As governments and citizens work hard to overcome the spread of COVID-19, one of the largest containment measures implemented globally has been the massive shift to remote working. Life has changed so rapidly over the past few weeks; in my own base in Singapore, we have seen ‘Circuit Breaker’ measures extended further¹, which means that I will be spending a lot more time attending meetings from my home office than initially anticipated. Fortunately, I have already had quite some time to adjust!
While many companies have had to quickly scramble to accommodate this phenomenal change in working practices, there is another crucial focus area for supporting a remote workforce: new and increased cybersecurity risks. While driving business continuity operating procedures, CIOs have had to rethink priorities, grapple with challenges such as shortfalls in technology tools², and consider an increase in cybersecurity investments. As the cyber threat landscape broadens, attacks are also becoming more sophisticated and constantly evolving; just recently CenturyLink’s Black Lotus Labs uncovered a new Mozi malware family that was previously believed to have already been in existence.
Security is a people business, and never has it been more important to place some of that responsibility into the hands of your own employees. As mentioned before, a virtual workplace has also meant that some layers of security are difficult to manage; in efforts to maintain business as usual, remote workers are now accessing more data and critical business software and systems from networks, and maybe sometimes even devices, that are not managed by their organization.
Particularly now, during the COVID-19 crisis, there can be a number of ways in which to develop security awareness across the organization including:
Help leadership understand the repercussions of data breaches and losses to enable effective planning and defense strategies. Methods such as embedding cybersecurity into business continuity plans⁶ and increasing investment in security awareness training for employees lay a more stable foundation for protecting an organization’s assets.
Developing and improving cyber intelligence and cyber literacy among a workforce, especially for home-based workers, will ultimately become important digital business priorities to reduce risk stemming from internal sources. It is for these reasons that a vendor-neutral community such as SANS Security Awareness⁷ exists, bringing together cyber security specialists from across the industry to create comprehensive and globally relevant content and training programs for the entire organization. However, this does not mean that the onus lies only with employees to protect your business; rather it is about establishing systems to ensure adherence to security policies.
This ecosystem is where most of the cybersecurity dangers are and the threat surface is wide; it would be a huge undertaking, if not often impossible, to gate and firewall everything and therefore background checks would be vital. For most organizations, the view on cyber security is very technology (i.e. tools) focused. A robust connected security model involving people, processes, and technology is actually what will help evolve your cybersecurity program.
Having a well-defined asset lifecycle management program and data classification in place allows organizations to create security zones and granular role-based access controls, including segmentation of their assets. With proper segmentation, organizations would be able to apply appropriate access control policies, which in a way ring-fence assets and data according to their criticality.
But it is not only the private sector that has fallen prey to security breaches that are caused by human errors; the discussion is also pivoting to the public sector, the large data breach from an agency of Singapore’s Ministry of Finance being a glaring case in point⁸. Promisingly, we are seeing greater emphasis on collective responsibility; the Cyber Security Agency of Singapore is one example of an APAC government agency that actively supports organizations through grants and resources to develop cybersecurity capabilities⁹, while Australia’s cyber security strategy¹⁰ has come under new review to take into account the balance of responsibilities among individuals, businesses and government.
Creating a culture of security cannot be expected to happen overnight; rather it’s a transformation that begins by demystifying technology and preparing your employees to be vigilant of cyber threats in their myriad forms, and to know how to respond appropriately. Cybersecurity professionals recognize threats are always evolving, but the consistent vulnerability is people internal to an organization.
Although security measures such as antivirus software, firewall and system updates are managed by IT departments, employees too can be empowered with education on how to prevent breaches on their end.
Raising knowledge and accountability among the workforce will translate to better customer satisfaction, brand loyalty and digital trust – and these are the values that need to be constantly communicated and upheld to underpin the overall importance of cybersecurity and why it starts at home.
1 ‘PM Lee’s address on the COVID-19 Situation in Singapore’, Gov.sg, Apr. 21, 2020
2 Natalie Gagliordi, ‘How remote work is changing CIO priorities amid the COVID-19 pandemic’, ZDNet, Apr. 9, 2020
3 Rae Hodge, ‘How to prevent Zoombombing in your video chats in 4 easy steps’, CNET, Apr. 29, 2020
4 Joseph Menn, ‘Hacking against corporations surges as workers take computers home’, Reuters, Apr. 17, 2020
5 ‘Surge in Remote Work Increases Cybersecurity Risks adding to COVID-19 Pandemic’, CISOMAG, Mar. 19, 2020
6 Michael Coden, Karalee Close, Walter Bohmayr, Kris Winkler, and Brett Thorson, ‘Managing the Cyber Risks of Remote Work’, BCG, Mar. 20, 2020
7 SANS Security Awareness
8 Eileen Yu, ‘Security lapse exposes personal data of 6,500 Singapore accountants’, ZDNet, Nov. 22, 2019
9 Singapore’s Cybersecurity Strategy, CSA Singapore, Oct. 2016
10 Australia’s Cyber Security Strategy, Australian Government Department of Home Affairs
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided "as is" without any warranty or condition of any kind, either express or implied. Use of this information is at the end user's own risk. CenturyLink does not warrant that the information will meet the end user's requirements or that the implementation or usage of this information will result in the desired outcome of the end user. This document represents CenturyLink’s products and offerings as of the date of issue. Services not available everywhere. Business customers only. CenturyLink may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2020 CenturyLink. All Rights Reserved.