Maintaining best practice during COVID-19 and beyond

The restrictions around the globe, however temporary, are forcing us all to adapt to new ways of working and communicating with staff, students, customers and other internal and external parties. Meeting this challenge, for which no precedent exists and for which existing Business Continuity and Cyber Security Plans may or may not stand up, is changing practices, bringing innovation at great speed and creating a reliance on remote working and online delivery – whether of citizen services, child education, online services or more.

However, while technology can be an enabler, it also brings attack and defence considerations as organisations adjust. The panic rollout is over. Now is the time to review, cement and align our new strategies around information governance and security. If you do not, you leave yourself open to the boom in cyber criminals who now, more than ever, have an open field to exploit vulnerabilities that could leave you with financial losses and loss of key services for those you serve.

The challenge now is closing the gaps, making full use of the existing controls within your technology estate, and having robust policies and procedures so that everyone understands their part during this time – eliminating vulnerabilities and reducing risks.

Remote Working

You’ve bought the laptop, applied some freeware and sent it out to the required person – so we’re okay now, surely? Alas not – the remote worker carries a critical responsibility to understand the security implications of their new home office environment and to act to protect it accordingly at all times.

It is well known that home networks and public networks are less controlled than corporate networks – many home users don’t have firewalls and other security mechanisms. Many have weak, insecure passwords on their home Wi-Fi routers and can be vulnerable to DNS spoofing, where an attacker redirects legitimate URLs to malicious sites.

As a minimum, staff and students should, where possible:

  • Connect to corporate systems via a virtual private network (VPN).
  • If your organisation is not set up for VPN use, employees should at least ensure that their home router uses a strong password and try to minimise the number of connected devices.
  • Ensure that the firewall, antivirus and other security measures on any issued device are switched on.
  • Liaise with their IT Teams for support – or look to use managed services from leading providers such as Phoenix Software.
  • Have guidance on the minimum privacy and control settings for video conferencing apps, and use only those approved by your IT Teams – Microsoft Teams is a great application to use here.
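One way to verify the first three points on an issued Windows laptop is a read-only check against the device's own firewall, antivirus and VPN state. The script below is an added example, not Phoenix Software's code, and uses the built-in NetSecurity, Defender and VpnClient cmdlets that ship with Windows 10/11; the VPN profile name `CorpVPN` and the three-day signature-age threshold are assumptions to be replaced with your own values.

```powershell
# Added example (not Phoenix Software's code): read-only check of the
# remote-working baseline on an issued Windows laptop.
# Assumptions: built-in NetSecurity, Defender and VpnClient modules are present;
# 'CorpVPN' is a placeholder for the corporate VPN profile name.

$VpnName      = 'CorpVPN'   # placeholder: replace with your VPN profile name
$MaxSigAgeDays = 3          # assumed threshold for stale AV signatures
$findings     = @()

# 1. Windows Firewall must be enabled on every profile (Domain, Private, Public)
Get-NetFirewallProfile | ForEach-Object {
    if ($_.Enabled -ne 'True') {
        $findings += "Firewall disabled on profile '$($_.Name)'"
    }
}

# 2. Microsoft Defender: engine on, real-time protection on, signatures fresh
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
if ($mp.AntivirusSignatureAge -gt $MaxSigAgeDays) {
    $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old"
}

# 3. Corporate VPN profile exists and is currently connected
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
if (-not $vpn) {
    $findings += "VPN profile '$VpnName' is not configured"
} elseif ($vpn.ConnectionStatus -ne 'Connected') {
    $findings += "VPN '$VpnName' is $($vpn.ConnectionStatus)"
}

# Report one line per gap; a non-zero exit code lets an endpoint-management
# remediation script act on the result.
if ($findings.Count -eq 0) {
    Write-Output 'OK: firewall, antivirus and VPN baseline all in place'
    exit 0
}
$findings | ForEach-Object { Write-Output "WARN: $_" }
exit 1
```

Run it from an elevated PowerShell session (Defender and firewall status cmdlets need local administrator rights) or deploy it as a detection script through your endpoint-management tooling, so that a laptop that drifts from the baseline is flagged to the IT Team rather than left to the user to notice.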

Remember! Regardless of where your workers are based, it is your legal and regulatory obligation to ensure that your information-handling requirements are still being met. For instance, the use of sensitive information in hard copy should be limited to a minimum number of copies, so they can all be accounted for and, when appropriate, securely destroyed. An example of this would be your Covid-19 Crisis Plan.

Many users will have children, partners and pets around the home, so it is important not to leave confidential and sensitive information lying around. Clear screen and clear desk policies apply in the home, just as they would in the office. Lock and store equipment safely away when not in use, and lock screens when you move away from your workspace, even for the shortest of time.

Protecting your Organisation

Operational challenges just went through the roof with the sudden expansion of remote workers, and the information security controls needed to go with them. If you don’t have a remote working policy or remote working procedures, the Risk and Compliance Team here at Phoenix can support you with templates and their creation to ensure you meet the legislation and compliance controls for your sector. These will help all your end users understand what is expected.

There will have been a dramatic increase in demand as new remote workers require more server infrastructure, network bandwidth, software licences and, of course, IT support.

This is the challenge: the requirements on IT administrative tasks increase exponentially, while at the same time the team must support a remote workforce with new device configurations, password issues, network defence reconfigurations, patching, cyber breach threats and more.

Working with a leading security and infrastructure partner can take the pressure off your front-line team, allowing them to concentrate on the security of the new perimeter and leaving the day-to-day work to experts like Phoenix.

Governance and Breaches

As the number of remote workers continues to climb, so does the number of personal devices being used for business purposes. This brings new challenges, as corporate assets and data are exposed alongside unapproved software and potential malware – leading to an increase in data breaches. You may have an enforced ‘Bring Your Own Device’ (BYOD) Policy in place, but is it up to date? Does it include the following minimum requirements?

  • Approved antivirus and antimalware software.
  • Limited access to sensitive data.
  • Access rights reviewed.
  • Restrictions on synchronisation from approved to non-approved stores.
  • Prevention of corporate information being copied or uploaded to personal cloud storage.
  • Two-factor or multi-factor authentication.
  • SharePoint linked automatically to the Microsoft Authenticator App.

If you don’t have this in place, we can help you to create a policy and deliver best practice guidance.

Business Continuity and the Future Direction

With no immediate end in sight, and even after we’re through the worst, there is still a requirement for you to look at how you have managed and are managing the disruption, and how you will recover to the new ‘normal’ in terms of operating capacity.

While Business Continuity is a formal discipline, trying to implement it on the fly during a crisis is most certainly not the right way, yet many customers have found themselves here. There is still a lot you can do right now to improve your short-term approach to resilience and recovery. However, it is worthwhile – almost a given – to start with the principles of business continuity management (BCM), which come from various bodies: ISO22301, NCSC, DPToolkit, NIST and many others.

As a minimum, you should understand for your organisation:

  • What it is
  • How it works
  • Common pitfalls to be avoided
  • How it is documented and communicated
  • How it is tested

Once you understand the principles, you can begin to develop a Business Continuity Strategy Plan. Using this plan, you’ll be able to determine which areas of your organisation need to be prioritised in the recovery effort, what an acceptable level of recovery is, what remains a risk, and more. Do you have the right resources? What are the key risks? How quickly do you need to recover, and in what order? What happens if you can’t?

You can then develop policies and procedures to support your organisation in rising to the challenges and achieving the desired outcome, as defined by your unique organisational requirements.

As you’re reading this, it may well sound like we’re closing the door after the horse has bolted, and I wish this were the case; however, no one knows how long this pandemic will go on for, or its longer-term impact on resources, the health of our staff members and more. A Covid-19 Business Continuity strategy should cover multiple scenarios with differing timelines – what does disruption look like to you in two weeks, two months, six months or longer?

Business Continuity – The Longer-Term View

At some point this crisis will end, and while it may be tempting to view this pandemic as a one-off event, doing so could be considered short-sighted: terrorism, climate change, cyber crime and a plethora of other threats make for an unstable world, and we should be as prepared as possible.

You may already have business continuity measures in place; you may have implemented them during this pandemic; or you may not have any at all. One thing you should be mindful of, however, is that once we’re through this, your customers will want to know what yours are and will demand evidence and review before signing up for your services. Customers will not be satisfied with an ad-hoc approach, and the case for formal business continuity management will become evidently clear.

So just what is a formal business continuity management system? ISO22301 describes the specification for a Business Continuity Management System (BCMS), which offers a systematic approach to managing business continuity risks and mitigating the effects of any disruptive events. Certification is a great way to demonstrate and prove to customers and stakeholders that you have an effective plan and that it is tested, should it need to be invoked for any reason.

Even if you don’t certify against the standard, using the ISO22301 controls around Business Continuity will prove effective in protecting your organisation. To learn more, ask your dedicated Phoenix Account Manager to schedule a call with the Risk and Compliance Team.

Addressing New and Changing Threats

The events around Covid-19 have introduced new threats into the cyber security landscape. We have seen a huge increase in phishing scams masquerading as legitimate government-issued emails that play on fear of the virus itself. These carefully crafted phishing attacks use emails that purport to be from suppliers or trusted senders (spear phishing), and reports indicate a rise of 66% in phishing attacks between February 2020 and March 2020.

Add to this the shift to remote working, and many organisations are finding themselves subjected to more frequent business email compromise attacks, which fool people into believing that emails or requests come from someone with authority within their organisation.

Working remotely has increased the risk of people falling victim to a coronavirus phishing attack, as they rely more on emails and other communications arriving from unknown or unfamiliar addresses and channels across different devices.

So, while you can’t stop the scammers from trying, you can support your people with education about what phishing scams are and how to protect against them. Awareness training is key, and it helps keep your users safe, as any computer infection during these critical times could result in disaster.

The rapid changes made to corporate networks to accommodate the new ways of working pose significant risks to information security. While many of us have hastily set up new infrastructure, we may have inadvertently introduced vulnerabilities, we may not have patched correctly, and malicious actors are using the confusion to exploit any vulnerability.

Many organisations deploy vulnerability scanning and penetration testing after a major IT infrastructure change as a matter of best practice, but the pace and scale of change from coronavirus made it almost impossible to complete this task. Penetration testing and/or breach simulation testing are great ways to test your network and ensure you keep your users safe online.

Working with Check Point Software Technologies, Phoenix can offer a FREE breach check (irrespective of your technology infrastructure) whereby Check Point will handle the entire incident lifecycle from triage to containment and remediation with detailed documentation and reports. More information on this service is available from the Phoenix Security Team. Consider this as an extension to your existing SOC or IR Teams.

Risk and Compliance Services from Phoenix

Consulting – our experienced consultants, with a Public Sector focus and multi-standard knowledge and experience, are here to support you in accelerating your requirements.

Software – delivering software optimisation for best practice software to ensure you mitigate risk and take control of your network.

Training – staff training webinars that ensure best practice at all times and cover a range of subject areas in real, non-technical formats.

Take Action Today

The Risk and Compliance Team at Phoenix can talk you through best practice; review your Business Continuity and Cyber Security Plans; create and review your policies and procedures; and support you with tabletop exercises. Please get in touch on 01904 562200, email hello@phoenixs.co.uk or fill in the form: