In the first quarter of 2020 IT and security teams around the world faced an unprecedented challenge. The coronavirus pandemic grew in a matter of weeks to a phenomenon that would disrupt businesses, lives and the economy like nothing else we have faced before.
The introduction of lockdowns, travel restrictions and stay-at-home orders forced many businesses to adjust almost overnight to a different way of working that avoided staff being in offices or on sites. Some staff had to balance work obligations with a need to home-school children, some had to shelter for their own safety, some were furloughed or laid off – leaving businesses without access to their abilities.
All businesses rapidly moved to allow remote or home working, swapped face-to-face meetings for Zoom, Teams or Slack, worked around site visits, put data in hastily arranged cloud-based file stores and moved to a model where everyone didn’t have to come to work in the same city centre office. Even after-work socialising and team catch-ups migrated to social media or collaboration platforms so people could still keep in touch.
In some cases, this has meant compromise, especially with respect to cyber security.
However, all this was only meant to be temporary – it would last a few weeks, maybe a month or two. The risks were acceptable – and necessary – in the circumstances.
As we draw (hopefully) out of the worst of the coronavirus crisis however, businesses are recognising that working patterns may not return to the same “normal” that they were before the pandemic struck.
What was put in place “temporarily” and often hastily to address a crisis might now become “permanent” and operational for a much longer time period.
This means that risks accepted out of necessity, on the basis that they wouldn’t last forever, may now need to be reviewed, and that activities which could be paused for a few weeks because they were difficult to carry out are now problems that do need to be addressed and solved.
There are obvious areas where security approaches will have to adapt. We have written about the way that security reviews and assessments can be improved here – allowing the review and assessment of security controls in data centres and remote offices without the need for site visits or a reliance on local IT staff providing answers via questionnaires that may or may not be accurate.
We’ve also written a piece here about how the assessment of third parties needs to evolve to accommodate large numbers of suppliers or partners who can’t be visited but might also be in a different risk posture than before the pandemic struck.
There are two other areas where security functions need to work hand in hand with the evolving business models.
With the recent emphasis on home working, and the fact that businesses have had to “make it work”, there is a good chance that some people will opt or ask to remain home based, and others may find that their jobs move out of expensive city centre offices to become home based too.
One can argue that the reason people clump together in buildings to work is because we are social animals and the need to exchange ideas and interact with people is a strong one. Whatever the balance between saving money on office real estate, respecting social distancing requirements and the need to bring people together, there is almost certainly going to be a need for greater flexibility and mobility.
That may mean security teams have to ensure that users working from home PCs have secure routes to corporate systems and email, and that robust mechanisms for file sharing and storage are in place. In general, it is not acceptable for data to end up stored on home user systems where it cannot be protected and controlled.
In some cases this will mean providing laptops in place of desktop systems, or allowing access to cloud-based applications rather than trying to use legacy office or data centre hosted servers, or working with spreadsheets on shared drives that don’t scale well when people are remote and might need local copies or have to try to synchronise their changes.
This method of IT service delivery is not impossible to achieve, but the change in focus from a few people needing to work remotely to a larger proportion of the workforce will have implications.
Part of this is the way in which controls such as anti-virus, patching and security monitoring work. For systems connected to a corporate network, the ability to administer, connect and link to management systems for security controls is a lot easier than when these devices are being used in a remote location.
For example, one approach was to quarantine a system on the network if it was found to have a virus or if its user was found to be acting suspiciously (inadvertently, in the case of a virus). This limited the system’s access to a part of the network where there was reduced risk of further spread, while still giving it access to patch, AV and security intranet servers. In a remotely managed workforce this quarantining would have to work through a VPN connection that the user might or might not have activated. It’s not impossible, it’s just different.
For security teams the way the estate is managed, updated and monitored will need to adapt.
The need for collaboration, videoconferencing and team working solutions has also meant changes for IT functions, in some cases for themselves, so they can continue to operate.
Many businesses already had a facility for webinar-style meetings, more often telephone based, so people could join calls from mobile phones or quiet meeting rooms. The more normal way of working now seems to be using computer audio – an odd but perceptible shift in usage patterns, and a more natural one when people are using videoconferencing and audio and video are integrated.
Also, for those people that didn’t have the facility and were more used to just arranging a meeting room, there will be some who have signed up for free systems such as Zoom to deal with their own requirements irrespective of what their corporate provision is. Some teams or departments will also have agreed at a local/team level to install tools such as Slack to keep in touch and possibly even set up shared cloud drives to handle data exchange “because it’s easier” than using a corporate solution.
What seems certain is that there will be a continued use of these types of systems and facilities for conducting meetings and sharing contact and data between internal and external partners, between offices and between people.
For security teams trying to build security around “getting back to normal” this may mean ensuring their corporate facilities are available and mandated so that little “islands of personal use” and free offerings don’t crop up to fill a void, and that the ability to monitor and police these new communications mechanisms can be found.
Finally, the network bandwidth of 50 people on video conferences and using VoIP might mean that previously uncongested LAN or WAN provisions start to feel the pinch in a way that they didn’t when meetings were face to face or over the phone.
Security in the post-lockdown “new normal” won’t be the same as the “old normal”, but it won’t be the same as under “the lockdown” either. There will be some changes and adaptations needed, and a greater need to deliver assurance and protection to a business environment that has greater flexibility in how it operates.
Central security management, monitoring and oversight will have more systems and technologies to implement policy for, and a more disparate network of systems and users to do it in. This will mean that IT security teams will be forced to look at security delivery/architectural models like “Zero trust” and will have to find ways to protect data that don’t depend on there being a physical location, corporate network and secure endpoint that can be controlled – because there won’t be any of those things for some users.
When this extends to the assurance, visibility and monitoring of systems, there will be a need to decide what data is available, where it can be collected from and what threats (including new or changed ones) need to be detectable by the security operations function. The oversight and audit team will have different controls and platforms to assure in order to give senior stakeholders confidence that levels of protection haven’t been weakened, and risk introduced, as the business has adapted to the wider environment.