What comes after COVID? Top tips to manage your security risk

July 9, 2020

When the COVID-19 restrictions came, they came quickly. Most Australian staff were working diligently in the office in early March. Just weeks later, Gartner estimated 88% of office staff were working from home.

Security teams had to work fast, not only to enable remote access to critical systems but to integrate hundreds of new endpoints safely.

Dealing with the impact of COVID-19 will hopefully be a once-in-a-lifetime event for us. It is a testament to those teams that most companies were able to immediately move work remotely without significant effects on their organisational security posture.

The scramble to get up and running

Yet it’s no surprise that most companies had to scramble to get staff safely connected in those first days.

That often led to temporary, band-aid solutions to fix the biggest problems. Organisations were making technology decisions and implementing solutions on timeframes more akin to choosing what’s for dinner. Even the world’s biggest technology businesses said they experienced as much digital transformation in two months as they had planned for two years.

The changes COVID-19 has wrought are likely to be permanent and, as time has gone on, we’ve seen businesses begin to look to the future to empower the eight in ten workers who want to continue working flexibly as we slowly return to normal.

The security imperative

While Australia’s workforce stayed productive at home, so did malicious cyber attackers. In fact, we were given a timely reminder about the importance of strong cyber security recently, with the Prime Minister highlighting major cyber-attacks that are putting pressure on critical infrastructure and public services.

I was recently joined by my Telstra security colleagues John Powell and Cate Furness to discuss how businesses can best manage risk in the aftermath of COVID-19. We came up with three key takeaways for any business looking to improve its security posture:

1. Beyond business continuity plans – it’s time to review and renew security plans

Many organisations had some type of business continuity plan (BCP), however limited, in place pre-COVID-19. Yet it’s probably fair to say most BCPs didn’t have the word ‘pandemic’ specifically outlined.

That situation has meant that a lot of businesses have had to improvise. We’ve seen reliance on VPNs skyrocket, for example, and many organisations have looked to free software to patch up the gaps in their remote working infrastructure. Similarly, businesses across Australia have essentially enabled wide-scale Bring Your Own Device (BYOD) policies, as they quickly integrated employee-owned devices into corporate networks.

Those changes significantly alter what types of risk your business is exposed to. Now is the time to reappraise your infrastructure and renew your security posture and BCP to ensure your organisation is still meeting its governance, privacy and compliance requirements.

Understanding where the changes to the security processes and responsibilities have occurred during COVID-19 is fundamental to ensuring you are as prepared as possible.

2. Balance security and trust

The next piece is to understand how your people fit into the puzzle.

Australian workers have been proven to work harder and be more productive during their time working from home, but there can be risks even in that good news story.

Think about employees who are struggling to work on big online files or cloud enterprise apps. Poor performance could lead staff to resort to downloading documents that may contain confidential data never intended to be stored on personal devices.

Similarly, consider credit card payments. It’s critical that financial data is kept secure and compliant, but staff are likely to simply write down payment information on paper in their houses if they can’t access CRM systems in real-time.

As consultants, we’re often asked how to monitor staff to make sure they’re doing the right thing. I believe the best answer lies in a true balance between trusting employees and empowering them to be productive, compliant, and secure.

One specific way we do this is combining ongoing security communications programs with emerging technologies like Secure Access Secure Edge (SASE). SASE is a way to future-proof your security infrastructure to be more flexible by working from the assumption that the entire internet is your corporate network, and that every single transaction therefore needs to be verified. 

3. Re-emphasise security in your transformation journey

It’s important to emphasise that, while recent reports indicate that security spending is predicted to slow during COVID-19, the priority on security has to remain high. While our teams haven’t necessarily seen a retraction in spending, it is understandable that there has been a delay while organisations have been focused on keeping the wheels moving through the lockdown.

In fact, COVID-19 has shown us exactly how important security remains to our digital transformation journeys.

IT teams have accelerated their existing plans to move toward cloud infrastructure during lockdown to better enable remote employees. That acceleration has seen the security perimeter that was once closely held around corporate networks expand exponentially.

Investment is increasingly being made into cloud security to deal with this new normal – a situation backed up by our own research, which indicates security is the top IT priority for Australian businesses in the next 12 months, closely followed by cloud.

Partnering to define a secure new normal

If COVID-19 has taught us anything, it is that things can be more difficult when we are separated. That lesson is as true for security as it is for people. Security shouldn’t be a standalone solution, but instead viewed as something that is embedded as a better way to respond quickly and robustly to empower our employees and our customers.

Now is the time to take stock, re-evaluate the third-party vendors you are using, the cheap software you may have signed up to, and confirm whether they set you up for success or could be a future point of failure.

And remember that help and consultancy is available from the experts to help your employees stay connected and secure, no matter what the ‘new normal’ looks like for your business.