Remote security for remote times
Report by Jason Walsh of the Sunday Business Post. Appeared on the 27th September 2020.
In the context of a global security skills information shortage, the pandemic has created ample opportunity for criminals. Businesses need to be aware and fight back.
We all know that information security is important but working from home and a wider sense of uncertainty in the business environment has led to law enforcement agencies and IT analysts alike warning of a serious and immediate problem.
Gardaí have warned that hackers have worked the novel coronavirus pandemic into their very modus operandi. And, like the pandemic, the crime spree is global.
The FBI in the US has said complaints about attacks have risen 400 per cent, from 1,000 to 4,000 daily, while Britain’s National Fraud Intelligence Bureau reported an identical percentage increase. In August, Interpol said the rise in attempted attacks between January and April was “alarming”.
EU police body Europol has also warned that the long-term outlook is bleak, with straitened circumstances making crime a more attractive option. Targets are varied, from individuals and small businesses to even global giants such as Honda, Garmin and Canon.
Róisín Cahill, director at IT Force, said that there has been a marked increase in cybercrime since the beginning of the pandemic.
“Criminals are exploiting the general confusion created by the pandemic to target victims, with lots of scams related to Covid-19,” she said.
The break in normal routine has left people more isolated and vulnerable to attack, she said.
“It is harder to spot unusual activity when everything else has changed. Online banking seems to be a particular target, with several well publicised attacks in recent months.
Users have had to move over to working from home at very short notice and in many cases it took time for cybersecurity and business controls to be properly re-established.”
At the same time, capital budgets have been under pressure. Companies were forced to invest in equipment to help staff work from home — an expense that came on top of their budgeted spend for the year.
“At the time, uncertainty as to the effects of Covid-19 on their businesses naturally caused uncertainty,” said Cahill.
“Some clients were more affected than others, [for example] hospitality [and] some retail and were inclined to spend as little as possible until things became clearer for them with respect to their trading position.”
Sudden upswing
With so many working from home the question is, can the security perimeter be extended to remote workers? “The short answer is yes,” said Cahill.
Cloud technologies mean the traditional security perimeter was already being replaced, she said, but the recent sudden upswing in remote work has accelerated this.
“The key is to protect your applications and data. Critical factors here are protecting the endpoint device, be it a Windows laptop or an Apple or Android phone, and the users’ identity, for example using multi-factor authentication,” she said.
“The use of secure VPNs will also protect systems which remain on premise. Thankfully, the same cloud technologies which have created this trend also include very powerful features which
allow organisations to operate in a secure and compliant manner, even when users are working remotely.
“These features are often available as add-ons to the basic cloud services and therefore have additional cost both in terms of implementation and ongoing licence costs. It is important that organisations are aware of the features available and are willing to invest time and money in implementing them. The trend for remote working is not going away any time soon and is likely to be a major factor in the strategic plans of most companies over the coming months and years.
Managed security services have never been more vital – or useful. Most businesses have long struggled to recruit in-house security personnel anyway, but following the pandemic many were forced to downsize, and during the lockdown there were few staff in central offices anyway.
“Decisions were made around the viability of retention of staffing numbers and whether it was a better alternative to outsource rather than having permanent staff,” said Cahill.
Cahill said Irish business is increasingly taking advantage of managed service providers to strengthen their defences, in light not only of high-profile attacks but also the changing legislative landscape.
“Historically, Irish companies have been behind the curve when it came to security and compliance matters,” she said.
“Recently, GDPR provided a strong catalyst for businesses to consider security and compliance as critical to their business. The Central Bank has also played a strong role ensuring that financial companies take the issue seriously.
“Large fines and well publicised cases have focused minds and we find that our customers are increasingly aware of the need for cyber security and are willing to invest time and money to get it right.”
There is still room for improvement, though. Cahill said that policy has a role to play, and businesses should consider using an existing framework such as CIS, ISO 27001 or Cyber essentials, and to work from the board down rather than seeing it as an IT issue.
“The important thing is to start. Even if you don’t get it right the first time (you probably won’t), having a written policy gives you somewhere to start and something to improve upon. The key point is to build a culture of security and compliance into your organisation from the top down and to embark on a programme of continuous improvement,” she said.