As a result of the sudden shift to remote working, firms are experiencing an enlarged attack surface, unfamiliar working practices, a heightened risk of lapses of discipline, and an increased risk of insufficient capacity and of the risky ad hoc workarounds that result. Worse, cyber-criminals are exploiting the situation to find weak points and monetize the disruption. This means a heightened cyber risk profile, and to avoid compounding risks, firms need new controls, rapid adaptation, and potentially a different risk appetite (e.g., to balance business risk against elevated cyber risk).

The following is a checklist of the immediate considerations for top management.

Capacity planning and prioritization

  • Many firms are effectively doing a live capacity test of their remote working infrastructure, hardware, and controls. Communications capacity is also likely to be tested, as is access to hardware such as laptops and servers.
  • Now is the time to prioritize users based on human and business requirements, in order not to let prioritization emerge by default, and to invest in additional capacity if there is a shortfall

Security hygiene factors

  • Many firms have been experimenting with collaboration and remote working tools, in some cases with multiple tools. We have seen huge diversity among levels of adoption across our clients pre-crisis
  • This is an opportunity to establish the remote working model, and quickly align all staff around the tools to use, the rules to follow and the limitations on remote working (e.g., on file sharing) that the firm wishes to impose

Training and awareness

  • A sense of emergency and heightened external risk can cause remote users to take additional risks, breaking ‘normal’ rules to get online or share files
  • It is essential that, as you shift to a new working model, you remind staff of the need for discipline in file sharing, use of secure wi-fi, use of VPN, avoidance of webmail and other ad hoc tools (subject to any special arrangements or risk acceptance you may explicitly decide)

Protecting the core infrastructure

  • Shifting to remote working and compliance with new rules about social distancing will make it hard to manage infrastructure and office-based assets while enabling remote working
  • Ensure there is an adequate skeleton team to manage and protect servers, communications equipment and other office-based assets, potentially using shift-based teams to cover the 24/7 period
  • (Further out, this will accelerate the move toward hybrid cloud operating models)

Protecting mothballed assets

  • Many firms – e.g., in the transportation, leisure and hospitality sectors – are facing the necessity of mothballing assets, or shutting down capacity to minimize costs for the duration of the lock-down period in their markets
  • These assets still require physical protection and, if connected, also represent an attractive entry point for cyber-criminals unless they remain covered by effective cybersecurity (e.g., monitoring)

Cyber risk appetite setting

  • This crisis period is fundamentally affecting all firms’ risk profiles – including human risks as well as financial and business risks
  • At such a time, senior leadership must consider their overall risk profile and be prepared to make quick, explicit decisions about the risks they must double down on controlling and those they want to accept – for example, to relax policies to permit data exchange, spin up cloud environments quickly or change suppliers at short notice

Third-party risk management

  • Firms are focusing on their own people and their own resilience with a strong sense of urgency
  • However, most firms now operate in a complex ecosystem and as a result, are only as secure as their least secure key supplier … whether that supplier provides a critical function like cloud services or monitors the air conditioning
  • It is essential not to forget critical suppliers in resilience planning and to stay closely in touch with them to understand their status and contingency arrangements

Key-person risk

  • It is often the case that, even in a large organisation, technical skills or knowledge may be concentrated in a small number of people, sometimes even single individuals
  • It is essential to cross-train and document or otherwise codify knowledge now, to prevent technology and operations grinding to a halt when one of these key people falls ill or needs to self-isolate

Incident planning and management

  • Most incident management playbooks are based on assembling a team, undertaking an investigation, deploying specialist forensics resources, replacing hardware, etc. But with travel bans and a lack of available resources, how would you manage and recover from a cyber incident remotely?
  • In some cases, the logical answer would be, if it’s not critical, just shut it down. Preparing for these decisions – and the alternative recovery approaches – needs planning now
  • Finally, to the extent there is downtime among staff due to business operating restrictions, now is the perfect time to use any spare capacity for incident response planning and rehearsal

How are you, your team and your firm preparing for the challenges of remote working? What additional risks or challenges have you encountered?

I would love to hear your thoughts and experiences – let’s keep the dialogue going.