Securing Post-Covid Business Strategy
Regardless of size or industry, chances are the Coronavirus pandemic has changed the way your business does business. Whether it is the services and products you provide, how you provide them, or just working out how to keep your staff working- adapting to these unprecedented challenges, and fast, was essential to mere survival.
During the initial response the focus was purely on keeping the business going- and that's entirely understandable. But when necessity, functionality and convenience become the priority, security inevitably takes a back seat. In the context of necessity and 'temporary measures' to get people working, the increased risk of putting security concerns to one side was acceptable and, in many cases, unavoidable.
But what if these temporary measures have changed a business for the better? What if actually, these temporary measures allow a business to operate more efficiently, save money and increase productivity whilst improving their employees' work/life balance? In short, what if a business decides that these temporary measures become permanent?
Having been forced to create a more flexible working environment, many employers and employees alike have come to notice something unexpected- it works. It works really well. Employees can do their jobs wherever they are whilst still being able to meet and collaborate with colleagues, customers are still engaging- and in some cases new opportunities have arisen- albeit virtually.
It is no wonder then that many businesses are considering making these temporary measures permanent and adapting long-term strategies to take advantage of the benefits.
But those security concerns haven’t gone away. Those risks, while acceptable at the time and given the circumstances, can no longer be ignored.
The right tool for the job
The first place to start is to review and evaluate the tools you are currently using. Regardless of whether they were implemented as a COVID-19 workaround or not, look at everything in use today- file sharing tools, video conferencing tools, email and messaging tools, the lot.
You should know now better than ever exactly what your business really needs to operate. What is essential for your employees to be able to work effectively? Do you have the tools in place to facilitate it, and are they the right tools from a functionality AND a security perspective? Just how secure is Zoom anyway, and is Dropbox really the place to share and store commercially sensitive data?
It is so important that the right tools are made available proactively by the business- don't let 'Shadow IT' put your business at risk. Find out what your employees need to do their job and provide the tools for them, before they start finding them for themselves.
Many service providers offer tiers or licensing, with functionality and security features to match. Along with identifying your tools, identify which tier works best for you. This will probably mean paying a license or subscription fee for a corporate-level toolset, but this is money well spent considering the potential risk of 'open' tools.
Keep business data within the business
How you provide external access to business resources now may well be different to how you used to do it, when it was perhaps less prevalent or more ad-hoc. If remote working will form a more fundamental part of your business strategy moving forward, then now is the time to put in the right framework to make it secure.
If your business is using 'Cloud' services such as Office 365 or other Software-as-a-Service (SaaS) options such as Salesforce, then be aware that sufficient security isn't necessarily part of that 'Service'- at least not out of the box. It is still your data and your responsibility to keep it secure, so password policies need to be up to scratch and multi-factor authentication should be strongly considered.
If your data is within your office environment, then you should aim to provide a secure remote access solution that keeps business data within the corporate environment. If you or your IT partner put some temporary Remote Desktop provision in place to allow remote access, is it as secure as it needs to be? Is it usable, auditable and scalable enough to enable your strategy? If not then you should look to implement a new, secure end-to-end solution, or build onto whatever is in place to make it secure.
If you don't already have a VPN capability then again, now might be the time to do it. VPNs offer secure and encrypted communications between your staff and your business data which is great, but it will require expertise and the right equipment to be set up so assess if it's the right solution for you before weighing up the potential costs.
Before pandemics and lockdowns were part of our everyday lives, home network security wasn't high on many people's list of priorities. Home networks are often relatively insecure, but the risk was small as there was not much to be gained by an attacker breaching a home network, except maybe to leech some free broadband.
This is no longer the case, and Cyber Criminals know it. Now, breaching a home network can essentially mean breaching a corporate network by default, and suddenly the security of your employees' home networks could be critical to the security of your business.
Issuing corporate devices and implementing a VPN can massively reduce the risk, but regardless, make IT Resources available to them to help them secure their own equipment. You should also mandate best practices to follow, and provide recommendations in your policies or communications (Is your internet router still using factory-default credentials? Here's how to check!).
Document and communicate your policies
Possibly most important of all, once you have decided on the tools and practices to help you deliver on your new strategy you need to document them in your policies and processes. Creating and communicating clearly defined policies to tell employees what tools they must use and how they must use them will make it clear to everyone what is acceptable and what isn't.
These policies are also something to point to that demonstrates to potential clients (or auditors, if security accreditation is part of your strategy) that as a business, you understand the threats you face and the risk they pose, and steps have been taken to mitigate these risks where possible.
What the 'New Normal' could mean for your business
Businesses have always had to adapt to survive and Coronavirus forced many to adapt faster and in ways they never thought possible. Many business owners now find themselves at a crossroads- do they endeavour to go back to 'how things were' or do they embrace the positives, and potential, in how their business was able to respond?
Each business is of course different, but think about it. If your employees can effectively do their jobs remotely, do you really need all that office space? If your employees can access your business data from anywhere- couldn't that data also be anywhere- or effectively, everywhere?
Suddenly all sorts of opportunities present themselves- opportunities to save money by scaling back real estate, opportunities to cast your talent search wider if location is no longer a factor, opportunities to reduce or eliminate on-premises servers and infrastructure by adopting SaaS and cloud services, and many more. These in turn could then have real business impact- what could less CapEx and more OpEx mean for your business model and your cash flow for example? It's surely worth thinking about.
Cyber Security strategy is a part of your business strategy
If you use a Service Provider or partner for your Business IT then take your business strategy to them, and talk to them about your options to maintain security. You know your business and they should know the best ways to deliver on your strategy- but make sure they tell you exactly what they are doing to ensure that security and auditability are being implemented. Don’t assume that you’re getting the Information Security that you need; you must understand the risks specific to your business and what is being done to mitigate them.
For more general advice and recommended practices, particularly around new challenges that the Coronavirus pandemic introduced, the National Cyber Security Centre (NCSC) is an invaluable resource. This Government organisation exists to provide Cyber Security guidance to businesses such as yours, and is a great baseline for the levels of security you should have in place, and that you should aim to maintain.
The fact is that your business has changed since the beginning of 2020, and the Cyber Security threats it faces have changed along with it. Surviving COVID-19 forced many organisations into adopting practices they may previously have considered as unfeasible or too much of a security risk- but the benefits and opportunities that these new ways of working can afford your business are real.
With the right security consideration and guidance, they can be part of your New Normal if you choose to embrace them for your business.
We do understand that even with the great free information available from the NCSC and other sources, the time required to read and understand this, and to plan and take the relevant actions, is time not spent running your business.
If you need a fresh pair of eyes to validate that your IT team is covering all the bases, or you simply don’t have an IT team and need some specialist security advice, we invite you to schedule a 30-minute call with one of our Cyber Security Consultants to help you understand where your key risks and opportunities are, and how we might be able to help.