The “New Normal” Could Mean New Risks to Your BusinessFour cyber and operational risk of working remotely
Many organizations are not ready to manage a remote work force, and cyber criminals can use this to their advantage. Now, that many business owners are considering a more permanent remote workforce, they also need to consider the risks associated.
This COVID-19 pandemic has forced many organizations to make major operational changes in order to keep their employees safe and ensure business continuity from a distance. Prior to the lockdowns and shelter-in-place orders, only 29% of Americans were permitted to work remotely, according to the Bureau of Labor statistics. Shifting from loose remote working policies (or no remote working policies) to having basically 100% of a workforce working remotely was of course a feat in and of itself. The health and safety of employees and how they were able to work productively at home was the priority for business owners at the height of the pandemic.
Now, as we transition into a “new normal” the question that should be topping business owners’ minds is shifting, from the initial urgent need for ensuring personal health, to now questioning safety of business operations – i.e. ensuring your networks are secure, your company data is protected and remote working isn’t opening your business up to certain vulnerabilities or potential cyber attacks. This is especially true if you and your management team are considering shifting to allowing for your team members to work permanently from home for the near future, and/or adopting a flexible remote work agenda for the long term. When doing so, there are important (and potentially damaging) aspects to consider, to ensure your team – and your business – stay safe.
Now that you’ve made sure your employees are safe and secure while working at home – can you say the same for your business and company information?
If you are considering a more permanent work from home/remote work environment for your team, it is of the utmost importance to question your risk analyses and appetite, while taking into account your new financial and operational reality. There are several areas and issues we see that could have the potential to impact your business.
1.First, remote working means different working environments. Many companies are now turning to remote work as a solution to ensure business continuity, but this situation makes it difficult for IT Teams to enforce security hygiene and ensure secure connections. Weaknesses in employees’ actions or set ups can increase the potential attack exposure to cyber criminals.
Most organizations were not ready for massive teleworking and in some cases had to use workaround processes or solutions, which are also riskier. It would be important to check in with your IT team or risk management professionals, to address potential areas of weakness, such as:
- Access to confidential company data through unsafe home or public Wi-Fi networks;
- Vulnerable VPNs due to outdated software;
- Ineffective backup and recovery systems; and
- Reduced security on personal devices and computers.
2.Second, now may be a good time to consider an assessment of your overall cybersecurity solutions and processes. Many organizations paused or slowed down operations during this crisis; priorities shifted. Cybercriminals are not pausing. If you rely on a Security Operations Center to monitor your security events, chances are that it is not performing as well when everyone is working remotely. And the increased cyber-threats that we currently observe require optimal attention and solutions.
3.Third, picture it: you know that there are more risks to consider for your own company, and some processes may be performing less than optimally at this time; the same can be true for the third-party suppliers that you rely on. The potential for cyber incidents originating from the third-party suppliers that have access to your systems is on the rise. Your vendors’ performance might also be impacted by remote work or workaround processes that they needed to implement. The crisis really does impact the whole supply chain, so it’s best to ensure enhanced security and vendor management.
4.Lastly, beware of social engineering – CEO scams and other impersonation techniques like the fake bank supplier or technician have been very popular in the past few years. Guess what. When employees work remotely, rather isolated from their day-to-day environment, social engineering becomes a lot easier and chances of success increase for fraudsters. In the past, many fraud attempts were not successful because the targeted employee could easily to speak to his/her colleagues by chance while in the office. At home, you are a lot less likely to “bump” into your boss and ask about the wire transfer you were ordered to send. It’s important to remind and educate your team members that the threats are always prevalent, so they should remain vigilant.
The above list of business and IT risks that have become more predominant because of the pandemic is by no means exhaustive. Risks are constantly changing. Companies must analyze each risk to determine the potential impact it could have on the business, and put in place the appropriate measures to decrease or mitigate risk exposure.
We suggest risk assessments to uncover where your business may be most vulnerable. As illustrated below, a sound risk assessment should consider the following activities:
- Identifying key assets which will help in focusing efforts in the right direction.
- Evaluating key risks from the perspective of your IT teams as well as business teams.
- Mitigating measures to evaluate whether risks identified are adequately managed as per the organization’s risk appetite.
- Sustainable action plans should be built when the risk level exceeds the risk appetite.
The pandemic has created a situation where several risks are increased, from information theft to cyber attack, from social engineering, to third party vulnerabilities, and the list goes on. Organizations need to have a clear perspective on their business and IT risks; how they have been or may continue to be impacted by the pandemic or any future remote working policies; and how they can implement sustainable plans for their immediate needs, for the recovery period, and for the long-term.
How can Richter help you?
- Identify critical assets, physical, information, hardware and software.
- Evaluate business and IT risks and mitigating measures.
- Design and implement sustainable action plans.
- Monitor execution of actions plans.