Why You Should Address the Security Deficit
The COVID-19 pandemic delivered a seismic shock to the working model of almost every business across the world. In the rush to survive, almost all increased their digital reliance and accelerated their digital transformation, and the usual checks on security and privacy controls had to take a back seat.
For larger organisations, this change was often led by in-house resources with detailed knowledge of the tech estate, its capabilities and its requirements. For many SME businesses, this change was delivered by senior management, sometimes alone or in conjunction with an external IT support provider.
Unsurprisingly, security and privacy considerations came second to simply staying in business.
We now know these changes are not just a temporary blip but a permanent upheaval in the way we operate, so there is no going back. The changes implemented in order to adjust to this new reality need to be evaluated and appropriate controls put in place. This security priority is even more urgent in the SME market, where change was potentially implemented in more of a hurry and without the technical backup that large organisations can muster. This has left thousands of SME businesses exposed to cyber risk as a result of simply trying to survive the crisis.
In order to secure your technology estate, you must start by understanding your assets. It is highly likely that your organisation's digital environment will have grown significantly over the pandemic as part of measures to transition to remote working.
Staff sent home to work remotely with new technology and/or devices will have configured these to suit their own home networks and preferences. They may have downloaded unknown software to assist with home working, often without appropriate controls. In short, your IT estate, no matter how big, could be in a bit of a muddle.
To evaluate the situation, start by speaking to department heads or individual staff, depending on your organisation's size. Look at running detective and discovery tooling and review any procurement documents. You need to understand whether any new software solutions were procured by business teams for use during remote working, what new cloud services were used, and whether any new endpoint devices (laptops, mobiles, hard drives, etc.) were issued without your knowledge. In addition, there could be future licensing costs that were signed up to but not budgeted for.
Once you understand what the new business tech environment looks like, the company will need to work with IT providers and security teams to review the controls of new and old infrastructure alike and understand whether they are compliant with policy and with the organisation's risk appetite. Consideration needs to be given to the range of the estate and its integrity from a cybersecurity perspective. As gaps in compliance begin to show through, work with the business to remediate them.
When reviewing security and control, it is all too easy to concern ourselves only with the internal consequences. However, in the post-COVID-19 world, consideration should be given to your suppliers and customers and their interaction with your tech estate. Have your security procedures for new suppliers been circumvented by the pandemic? Is customer data protected as rigorously as it was before lockdown? These reputational risks will multiply as customers and suppliers make their own reviews and greater emphasis is placed on cyber trust between organisations, i.e. only transacting with companies that you deem safe.
Wherever you take action or implement change, document your procedures. Should you suffer a cyber attack and consequential loss, insurers and regulators will want to know that you took this seriously and had a well-considered approach.
Give consideration to the Cyber Essentials and Cyber Essentials Plus accreditations. Investing in these now will demonstrate to clients and suppliers that you are investing in the future of your business and that you take the risks of cybersecurity seriously, for your sake and theirs.
At Melius Cyber we specialise in cybersecurity solutions for the SME business. As part of the roll-out of our groundbreaking MELCaaS product (Cybersecurity as a Service), we are offering discounted rates to work with clients to obtain cyber resilience and Cyber Essentials accreditation.
Richard Brown, CFO, Melius Cyber