Discussing the cyber security implications of increased working from home and accelerated digital transformation
The cyber security implications of increased working from home and accelerated digital transformation are discussed between Securious’s Holly and Tony and Tom Dent of Inspire. The session was designed specifically for an audience of business leaders.
Here’s a transcript of the interview:
[Tom] Hi, my name is Tom and I’m one of the directors at Inspire. I’m based down in Devon and I run the Heart of the South West LEP’s Growth and Scale up Programme for Devon and Somerset.
Our mission at Inspire is to empower and educate ambitious business leaders across the south west and support them in breaking through the plateaus of growth.
Cyber security in a post-covid world
Today, I’m doing something a bit new for Inspire and I’ve invited Tony and Holly from Securious in Exeter to have a conversation about cyber security in a post-covid world.
I’m hoping that a more casual interaction might be a good alternative to the webinars and workshops that we’re seeing so much of online.
I’m also hoping that this starts a bigger conversation about the new low-touch economy that is emerging post-covid.
This will be the first of a series of conversations that the team and I will have with Inspire’s strategic partners across our network in the south west.
So, hi Holly and Tony, how are you today?
You guys are involved with Securious but you’re marketeers first and foremost. How do you see the impact of covid on the businesses that you’re seeing in the south west?
[Tony] I think, Tom, you can’t hide from the fact it’s been a really, really tough and challenging time for an awful lot of businesses and a huge amount of uncertainty.
But I think there is a lot to be positive about as well. It’s been a real catalyst for innovation and as marketing people, Holly and I are particularly interested in new things and innovation – that’s the bit that really floats our boat and I guess what we’ve seen is a lot of people, because they had to make changes, they’re really embracing the idea of going for innovation. And that’s great – they’re much more receptive to big ideas and new ideas and imagining much better futures.
And I think in two areas in particular there have been huge changes across many, many businesses. Firstly, it has accelerated the idea of digital transformation so businesses that aren’t online are getting online in a hurry and businesses already online are moving more and more of their capabilities and their offerings to an online situation.
Cyber security implications of increased working from home
The other huge change has been the shift in working patterns. Obviously, we’ve all had to change working patterns, or most of us have, because of lockdown and so on, but it looks like this is not something that’s going to go away. And again there’s a real positive, potentially, in this. It really could be a great empowering moment when people are able to work in more flexible ways that give them a better work-life balance.
Never going back to a non-remote situation
There are all sorts of hurdles, I think, that have to be overcome along the way but I was looking at some research that was done the other day amongst business leaders, and I think they interviewed 58 business leaders across a variety of sectors and none of them were essentially or mainly or even much remote with their workforces before this, they’ve all gone to a virtually remote situation and the majority of them are anticipating that they will never go back to a non-remote situation.
They’re anticipating having 50 to 60 percent of their workforce at any one time working remotely, which there was obviously nothing to stop it before but it takes something to change and this situation has changed.
So those two changes – digital transformation, working from home and just the whole embracing of innovation, I think, have been the more interesting things that have come out of it that we’ve seen.
[Tom] How are these changes going to have an effect on the vulnerability to cyber attacks?
[Tony] Yeah. I think they have really, really huge implications for cyber security. And this is perhaps one of the, in the short term, maybe one of the downsides of what’s going on.
The perimeter of your organisation is suddenly much bigger
I think that if you think about people working from home, suddenly the whole, to use a little bit, a tiny little bit of jargon, if you like, the perimeter of your organisation is suddenly much, much bigger, you’ve got lots of different machines, people might be working on their own personal computers, they use their own home Wi-Fi connections… they’re out of sight, they’re not necessarily following all the processes that you would normally do. So there is a huge increase in the territory we need to protect and all sorts of vulnerabilities come up because of that, there’s no doubt about it.
Cyber security needs to be baked in
And then I think with digital transformation, you’ve got a lot of new applications, a lot of new platforms, a lot of new things being done online at great speed, which I think is wonderful because we want to move quickly, we all want to move quickly. But doing a lot of things quickly, if security is not baked into those from the start, could result in a lot of vulnerabilities there. So I think in the short term people have had so much to deal with maybe they’ve got away with it more than they might – not everybody has, there has been a huge increase in attacks and so on – but I think if this is going to become a more permanent or semi-permanent thing for businesses, it is something they need to think about because they are more vulnerable right now.
[Tom] It does sound as if there are more vulnerabilities. Why is that?
