What’s next for remote working?
Five times more employees will be working from home. Prior to Covid, home working wasn’t really used that much, even in banking and technology companies, although the rate there was higher. Around 53% of the workforce now works from home.
Given where we are in cyber security and that new technologies are emerging on a daily basis, we need to retrain our staff to support these technologies. The attack surface has never grown faster. We are also seeing more and more offensive investment being made by nation states. Campaigns are driven by a desire to gain a new capability and to monitor certain activities. This is now adding chaos to the cyber world. We have all had to respond to a business continuity crisis. It has been complicated to stay in touch with all of our employees. It was great to have security controls, but a business had to be able to operate. The result was a lowering of security standards.
We are now looking at how we bring these standards back up. Adversaries see this as an opportunity, not a crisis.
There will be four themes over the discussion.
The new normal and related risks
What are the main threats with the new normal/remote working? What is less relevant today?
Given the new normal of having to connect with a workforce that we can no longer interact with in the same way, we have seen a number of organisations unable to roll out the same security controls. They have had to connect home devices. It has increased exposure to security threats. The state in which the devices are is unknown. Previously, it was easier to roll out an effective patching programme. It’s still a lot of work to do this, but with home workers you lose that ability. It isn’t the same as previous controls. We have to rethink the controls we have in place.
Some companies were able to upscale easily and patching was less of a problem. Legislators completely changed their rules on sensitive data to allow people to continue working. These changes were made in very quick time and are suddenly standard. It almost seems like legislation has gone and risks have been accepted. It’s almost as if some don’t care that previous security protocols are gone. The technology means we are running to catch up.
These companies have accepted the risk. Either the risk is accepted, or the risk itself is misjudged and people understate the probability of it materialising. This is done in a hurry. Working from home in a VDI environment is different from connecting random devices. These adjustments were made in just a few weeks.
Even companies that had VDI chose to bring in additional groups of workers but couldn’t bring in everyone. The big challenges have been lead times for more servers to host them. Bandwidth into buildings was – and continues to be – an issue. Public infrastructure is a different challenge.
The three areas where another company has had to pivot are, first, technical controls, where everyone is internet based and cloud based at home. Patching was previously not internet based. That has been a struggle. The long-term impact will be fantastic, in that it is heading towards the zero-trust network model. The second is staff communications, and probably the biggest issue. The effectiveness of that communication is magnified face to face. Unlucky if it’s all email. You are struggling to share a brain at work. It’s a challenge not yet mastered. Third was governance. The approach to risk has really changed. Now it’s what’s happening in front of your face, and assessing risk based on business requirements. This is a real switch and is based on personal requirements. This will change the way programmes are offered.
Scaling up capacity for 36,000 people working from home is a challenge. Internally there is a lot of running around, but it is happening successfully. One of the interesting things was the challenges not previously thought of. In insurance, paper based is still important. The issue then is if the person printing it is not in the office, and the person reviewing it is not in the same physical location as the paperwork. We are pushing for more digitisation. This has pushed forward some of the things people have thought were a good idea but not implemented.
In other territories, such as the Middle East, companies are still very paper driven. It is a cultural thing in certain countries. When Covid hit it was a double whammy, being paper driven and doing everything face to face. The pivot has been very difficult.
Every crisis is an opportunity. Zero trust is something that has been worked towards; the question is how we drive it forward. For a long time, a lot of organisations struggled to take risk away from the technical conversation to business continuity. This is continuity versus cyber risk. That is the level of conversation.
Around technology, email communications for some companies has been fixed. That investment in using platforms like Google has paid off. The big takeaway is that moving away from a fixed office environment and boundaries has happened. Nobody is going back to an office any time soon.
The capability to get new initiatives through has broadly diminished. It is still not that easy to make the move.
The biggest challenge in finance and insurance is the general push away from the cloud, a push back against it. Now there is a realisation that adopting the cloud, re-platforming legacy applications fixes a lot of issues. There is an expectation for things to be patched. The elephant in the room is removing Microsoft. 90% of the attacks are attacking poorly patched Microsoft servers and software.
An adversary however will find an exploit anywhere. In March or April there was an uptick in attacks taking advantage of people not getting around to patching.
Vulnerable endpoints – 14,000 workers make for 14,000 offices if everyone is working from home. If you are using collaboration-based tools, you don’t need to go anywhere near a Microsoft environment which is high risk.
A platform that has a large user base is always going to be attractive to attackers. There is security and security. Adversaries are looking at target rich environments. They can breach one in cloud-based environments. It is a much more business continuity driven conversation when it comes to ransoms and will be difficult going forward.
Two London local authorities have gone from 20% of the workforce working remotely to 80%. It mostly works well. Teams are improving all the time. They have coped reasonably well. They are learning how to use tools effectively and work remotely. Risk appetite is slightly more aggressive. Risk management is all about preventing bad stuff happening, but it can stop good stuff happening too. A lot of the sales speak is negative and should be positive. Some of the change in risk appetite has been brought forward. However, people relaxing is a worry as it gives criminals more opportunity. Quite often, tenure of CISOs is not long – 18 to 24 months. In terms of continuity, driving forward is a worry as people are coming and going. Quite often there are breaks in continuity. It can take a while to get moving again. The message of being more relaxed about risk is a worry.
When it comes to risk management, it is about determining likelihood. The more devices connected that are outside of your control, the more the probability that one has already been compromised. It doesn’t have to be a nation-state adversary. Activity can be automated. Something we still need to pick up as a habit is running compromise assessments. This can take weeks, depending on the size of the environment. These assessments can be effective.
Red teaming exercises are expensive but effective. The environment is so different now with Covid and post-lockdown. The risks are a different world.
A big learning point is people that normally wouldn’t be interested in tech. People that normally wouldn’t touch something like Teams are becoming more interested and want to know why it wasn’t used before. The digitalisation has been accelerated. They are talking about these things as part of their day to day conversations. All the projects are now on the table, and tech is there to support. Everything coming through. The risks on the risk register are managed by the board as they are interested. Covid’s biggest value is to drive better behaviour in the organisation. Printing at home has become a conversation – do we allow it? As much as we’d like to be digital, we can’t get everyone to do a signature on their laptop. Sometimes, you need wet signatures. We need to facilitate this where possible. There is more focus and input. It has been positive.
By using compromise assessments, companies can see if their house is in order. It can be a difficult discussion if everyone is not on board.
Cybersecurity from a regulation perspective – from a manufacturer’s perspective in having a role to play in cybersecurity it is a challenge. There is a different perception in the customers. One challenge is the lack of standardisation. Going back to basics, if a company wants to connect to a company providing cloud services, that company will come up with a list which will have elements for vulnerability testing. There is no standardisation. People are grasping what they can and cannot understand. Even an organisation like the armed forces is opening up doors. There needs to be more behavioural change.
The cost effectiveness of security: new economic reality versus resilience
Financially, companies have to decide priorities. They have had to work more on the cost effectiveness side. A lot of focus in some industries is on maintenance just to adapt to new threats as they come. They maybe cannot afford some of their planned projects this year. It’s a reality check.
A lot of organisations are realising that if you are not moving forward digitally, you are dead in the water. Some are at the mercy of what they provide as a service right now. Technology and cyber security need to move with you. Business inertia around it has to change. Those attitudes have been shaken. That has driven a conversation. That technology has to come in. This is a changing cultural mindset, allowing people to work from home. Cyber awareness and the threat landscape have to complement that.
Consolidating your platform is a message to agree with. AI can bring in automation. Teams can focus their attention on problems that have a higher business value. Effectiveness within cyber security is difficult to show. You get headlines saying that something has happened, but you rarely get a deep analysis. We don’t really learn from each other’s issues and frequently reinvent the wheel. It’s an ongoing discussion. We should share more of what we are seeing in breaches in a wider setting.
We all have to manage the reputational fallout from security mishaps, but there is nothing more valuable than sharing the impact and the learning. We are working in a marketplace where these attacks happen – share the information as it makes us all stronger.
We’ve had certain attacks that still manage to breach the organisation. If an organisation is doing everything right, but still something happens, when you look at it from an investment point of view you could question professionalism. Controls still fail to stop attacks. Because we are not really sharing, we can’t share and collaborate on what’s effective. It’s plaguing the industry.
Sometimes, we are forced into putting in place controls that have minimal value in today’s risk environment, and we have to maintain them because the regulators expect to see it that way. It doesn’t matter how complex a password is, you should use two factor. The question is which controls really are important.
Stakeholder Education – reducing risk
How do you ensure your organisation has the budget available to use in the event of a real-life crisis?
Simply, insurance. A lot of companies have cyber insurance. The small print will be getting smaller on that as the risk landscape expands. A lot of people will be investing in that now as it relates to ransomware. CFOs don’t say no as long as they understand what’s happening and the risk to the business.
The risks are managed and visible and communicated. They must be consumable. Risks must be in a meaningful language that people understand. Then the board will and should be looking at that. They understand that and know why they need to spend money on it. Leading up to the pandemic, before lockdown, there were facts for us to communicate with. There were companies in Canary Wharf evacuating floors and sending people home. The dialogue needs to happen in a meaningful way. The financial impact, the ROI.
Some risk is easier to tackle in a crisis. From an insurance point of view, the small print changes, so you will have arguments about the coverage. It’s a reactive strategy. Assessments need to be repeated periodically and risks assessed as a scenario with a probability and range, together with impact. It’s a continuous process and should be carried out every three to six months.
One thing the industry does not do well enough is quantify this in a meaningful way. There is a lot of value we can bring by bringing whatever we want to invest in to the table. Spending to save. It’s not always possible, but we need to be better.
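The scenario-based quantification described above (a probability, an impact range and a "spending to save" comparison) as an added worked example; this is illustrative code written for this write-up, not anything used by the panel's organisations, and the scenario figures are constructed, not real loss data.

```python
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """One risk-register entry: how likely it is in a year, and what it costs if it happens."""
    name: str
    annual_probability: float  # chance the scenario occurs in a given year
    impact_low: float          # constructed impact range (currency units), best case
    impact_mode: float         # most likely impact
    impact_high: float         # worst case

    def expected_loss(self) -> float:
        # Closed form: P(occurs) * mean of a triangular impact distribution
        mean_impact = (self.impact_low + self.impact_mode + self.impact_high) / 3
        return self.annual_probability * mean_impact


def simulate_annual_loss(scenarios, years=20000, seed=1):
    """Monte Carlo: simulate many years, summing the losses of scenarios that occur."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.annual_probability:
                total += rng.triangular(s.impact_low, s.impact_high, s.impact_mode)
        losses.append(total)
    return losses


def percentile(values, pct):
    """Nearest-rank percentile, e.g. the 95th percentile loss year a board should plan for."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(pct / 100 * (len(ordered) - 1))))
    return ordered[idx]


def control_value(scenarios, reduced, control_cost):
    """Spending to save: expected loss before minus after a control, minus the control's cost."""
    before = sum(s.expected_loss() for s in scenarios)
    after = sum(s.expected_loss() for s in reduced)
    return before - after - control_cost


# Constructed example: ransomware on unmanaged home endpoints, before and after adding MFA
RANSOMWARE = Scenario("ransomware via home endpoint", 0.3, 50_000, 150_000, 1_000_000)
RANSOMWARE_WITH_MFA = Scenario("ransomware via home endpoint", 0.1, 50_000, 150_000, 1_000_000)
```

Re-running the simulation every three to six months with refreshed probabilities and ranges gives the periodic reassessment the discussion calls for, in figures a CFO can compare against a control's cost.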
In the finance industry, this is one place where regulation helps us. Banks have to hold capital for events. There’s actually a lot more regulation around that type of principle, and one of the things you are required to do is assess stress scenarios and the impact on capital from an operational risk. The regulated legal entities are required to hold capital against those scenarios. You can invest and hold it in reserve. We can work with you on investments to help free up cash to invest. It’s a helpful lever that banks and financial services can pull as required to hold money in reserve. You don’t want to tap into it, but you’re required to hold it. Not many other industries do that kind of stress testing.
This level of stress testing is only seen in industries where a fault will have a negative impact. Certain levels of stress testing go into testing components in industry and so on. In most other industries there’s an impact on human life.
Driving Employee Security Behaviours and Future Threats
What have organisations been doing to support security conscious behaviours of their employees? Have employers been able to assess the efficiency of that support?
In terms of a set of procedures and good practice, in terms of behaving in a security conscious way ISO27001 isn’t perfect but it’s as good a place as any to start. It tells you the activities you’ll be undertaking. How do you make it relatively more so in the home environment where work and home are blurred? User awareness tends to centre around phishing. What’s missing is how you put together a behavioural change. How do you measure the effectiveness of that? How do you measure this in terms of business benefit other than ticking the boxes? It doesn’t give business benefit necessarily.
The standard and making the plan is difficult. The biggest challenge is email compromise. No matter what controls and training are put in place, the security assessment undertaken by a user is always trumped by business targets, so they will open an email whatever.
The phishing simulations need to be continuously more sophisticated. Where is the line? Some of that intelligence needs to be built back into products. AI can determine typical user behaviour and stop attacks and can stop data leaks. In an ideal scenario in an office, you can check security cameras to find the culprit. We can adopt more intelligent approaches to these problems. Staff can then be given rules to follow.