It is difficult to believe that it's already mid of June, and we are still firmly in the grip of the Corona crisis – and in more ways than one. Many companies have been forced to switch to having their staff working from home. As a result, it has been necessary to use technologies that were not previously used (or even avoided) in many cases – “working 2.0”, and having to do it almost overnight. However, change always means new challenges and risks, and it is no different for IT and cyber security. So what lessons can we draw from COVID-19 in terms of security? How can sudden change or crises be better managed in the future? This article will give you some initial pointers.
COVID-19 struck us all like a blow to the head, and not just in Switzerland, but all over the world. Many people have been racking their brains (almost literally) over the problems and challenges, and not just in recent weeks. The huge number of issues and concerns will stay with us for a while to come. Every company is facing different challenges, but nevertheless, there are issues that everyone can or will have to work on, sooner or later.
Viruses are not just a danger to health
One of the (big) areas that countless companies need to work on is IT and cyber security. This has always been a constant challenge, but the abrupt change, especially home office, has set in motion a whole lot more. A particularly unpleasant fact is that cyber criminals do not show the slightest consideration, they shamelessly exploit new targets and the fear of the coronavirus (click here for the article).
Many companies have realised that cyber security must now be at the top of the agenda this year. At the very latest, once the Federal Council relaxes the sanitary measures even further and working conditions feel "normalised", it will be time to review the strategies and measures that have been in place to date and make the necessary adjustments. But where do you even start? First of all, the most elementary questions need to be clarified, for example:
- Who takes on which role in a crisis? Who is responsible for what?
- Are there any strategies in place for crises/emergencies? When were they last revised? Was a tabletop simulation ever carried out?
- Have all the necessary technical precautions been taken?
Some companies may be already faltering here. Be honest, you too? Keep reading, but remember that if you want to build skyscrapers, you have to spend a long time building the foundations.
The strategy for success is to take it “step by step”
Anything worthwhile takes time – or, to put it another way, take it one step at a time. That's because quality before quantity is also true here! Right now, you should be devoting yourself to doing the following jobs:
Cyber Security is a top priority for bosses
Cyber security should be at the top of the agenda, not just in the IT department, but also for senior management. Firstly, this is because cyber attacks can affect the entire company; even bring it to a standstill. Secondly, because this level of management is where the resources and main responsibilities are defined. Effective cyber security needs to have sufficient resources, particularly specialist staff. Data protection is also more important than ever, and not just because it is a legal requirement (keyword here – GDPR/DSG etc.). Furthermore, don't forget to keep the board of directors informed and to submit regular reports to them.
Discover your weak points
The point of entry for cyber criminals is often via known vulnerabilities, which of course should not exist. Increasing complexity in IT (security) contributes to this, making regular checks even more important. These include vulnerability scans, penetration tests or breach detection audits, carried out on a regular basis. This is the only way to find and eradicate potential loopholes.
Clear up the COVID chaos
Setting up systems on an ad-hoc basis without checking that they are secure, skipping documentation, neglecting routine tasks like installing patches, etc. – sound familiar to you? No wonder in such stressful times. But don't forget to deal with the chaos! Check the new systems, document the new system components and put them into proper operation or remove them completely. You are bound to come up with some points that need to be revised.
Get your basic structure into shape
No matter how good your strategies maybe, if the foundations are not solid, at some point everything just collapses. That’s why it is important for not only your IT infrastructure and technology in general to always be top-notch, but also your security architecture. In an earlier article, you can learn how to build a secure foundation for your IT security.
Of course, this also includes making technical preparations for the latest conditions and technologies and how to use them – the keyword here is digitalisation (mobile working, home office, cloud computing, IoT/IIoT etc.).
By the way, in our checklist you will find the most important points and tips for implementing “secure” remote working in your company – not just from a technical point of view, but also at management and employee level. Click here for a free download:
Cyber defence – a necessity right now at the very latest
That is why it is important to take cyber defence seriously and fully implement it within your cyber security strategy. Because these days, every company has to assume that its own systems have been – or will soon be – infiltrated. That's why it's important to take cyber defence seriously and implement it as part of your cyber security strategy.
You and your team must be able to rapidly identify and respond to cyber attacks (detect & response) 24 hours a day, 7 days a week. We are well aware that the expense and effort involved is huge. As well as the cost of setting up your own cyber defence center with dedicated analysts, there is also the option of outsourcing this task. In a previous blog article, we have summarised the most important points to consider when making this decision, as well as in a “Make or Buy” guide:
Humans are also vulnerable to viruses
However, cyber security involves much more than just technical components. Something that many people are not aware of is that cyber security starts with people. There are probably very few of your employees or colleagues in the company who are aware of the cyber risks that are lying in wait for them every single day. Not to mention understanding what is required for the “secure” use of PCs, e-mail, the Internet and so on. Unfortunately, one false click is enough to potentially infect the entire network. This makes targeted employee security awareness even more important – especially when working on the road or in home office. On our website, we have comprehensively summarised exactly what this means and the best way for you to deal with it going forward.
Business continuity management – staying equipped through the crisis
Business Continuity Management (BCM) is essential in order to be able to guarantee business processes in times of crisis (or simply in the event of a business disruption) and/or make them available again as quickly as possible. This involves primarily the development of relevant crisis scenarios and emergency plans to make it simpler to manage incidents. With a tabletop simulation, you can identify any stumbling blocks long before the situation becomes critical. There will be more information about BCM in a separate blog article, coming soon.
Expertise in security in times of crisis
None of us can be a “jack of all trades”. Cyber security has become a huge, highly complex field, one where experts are in huge worldwide demand (keyword lack of specialists). You get what we're saying, right? This is why you should be collaborating with external experts in areas where you lack the necessary resources or skills. When things are a bit quieter, seek out a reliable partner with extensive expertise – if only to have the right number to hand in an emergency.
Reform your cyber security
COVID-19 has really shaken us up and has definitely exposed some of the areas you need to tackle. So now, take a step-by-step approach. Involve your team, use your employees' talents and skills, work with cyber security experts, be a motivator and build something important. See these work areas as an opportunity to build something new, something better. And because, as Winston Churchill apparently said, “never let a good crisis go to waste”.
You haven't got a cyber security partner yet? Then take a look at our website, or contact us right away! We have more than 150 members of staff who are experts in the fields of auditing, consulting, penetration testing, architecture and the integration of leading network and security solutions. We also provide comprehensive cyber defence services from our ISO 27001 certified cyber defence center. Are you interested? We look forward to being able to work together with you on your cyber security!