[Holly] Yeah, so if you look at why there are vulnerabilities in a business, normally in a normal pre-covid world, they kind of fall under three core areas really: the people, the processes and the technology. And actually, if you look at those principles and the impact of covid, everything there has changed so, you know, you’ve got your people now working remotely…
You can’t see what they’re doing
They’re based at home. You can’t see what they’re doing. You’ve not got that direct line of communication – if they click on a dodgy link it’s, at least as they perceive it, easier for them to hide mess ups or whatever if they do do something that puts your organisation at risk. And then you’ve got the processes and policies which, ultimately, are just guidelines for what you need your people to do. But again, it’s very likely that most of those aren’t necessarily relevant right now. It probably isn’t the top of mind for business leaders to have sorted them out in the midst of covid – they were probably too busy trying to get everything set up and make sure it works, not necessarily trying to make sure it’s best practice.
Holes in policies and procedures
So you’ve got holes in these processes and policies, which again is just throwing up all sorts of room for people to do things that put your organisation at risk. And for instance, it might be they’re looking for workarounds, their internet is really, really slow, having to connect to the company network is a bit of a pain and they figured out that actually they can just use Dropbox to send things between each other.
But then you’ve just got data in all sorts of different places. You, as a business owner, have no idea where any of that data is or what it is, how sensitive it is and what it’s at risk to. So that’s another danger.
So, for instance, our CTO last week went to buy something and he called them up to process his payment and suddenly became aware that he was obviously talking to somebody who was working from home and he asked just to make sure the payment had gone through properly and they said ‘oh no, no, I’ve just written it down, I’m going to sort it out later’. And he’s sat there, like, what?! You’ve just written my credit card details down on a bit of paper in your house that might be shared with who knows who. How do I know as a customer what’s going to happen?
And then you’ve got a really interesting kind of reputational edge as well because suddenly, issues in your systems and processes and policies have become visible to the consumer. It’s not just hidden in an office. You’ve got people working from home that tell the customer they’ve just written their details down and will process it later.
So you’ve kind of got the actual risk and then you’ve got a risk of kind of what the hell your customers think hearing such things.
And then you’ve got the technology itself and again, you know, you’ve got people working from home, they might have a really great laptop that they decide actually works way better than the company one. It’s a personal computer, but it’s way quicker, everything’s all set up to the home printer and everything, that makes way more sense.
And again, you’ve got the same issue. You’ve got people doing things on devices that don’t meet your requirements as a business, are not necessarily technically secure. They haven’t got their firewall sorted and you’re just opening up a whole world of risks within these kind of key areas.
[Tom] So sometimes when I speak to business leaders out there in the south west, you mention cyber security and they sort of freeze up… They get a little bit scared. Why do you think that is? What puts them off?
[Tony] I think I would say we talked about amongst ourselves lots of reasons why it’s been quite hard to sell something that is so important for so many businesses in the past. I reckon the biggest thing actually is inertia. The fact that they have not had a cost line for cyber security in the past and they’ve got away with it.
So as long as there’s no one telling them that they have to do it or they have a breach, then to some extent that inertia has meant it’s just an issue that, you know, everybody running a business has got so many things to think about and everybody is desperately trying to make a profit and investing spend in an area that doesn’t immediately deliver a return, if you don’t have to, is not something that people are going to be overly keen on.
People pay attention when things go wrong
They change their tune very quickly if something does go wrong and suddenly the cost of putting it right is way more than it would have been in sorting it out beforehand. Or if they’re in a situation where commercial pressures require them to have a certain accreditation, for example, it changes then and those things are growing and they were growing anyway, there’s no doubt that there’s been more and more interest in people upping their game. It is becoming much more common.
And I think that inertia has still been the biggest issue and that’s what I think, and I know Holly agrees with me on this, this change has shattered inertia. Because all businesses are having to change so much about themselves and they recognise it’s… you don’t need to know anything technical to appreciate that a home working or remote-working situation, there are more vulnerabilities in your system than there were before and you probably need to get those sorted.
So I think inertia has been the problem. I think that’s moved out of the way and there’s an opportunity now for people to stop and reassess and they’ve got new environments, new situations, and actually you get the security right for those situations now.
[Tom] Brilliant. So how do you typically work with businesses on cyber security? You know, what does it look like? How do you make it easier for them to embrace this new world?
[Holly] Yeah, so we don’t believe in one size fits all approaches, every business is different, so it’s hard to answer that but I’ll try because we do follow a similar kind of process with our customers, even if we look at different products and solutions.
So to start off we like to help with the strategy and try and do some of the thinking for our customers. Like it doesn’t really work unless everybody understands it either. So for us all to kind of sit around a table, figure out as a kind of a group where we want to get to and how we’re going to get there.
