An explosion of CMYK colour from the centre of the image outwards.

Expo Talks: Cybersecurity and the WFH world

Do you mind if I run my business from your house?

In the latest ‘Expo Talks’ webinar, our Director of Information Security, Quentyn Taylor is joined by Jason Apel from NT-Ware, Brian Honan from BH Consulting, and Dr Jessica Barker from Cygenta. In the full video below, they do a deep dive into the challenges, wins and learnings of an accelerated move to working from home:

How does your cybersecurity infrastructure cope when your office suddenly becomes twenty offices? Or two hundred? Or two thousand? This was the formidable task that faced millions of businesses around the world when the pandemic struck and lockdowns forced us all to work from home – effectively turning every business, large and small, into multi-site operations. When the safety net of the internal security perimeter suddenly no longer exists and IT teams need to factor in the flaws of employee home office set-ups, it’s not only a change of information security infrastructure that’s required, but a complete change of mindset for everyone.

Digital transformation in days, not years

While most companies had long-term plans to move to cloud and allow employees to work from home, this was largely a strategy for two to five years. When they found themselves transforming in just two to five days, many desk-based companies were simply not prepared. Many had employees logging in from their own personal devices and networks, and, as a result, Brian reports seeing a large number of SMEs experiencing cyber-attacks in the early days of the pandemic, as they were suddenly exposed in a way they hadn’t anticipated. However, this turbo-charged change forced businesses to re-evaluate the way they approached security, resulting in huge innovations.

Security got personal

It didn’t take long for people to realise that the cybersecurity issues they traditionally left at the office now affected them at home. As a result, they began to take more interest in matters of security and privacy overall. However, it was a challenge for information security teams to create frameworks that covered every lifestyle. As Quentyn points out, not everyone has a dedicated working space, or even a room in which they can take calls without being overheard. From chaotic house-sharing to extreme isolation, each circumstance needed to be considered – and not just from a security perspective. Equally, Jason makes an important point about the mindset change required when employees work from home – their houses also become an organisation’s security responsibility. which means helping with their router questions or ISP issues. Yes, this sounds frustrating, but it’s critical to overall security, as people are ingenious at finding workarounds to their IT problems – but in the process can expose you to serious risk.

People-centred training and policy

Jessica rightly stresses that now is not the time to bore with hour long security briefings. “People do not want death by PowerPoint. So, giving people short sharp security briefings, maybe a few minutes video, maybe a quick flyer or a virtual background with a couple of messages on instead. The key is to direct time and effort to snappy comms, bitesize training and readily available support.” It’s also become increasingly clear that positive reinforcement is the most effective approach – encouraging the right behaviours, rather than discouraging the wrong ones. All employees should understand that new cybersecurity measures are simply reflective of the changed way that everyone is working and are there to protect them, their identity and the business that gives them an income. In this respect, it’s important to be mindful of people’s fears and concerns and be measured and realistic when you communicate any level of threat.

However, there are plenty of positives

Many companies are seeing real benefits to the WFH model and actively want to move forward with it. They have discovered that they in a better position to protect themselves from an attack because instead of preparing for disaster recovery, they are instead living with it day to day. Moreover, issues of information and cyber security have found themselves firmly in the boardroom, being treated as matters of business risk, rather than outsourceable IT challenges. It’s become a given that those companies without the correct infrastructure in place are actually at a business disadvantage. This deeper understanding of security issues at a board and management level is also a great way to cascade the importance of cybersecurity to the rest of the organisation, as they can act as influencers, reassure and guide their teams.

Listen to the full discussion below, including three valuable tips on people, process and technology from each of Quentyn’s panellists.

Written by Sarah Vloothuis, External Communications Senior Manager EMEA