Rob replied that some aspects might be easier due to working on a cloud-based platform, but there are a few complex exceptions too.

Hans added that some moves to the cloud are much easier, but there is no massive difference in the working pattern.

Stuart mentioned the quick change in business process due to COVID-19, where organisations were forced to move employees out of offices to work from home, and said there has been huge variety in business continuity and disaster recovery plans. It is essential for an organisation to face such situations, as they give a huge amount of knowledge and experience for exploring changes to plans to cope with the given situation. Due to COVID-19 many companies seem to be cutting their budgets for information security, but eventually they will have to pick this up at some point, as malicious hackers will continue to exploit the situation. So it is essential for businesses to invest in information security in the current situation.

Technology: Emerging technologies are set to level up on the battlefield of cyber attacks. Technology plays a very important role in the digital workforce environment. It is essential for an organisation to protect its business by investing in the right devices, tools, software and so on. Organisations should focus on protecting the three main elements in their business activities: devices, networks and cloud. The development of cyber security applications is important to address potential cyber security threats. Networks, systems, hardware and software are the major areas a company should focus on and protect.

The last section covered the ways in which technology helps in pandemic management.

Kaushal commented that companies that were already working on the cloud and with encrypted applications will probably handle this situation, the transition from working in the office to working from home, very well.

And thereafter the Q&A session began.

Since we are operating the business from home:

Q. Is it better to give a dedicated computer/ laptop only for work purposes and how do we ensure security / employee privacy?

Rob replied that businesses can use applications which can be installed virtually on devices to run business activities. Even if the devices are not owned by the business, these applications can help protect the data and internal business activities while working remotely.

Q. How far can we monitor or track business users?

Stuart responded that many organisations decided to put tracking and monitoring tools on business users' devices and keep watch on business activities through webcams. But Stuart suggested that the culture in those organisations looks wrong from the outside: controlling and monitoring employees through such tools shows mistrust and leaves a bad impression of the company culture.

Data privacy laws in several countries exist not just to protect organisations but also to protect individuals. Everybody has a right to privacy which is legally enforceable, and as an organisation we need to make sure we are protecting it. To place employees in a trustworthy organisation, we of course do background verification before employing them. We bring them into our organisation in a position of trust. We also onboard them with proper training, explaining the policies, procedures and standards that protect our organisation, and we make sure the information security team is accessible to them when needed.

To sum up the discussion:

Organisations should invest in technology, software or better systems for data protection, to set themselves up for the future and for situations like COVID-19. Policies, tools and systems are available; it is now up to businesses to make the right choice and customise them.