As the scale of the Covid-19 epidemic became clear in the opening months of 2020, governments around the world began considering draconian restrictions on everyday life in order to contain the spread of the virus and ultimately limit the resulting death rate. However, in countries with a mature and functioning democracy, this wasn’t just a knee-jerk reaction, but rather a legislative instrument that balanced the need to protect society with the need to protect individual freedoms. In the main, most western countries appear to have struck an appropriate balance. But what does this look like at a corporate level, and why may we be storing up problems for the future?
Companies don’t make laws but they do make policies, and for all intents and purposes they are the same: a set of rules forming a tangible representation of the beliefs of the company. Just as a democratic government needs well-considered laws, a company needs well-considered policy. The difference is that if a government attempted to restrict the freedoms of the population without a law, the courts would swiftly place a halt to such attempts. Within a company these checks and balances don’t exist, which gives rise to the possibility of ill-considered decisions that are not documented, not time limited, and set precedents with the potential for serious repercussions in the future.
In the UK, on Friday 20th March 2020, the government declared that many companies in the retail sector should close and that, wherever possible, employees should be working from home. At this moment, companies across the country found themselves in one of three positions:
- They already had home working set up and available for their staff;
- They had the ability to allow home working, but had not put the necessary arrangements in place; or
- They could not conduct their usual business from home.
Companies in the first and last group were fine – they were in a clear position and were set up accordingly. Companies in the second group, on the other hand, faced a dilemma. But why?
Just because we’re in a national crisis, the rest of the laws pertaining to how we conduct ourselves and run businesses have not been put on hold. The General Data Protection Regulation (GDPR) still applies, as does the Financial Services and Markets Act covering financial services, and as do regulations relating to other protected industry segments. As such, any change to the way in which staff work has to remain compliant with these regulations. This requires an understanding of the risks such a change generates; policies and standards focusing both on staff behaviours and technical controls; and effective assurance to ensure those controls are working effectively. Did some companies finding themselves in that second category do all this? Probably, but many didn’t, and this is why we’re storing up problems for the future.
When Travelex were breached on New Year’s Eve 2019, it was via a flaw in their perimeter VPN that they had known about for months prior. As a result, the company was unable to function normally for over a month and ended up paying a multi-million dollar ransom in order to recover their operations. Any company that has hastily implemented a VPN without assuring that it is secure, implementing a policy governing its use, or implementing a procedure to keep it up to date is inviting criminals to put them in the same position as Travelex. Over the next 18-24 months, we’re likely to see reports of data breaches enabled by poorly considered measures to allow staff to work from home, many of which will be punishable under GDPR.
The issues seen with Zoom over the past 6 weeks are another perfect example of this. The poor security around Zoom meetings means there is a significant risk to the confidentiality of data if it is used for sensitive discussions; yet its use has exploded as staff reach for any tools they think can help them do their job from home more easily, regardless of what the IT department say.
However, the biggest problem is that of setting a precedent. If the organisation gets into a mindset of “In a crisis you can do what you want”, then it becomes easy the next time around to declare a minor situation to be a crisis and put the security of the company’s information at risk through an ill-considered decision.
So, what’s the solution for when you’re faced with a major change to working practices?
- Have a good understanding of your risks. Practically, this means they are periodically assessed and stored in a risk register.
- Have a crisis management group with appropriate membership. This should not just be the executive, but business unit leads, IT, Information Security, Risk and Governance, and staff performing the day to day work. (It’s not enough to just have the head of customer services in the group, you should have someone that actually sits on the phones all day.) For a small company, this could therefore be an all-staff group.
- Understand what changes to working practices are needed. This is why you need a broad cross section of the organisation on your crisis management group.
- Evaluate these working practice changes against your risk framework and register: Do they introduce new risks, or push any of your current risks outside of the company’s risk appetite? If so, can the risks be managed, or does the organisation need to adjust its risk appetite? If the answer to the second question is no – the risks can’t be managed to an appropriate level and the company does not want to adjust its risk appetite, then the change should not be made. (If you continue at this point, the company’s risk appetite is incorrectly stated, or the company is being negligent.)
- Define the new people, process, and technical controls necessary to implement the changes.
- Create or amend your policies, standards, and processes to reflect these controls. Approval should then be fast tracked. The approvers for your documents should be members of the crisis management group, so they will already be familiar with the changes.
- If the company needs to purchase new software, services, or equipment to deliver the changes, this should be centrally procured and not purchased by individual staff members. Due diligence should still be conducted, including a review of terms and conditions, contracts, and the security posture of any third parties (there are tools to do this, but a Google search will work in a pinch).
- When the changes have been made, you should test them to ensure they work as expected. That means having staff test the people and process controls to check they’re workable as implemented, and using a combination of internal and external testing on technical controls, such as vulnerability scans and penetration tests.
- Finally, continue to meet as a crisis management group on at least a monthly basis to ensure that the controls remain effective and appropriate.
- After the crisis, an executive decision should be taken on whether to roll back the changes or formalise them as part of business as usual. If the latter is chosen, it should be treated as a new piece of work and follow your company’s governance processes.