Over recent years, and particularly after the impetus of pandemic response, remote working has become increasingly prevalent across the economy. In parallel, there has been a drive towards the ‘cloud’ as the basis of IT infrastructure.
Whilst this combination brings tangible benefits, the security threats it introduces can get overlooked. In the ‘old’ world, physical IT networks were set up behind cyber security defences, and users were generally only able to access those networks from the organisation’s own PCs, equally secure behind those defences. Where remote access was facilitated, it tended to be on dedicated laptops, securely configured and remotely managed by the IT function. The Bring Your Own Device (‘BYOD’) model was prohibited by most information security policies for the simple reason that the IT function could not ensure minimum standards on a device it did not control.
The picture today can be very different. Remote workers are, in some sectors, not full-time employees but ‘external consultants’ and, as such, are not provided with IT equipment. The organisation engaging them has taken up residence in the ‘cloud’ and allows those externals to connect to its systems from BYOD end-point devices.
User authentication is in place, and the cloud platform itself is likely to be well defended and resilient. But authentication establishes who the user is, not the state of the device they are using. A personally owned device is more than likely to have inadequate security, if any at all; if it has been compromised, whatever is running on it operates inside the user’s authenticated session, so the organisation’s defences are simply bypassed rather than breached. Such devices are, in effect, the ‘Trojan Horse’ that could allow bad actors to install ransomware or exfiltrate sensitive data.
The implications, should this threat materialise, are clear and potentially devastating. Loss of access to systems and data disrupts normal activities; compromised client confidentiality and personal data breaches cause reputational damage and bring with them the danger of legal and regulatory sanction.
If this technology model is one your own organisation employs, have you considered and minimised these risks? Doing so need not be particularly complex or expensive, and if basic steps have been taken to address the risk, rather than simply ignoring it, the potential legal and regulatory consequences are less severe.
Whatever the size and nature of an organisation, the approach is broadly similar:
· Conduct a non-technical risk assessment. What data do you hold, and what are the most feared consequences of a breach? If personal data is a significant element, have you conducted a Data Protection Impact Assessment (DPIA) to establish how the remote-working model sits with privacy compliance?
· Assess how the IT systems deliver your processes. Which systems can be reached from external, unmanaged devices, and what can such a device do once connected: view data, download it, change it? If the answer exposes you, consider technical and policy controls that bring the risk profile to an acceptable level: for example, minimum standards for any device that connects (a supported and patched operating system, disk encryption, anti-malware), enforced by device management or enrolment before access is granted, and limits on what an unenrolled device may do, such as browser access to data without the ability to download it.
The new ‘ways of working’ model should not become a ticking time-bomb under your organisation, and the least you should do is seek sensible, professional advice.
by Michael Brunker CISM CIPP/E
Collaboration Partner – The Brooke Law Group