Addressing 4 of the most common cyber security issues digital transformation has created

Many organisations now face the painful aftermath of rapid and reactive digital transformation.

Everyone rushed to adapt when Covid-19 hit. We had to make sure staff could work from home. For some, physical shops needed to be moved online. And this was the right thing to do; no question. But businesses now have unforeseen vulnerabilities that’ll need attention sooner rather than later.

Home working is very different to working from the office

There are the obvious issues like internet connectivity, setup of equipment and general access to systems and info. But there are also some very serious cyber security considerations for business leaders with newly remote teams.

What are some common vulnerabilities when working from home?

(In)secure access

It’s terrifying that so many organisations are letting employees access data sources insecurely. This might mean they’ve given no guidance to ensure they’re using a secure network connection… Or perhaps there isn’t a Virtual Private Network (VPN) to the office for them to use. We’ve spoken to a few businesses who just hadn’t enabled secure access to one of their cloud service providers.

Workarounds

If employees are new to remote working, there’s a high chance they’ll be implementing workarounds so they can do their job more quickly and easily. It will be tempting for them to turn off the firewall or weaken other access controls for ease of access. But this just opens the door to threat actors who will take full advantage of these newly introduced weaknesses.

Cardholder data

Many organisations have set their teams up so they can process card payments from home. However, this could end really badly without robust processes and policies in place.

Handling this kind of activity without full access to the onsite corporate systems they’re familiar with leaves room for error and deviation from best practice. Could they end up writing the details down to process later? Or might they email records to a colleague based in the office to input for processing? Such workarounds really don’t even bear thinking about.

Phishing

While most of us can guard against the obvious phishing emails, bogus text messages, and spoofed phone calls purporting to be from Microsoft, the not-so-obvious ones could quite easily catch anyone out.

For example, it could come in the form of bogus messages from internal IT support requesting sensitive information to enable your remote access. Or threat actors pretending to be legitimate clients and requesting payments to be made to different bank accounts. Or non-work delivery addresses being approved and sent sensitive company information or equipment.

There are some simple things we can all do to improve security

We can all play our part in ensuring we’re minimising vulnerabilities and protecting ourselves from cyber attack. We just need to implement some basic checks.

Here are my top five tips to help you minimise your vulnerabilities: 

  1. If employees cannot access your corporate files via VPN, it might be worth implementing a resilient cloud solution with a key service provider such as Microsoft Azure, Google Cloud, or Amazon Web Services (AWS), all of which make it easy to set up robust cloud file sharing. This can be a temporary measure or a permanent part of your business resilience plan.
  2. Ensure your team understands why your processes and policies exist. What could go wrong if they deviate from them? Educating them will massively reduce the likelihood of them using workarounds and leaving your organisation at risk. Such behaviour tends to be down to a lack of understanding rather than malice.
  3. Consider using service providers who specialise in telephone payments, or ecommerce providers who can process card payments in a fully PCI compliant service, removing the risk from your individual users and your organisation.
  4. If you receive a request to change bank account details or are pressed with an urgent payment request, always escalate the request to senior management, or seek confirmation from your bank or finance provider before authorising any such changes. For IT matters, it might be worth implementing an internal security code or phrase known only to your IT support company, so that you can be sure it is really them requesting certain information.

Bonus tip: Ensure equipment isn’t left unattended, or if it must be, make sure the screen is locked to prevent accidental file deletion – or worse, should it fall into the wrong hands (e.g. those of a toddler!)

If you’re still concerned

We’d be more than happy to talk through your current setup and make some recommendations that will improve your security posture. Just give us a call or fill out a contact form below, and we’ll get right on it.