You need to know where you are
So we would start off generally by looking at the current state of their cyber security. It just makes sense. You don’t know where on earth to go next if you don’t know where you’re at right now.
So you’ve got a range of products: it might be an audit or a penetration test. But basically we assess the current status of the organisation. And then we’d look to help them make things better and we’d create a plan with them. We’d work to their budget, or at least recommend a budget if they’re not sure what kind of level they should be looking at, which is another issue we often encounter – people just don’t know what they need to be spending. So we work collaboratively there trying to get the best solution for them for the right price.
And then once we’ve helped them make things better, we can look at helping them gain accreditations because you want to be able to go out there and shout about the fact you’re doing things right and you care about security and the best way of doing that is by achieving accreditations. So whether that’s a Cyber Essentials certification or an ISO 27001, it really helps open doors for our clients.
[Tom] It certainly helps with competitive advantage, that’s for sure. I guess the most important question is: what do businesses need to do?
[Tony] I think there’s a lot they can do, Tom, but we’ve also got to be realistic and appreciate that people at the moment are struggling to adapt in all sorts of ways and the last thing that we want to do as cyber security people is jump up and down and say that all they need to be thinking about is what we’ve got to do. You asked earlier on about what, traditionally, the issues have been and I sort of suggested maybe inertia, but there’s also the ‘getting started’ thing and how do they get going and not wanting… appreciating this is an issue, but also not wanting to open a can of worms.
Making it easy for them to get started
So we’ve got to try and make it easy for them to get started. But I think the biggest thing that I would say to people is if your environment has changed then doing nothing is a really, really bad choice. That status quo that kind of gave you some comfort, maybe false comfort, but it did give you some comfort before, no longer applies because, as Holly explained, the situation with your people has changed, your processes need to change if they haven’t already and your technology needs to change. So much change – all of those three things are fundamental to the security and cyber security of your organisation so that they need to do something.
It doesn’t need you to spend lots of money
You don’t need to automatically go out and spend lots of money. You don’t need to buy lots of new products. That’s not what good cyber security is about. The best thing is to try and understand those risks and make common-sense decisions with a bit of guidance from experts to sort them out.
I mean, we would give three ways of getting started on this, I think. We’ve got a lot of free resources available on the Securious website that we started putting together when the whole lockdown situation occurred to help businesses through that.
There are also a lot of free resources on the National Cyber Security Centre website because they’re taking this, as you’d expect, very, very seriously as well and they’re trying to make things available for people.
And then the third option is, if you want some professional input, then Securious is always willing to help and we’re trying to make it as easy and accessible for people as possible.
We’ve just launched a new Health Check Audit, which can be carried out remotely so that people can get a sense of where they are. Because again, as Holly said, knowing where you are is the first step to being able to start a journey of sorting things out.
[Tom] Absolutely. So the other day I was on LinkedIn clicking through and I came across ‘Holly and Tony Do Cyber Security’ – What is that all about?
[Holly] It’s a bit of a funny one, really, it’s just our personal space for Tony and me, as marketing people, to talk about cyber security and the things that we’re learning and the thoughts that we’re having and any breakthroughs we have.
Like we are marketing people first and foremost and we’ve recognised actually a massive connection between cyber security and what we do on the daily because ultimately we both care about brand reputation, you know, competitive advantage, building trust in customers. Like we’ve got that beautiful intersection and I am yet to meet, really, marketing people that take it into account and it seems like a massive, massive wasted opportunity.
So yeah, I guess it’s us kind of stumbling through cyber security at the beginning and hopefully becoming a lot better as we go and trying to translate it into language that marketing people like us understand. And actually see value in and want to take ownership of and actually start looking at seriously within their own businesses and organisations.
[Tom] It looks like you’re having a lot of fun whilst you are doing it as well, which I think is really important. That kind of energy translates and is infectious, so carry on doing it – it’s amazing!
So thank you. This is the first time we’ve had this kind of conversational interaction online and I think it’s gone really well. It’s been really useful for me anyway to learn a little bit more about what you do and what’s going on out there. If you want to find out more about Inspire, please go to inspirebiz.co.uk and use our new ‘Ask the Expert’ function and one of our team will be able to answer any questions you have.
Tony and Holly, if you want to get in contact with these two, what are your best connections? What’s the best way of getting hold of you?
You can find us both on LinkedIn and you can have a look at hollyandtony.com
[Tom] So everyone watching, thank you very much and Tony and Holly, again, brilliant. Thank you very much. We’ll do it again soon.
Our pleasure. Thank you, Tom. Bye