Date: 4th of March 2021

The Real Impact of Security as a Result of the Pandemic

By Naveen Vasudeva

 

Over the last few weeks, I have been talking a lot about the impact the pandemic has had on businesses across the globe and what the future might hold in terms of how we as a global business community are going to deal with what people are calling “the new normal”.

For a lot of businesses at the height of the pandemic, there was a massive rush to digitally transform so that staff could be mobilised at scale, forcing a change in strategy and a change in business focus. And of course, the ability to fund this would have allowed for rapid deployment.

Small and medium-sized businesses may not have been able to transform as quickly, and therefore in some cases their businesses may have failed, or they have moved to a solution that will potentially now cause them more harm than good.

So, what is the impact of this rapid digital transformation?

Having worked in global corporations most of my career, and I’m sure some of you can attest to this, we were required on an annual or semi-annual basis to run disaster recovery, business continuity, and resilience testing, with whole functions focused on ensuring that they could recover business operations effectively with minimal disruption to business activity.

This meant spreading functions over different geographical locations by dividing and separating technology services, and ensuring staff could access the information and applications that were critical to the survival of any given business.

So, my question is: “How many of you invoked your business continuity or disaster recovery plans at the height of the pandemic?”

The more I have discussed this with my peer group, the more I have found that even though crisis management teams were stood up, the agreed plans were less likely to be followed. Would it surprise you to know that most of these companies had gone through a pandemic simulation test?

The whole point of a business continuity and disaster recovery plan is that you have focus if something goes wrong, and that you have the right procedures, processes, and technology in place to ensure the effective running of your business. In a situation such as the run-up to lockdown 1.0, where every country was instituting its own national restrictions, any existing plan was made void.

The realisation is that any plan went from being active to reactive.

There is a massive drive for digital transformation to enable businesses to work in a very different way. This has created its own challenges, and the likelihood is that a lot of command and control would have been taken away to allow for remote working, as just one example.

Those organisations that were not equipped, or were in the middle of an existing digital transformation, may have to change course.

However, the bigger question is: was security compromised as a result of the pandemic and a sudden drive to ensure all staff could work from home? Does that also mean that organisations effectively and potentially compromised themselves by reducing security controls to allow for a quick and simple solution for staff to access corporate resources?

Have organisations effectively educated their staff and provided their staff with the right level of tools to protect themselves and the business?

Recently I interviewed Craig Ford on The CyberTree Paradox podcast.

Craig and I were talking about what needs to be done now to ensure we don’t have a two-year technical debt hangover as a result of the pandemic.

What do businesses need to do to ensure they haven’t compromised security as a result of rapid digital transformation? What are the basic things that need to be done to ensure effective cybersecurity hygiene? What can organisations do better to help protect their staff now that the way they work has dramatically changed?

Here are a few simple tips:

a) Go back to the basics of cyber hygiene. We talk about it a lot within the industry, but it’s very rarely carried out. If you get the basics right, you’re already in a 50% better position. It’s important to understand what the basic controls are that you need to ensure your information and your corporate assets are protected effectively.

b) Take stock: go back and have a look at all of the changes you’ve made over the last year, to ensure the design and operational effectiveness of all of the controls are adequate.

c) Now is not the time for shiny new toys. Yes, we all like the blinking lights; yes, we all like the advanced and exciting new technologies that are out there; but if you want to be effective, work with what you have and make it work for you.

d) Re-look at all of your contractual terms and reach out to your vendors, your suppliers, or your technology providers, and talk to them to make sure all of you are on the same page. The pandemic has changed the way that we need to look at our supply chain, but also the way that we deal with our vendors. Are your contracts still valid? Is the service that you have with your supplier, in terms of security, still the same?

e) Ensure you can patch desktop, network, and application services, and do that on time.

f) Give home users access to VPN tools. If you’re a heavy user of Office 365, Google, Amazon, and so forth, enable two-factor authentication; it’s such a simple tool. Ensure you can control devices through MDM or applications through MAM.

g) Ensure you have effective auditing switched on.

h) Redefine what security education, training, and awareness mean to you in this “new normal” and adjust as quickly as possible. This is most probably more important than any other campaign you will run this year.

Going back to my original question: “Did resiliency, disaster recovery, and business continuity effectively play a part in your business's ability to recover or change the course of direction during the pandemic?” It’s a really interesting question with varying answers and degrees of success. The question is where we go from here. There’s going to be a lot of technical debt as a result of this pandemic.

So, what security vulnerabilities may you have introduced as a result of all of this change?
