10 Practical Steps to Maintain Cyber Security in a Crisis

Offices are closing their doors and, where possible, staff are being asked to work from home, creating what will be a paradigm shift. While we know the technologies exist to support this, it opens up a new wave of risks for both businesses and individuals to consider.

Before anyone had heard of Covid-19 or the coronavirus, many organisations, and in particular SMEs, were typically slow in recognising and responding to the business risks of privacy concerns, data breach legislation and the associated increase in cyber security threats.

Such organisations are typically operating using legacy tools, ineffective processes and outdated IT policies. They are unaware of the increased business risk that this creates.

Given the current ‘crisis’, business leaders are rightly prioritising their staff and their customers. However, if organisations are to survive – and thrive – beyond this crisis then leaders must not forget to manage underlying business and IT risks which (unfortunately) do not disappear.

In reality, organisations running remote workforces are now potentially exposing their networks, applications and data to more risk.

Hackers are switching to target SMEs having recognised larger organisations have increasingly effective cyber measures in place. This is already resulting in specific campaigns (e.g. via email, SMS and Voicemail) to trick staff into compromising their systems or data.

https://www.scamwatch.gov.au/news/covid-19-coronavirus-scams

It is arguably now more important than ever to ensure organisations have reviewed and updated their IT policies and procedures and that remote staff have effective Cyber Awareness training.

So what can organisations do?

Here are 10 practical steps:

1. Ensure staff dedicate their personal device for company use.

Request that staff do not visit sites considered inappropriate for office use on any device (company or personal) used to access company networks and systems. Staff should also be required to ensure company-approved antivirus and endpoint protection software is installed.

2. Implement a password policy.

Ensure all staff use strong passwords and that they understand not to share credentials.

3. Harden your applications.

Make sure staff can only access the applications, files and data required for their roles and also restrict the use of office macro files.

4. Secure access to your network.

Consider implementing a company VPN or similar. You may also wish to require your staff to use a VPN for all work-related internet activity.

5. Review your Backup / Restore and Disaster Recovery capabilities.

Given your staff pose the biggest threat to your digital security, review your backup and restore policies. And test them! Should your network, files or data be corrupted how quickly can you recover? Don’t forget your staff will be working remotely so if your systems go down, you can’t rely on a ‘war-room’ situation.

6. Provide Cyber Awareness training for your staff.

They are your first line of defence and also your weakest point.

7. Move away from legacy tools to secure collaboration tools.

If you have been over-reliant on Excel, Email and whiteboards to track work then now is the time to consider implementing tools designed to facilitate remote collaboration. There are plenty of tools to choose from that will help your organisation manage your clients, workflows and tasks etc.

8. Review all staff-focused IT policies and procedures.

Make sure they are appropriate for the current circumstances. (E.g. Acceptable Use, Password Policy, Bring your Own Device (BYOD), Cyber Security Policy, Business Continuity, Disaster Recovery). However, if this is likely to be too time-consuming then a ‘crib sheet’ of key initial policy information should be created. This can be a single ‘emergency’ document of additional rules that could span all of these policy areas.

9. Implement data leakage prevention software.

For organisations storing large amounts of personal or sensitive information (e.g. health and professional service organisations), the risk of data loss or breach is heightened with remote working – staff can potentially copy emails or send data through personal email accounts. So, being able to automatically identify sensitive data (e.g. TFNs) or documents and prevent that data from being emailed or printed requires specialist software.
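To make the identification side of step 9 concrete, here is an added example (not code from the original post or any DLP product) of the check such software performs on an outbound message: it finds nine-digit candidates and keeps only those that pass the published ATO Tax File Number checksum, so an invoice number that merely looks like a TFN is not flagged. The sample email text is constructed.

```python
import re

# Check-digit weights published by the ATO for the 9-digit Tax File Number.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Candidate pattern: nine digits, optionally grouped 3-3-3 with spaces or hyphens,
# not embedded in a longer run of digits (avoids matching phone numbers).
TFN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def is_valid_tfn(digits: str) -> bool:
    """True if the 9-digit string passes the weighted checksum (sum mod 11 == 0)."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def find_tfns(text: str) -> list:
    """Return the distinct checksum-valid TFNs in text, normalised to 9 digits."""
    found = []
    for m in TFN_CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        if is_valid_tfn(digits) and digits not in found:
            found.append(digits)
    return found


def should_block_email(body: str) -> bool:
    """Policy decision for an outbound message: block when a valid TFN is present."""
    return bool(find_tfns(body))


# Constructed sample message: one real-looking TFN, one nine-digit reference
# number that fails the checksum, and a mobile number that the pattern ignores.
SAMPLE_EMAIL = (
    "Hi, please forward the onboarding forms.\n"
    "Client TFN: 123 456 782\n"
    "Ref no: 123456789 (this is an invoice number, not a TFN)\n"
    "Phone 0412 345 678\n"
)

if __name__ == "__main__":
    print(find_tfns(SAMPLE_EMAIL))       # ['123456782']
    print(should_block_email(SAMPLE_EMAIL))  # True
```

A real DLP deployment would apply the same decision at the mail gateway and print spooler, and log the match (not the value) for the incident response team.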

10. Run a network vulnerability scan.

Understand whether your network has any basic vulnerabilities that might already be compromising your business.


Due to the pace of the coronavirus and the sudden need to have remote working arrangements in place, it is easy to miss the risk management side of IT but as the dust settles, it is critical that all organisations do a review to ensure they are not exposed.

Simon Cohen
Virtual CIO and Cyber Security Specialist

If you are interested in learning more about Simon and his Cyber Security Workshops in Perth, please visit this link.