Remote working was undoubtedly one of the biggest success stories of 2020. Organisations adapted incredibly quickly, thanks to IT teams working extremely hard to make things happen, and no doubt many people will continue working this way in the longer term.
However, by being forced to make the changes so quickly, organisations may have opened themselves up to new information security risks. Some of these are relatively easy to spot: most of us will have seen the phishing emails, and an unlucky few may have had personal Zoom calls hijacked. Other risks may not become clear until much later. As Warren Buffett puts it: “Only when the tide goes out do you discover who's been swimming naked.” He was referring to financial companies over-extending themselves, but the principle applies just as well here, and it may be a useful analogy when explaining things to less technical colleagues!
With remote working now the norm for most of us, we need to consider whether the systems and processes rolled out in haste have the safeguards appropriate for long-term production use, rather than for a temporary stop-gap. Organisations need policies and processes that provide assurance that data is secure, maintain customer trust and protect the organisation’s reputation. These need to be applied consistently across every channel staff now use to reach company systems, so that nothing slips through the gaps between them.
The key point to remember is that while we’re talking about information security risk, this isn’t just an IT risk but a business risk. So IT leaders have to explain to their senior management why it matters, and get their buy-in for the work (and budget!) needed to develop an appropriate risk management strategy and embed it in policy and practice.
Getting this right is a fine balance between mitigation and agility. Being too risk-averse can be extremely costly, but too few controls can put an organisation’s reputation, and potentially its very future, in jeopardy.
When large organisations suffer an information security breach, it makes the headlines, but most have the scale to recover. When it comes to reputational damage, SMBs often fare worse than larger organisations. A recent article cites a 60% failure rate among SMBs within 6-12 months of disclosing a breach, attributed partly to loss of customer confidence and partly to the difficulty of recovering.
To help organisations tackle information security risks, we’ve developed a White Paper. This covers the principles of assessing information security risk and putting appropriate governance and compliance in place, as well as offering some practical tips. My colleagues will be blogging more about this in the next couple of weeks, or you can download the paper directly here.
If you're looking for another great read, here's one on Helping your staff to work securely while remote.