Secure Work Anywhere: Mitigating Cyber Risks in the post-Covid-19 Environment

This session explores:

• Identifying risks facing organisations in the ‘new normal’
• How remote working increases the attack surface
• How home offices can be turned into criminal hubs
• Minimising risks of shadow IT - maintaining control of IT and resources
• Endpoint security - bolstering preventative protections, continuous detection and response capabilities

 

 

Transcript

The transcript has been edited for grammatical reasons

 

Steve Wright 0:04

Well, thank you very much, Dan. Good afternoon and welcome. I’m Steve Wright, and I’m chairing for this afternoon. So this is a fantastic lineup. We’ve heard some great speakers and panellists this morning, and there’s more to come.

 

So we have over 200 subject matter experts and their experiences, ideas, knowledge across more than 64 sessions over the next three days. I’d also like to just quickly thank our sponsors Microsoft and OneTrust. And I have to say I love the advert OneTrust. So that is great to music there, I was happily going along to the beat, it was great. Now, don’t forget, you can join the conversation on social media using the hashtag PrivSec Global. As I said, I’m Steve Wright and partner here at Privacy Culture, and I’m basically going to guide you through this afternoon.

 

Now we’re running a few minutes behind. So without further ado, I’m going to hand over to our next session, which again, is very topical and very front of mind for all of us. I mean, it’s a discussion on secure work anywhere. Mitigating cyber risks in the post COVID 19 environment with wonderful host, Catherine Chapman who is, as you know, cybersecurity journalist and founding board member of infosec hoppers. So I’m going to hand over to Katherine, who’s going to do a wonderful job of hosting the next panel. I’ll see you shortly. Over to you, Catherine.

 

Lesley Kipling 1:56

Thank you, Steve. Hi, everyone. Thank you for joining us. My name is Catherine Chapman. And I’m very pleased to be hosting this very timely panel on mitigating cyber risks in the post COVID-19 environment, a landscape or new normal that’s been defined by the acceleration towards remote working and bring your own devices. Let’s meet the panellists who will be taking us through this topic. First up, we have Lesley Kipling, who is the Chief Security Adviser at Microsoft FMEA. Hi, Leslie, how are you?

 

Good afternoon everybody, Thank you for having me. Yes, fine. Thank you, Catherine.

 

Catherine Chapman 2:28

Where are you joining us from again, Lesley?

 

Lesley Kipling 2:30

United Kingdom.

 

Catherine Chapman 2:32

Brilliant. After Leslie, we have Dr. Vinay Wandrekar who I believe is joining us from India and who is a business information security expert at Novartis focussed on the APAC region. Welcome, Vinay.

 

Vinay Wanrekar 2:47

Hello, Catherine. Thank you for having me on this panel.

 

Catherine Chapman 2:53

After that we have Jan, I think you’re here somewhere, Jan Van De Weerdhof, Who’s the information security awareness and education manager. Hi Jan, how are you?

 

Jan Van De Weerdhof 3:08

Hi, Catherine. Good afternoon to all of you listening in. I’m looking forward to this forum today.

 

Catherine Chapman 3:15

Thank you very much. And last but not least, because he has the most difficult name to pronounce. We have a Dr Vasileios Karagiannopoulos. Welcome Vas.

 

Dr Vasileios Karagiannopoulos 3:26

Thank you, Catherine. I know it’s challenging, but it was a good effort. So thank you.

 

Catherine Chapman 3:30

Did I do okay? I’m glad.

 

Dr Vasileios Karagiannopoulos 3:33

Looking forward to the panel and discussing with everyone else.

 

Catherine Chapman 3:37

Okay, everybody, well, obviously, this is a massive topic. And as Steve and myself said, very timely. So let’s, let’s jump right in and start by sketching out the attack lens that’s been created by COVID-19. What does this new normal look like? I mean, we’ve got remote working and bring your own devices. What does this mean for cybersecurity? Um, Jan? Do you maybe want to start us off with that?

 

Jan Van De Weerdhof 4:01

Yeah, absolutely. Catherine, thank you for that. New normal. Well, there we are. I think that is one of those things that we need to really think about. And this is post COVID. But we’re still in it. Today in the UK, where I’m based, we celebrate the first anniversary of the first lockdown. Well, can you imagine more? So the key thing that I have noticed was to take colleagues out of a social environment and making them work from home. That in itself was not only a culture shock for many, but I think it also requires behavioural changes. The lack of bouncing off of each other at the office is one of those. Sometimes you can just share things that you see or notice. And that is not if you work at home on your own. From a protective environment in the business colleagues are suddenly responsible for their own information security. Yes, they were trained, they were well trained by people like me. But in the relaxed home atmosphere, things can change. To the home approaches taken, and I think that is the total new challenge for the new normal nowadays in COVID-19.

 

Catherine Chapman 5:10

And of course, this has happened very quickly as well, we all suddenly woke up and online all the time that that’s the speed has also created a lot of new attack vectors. Is that correct? I mean, what are we seeing in terms of cyber criminal activity due to these changes in in the working landscape?

 

Dr Vasileios Karagiannopoulos 5:32

Thanks, Catherine. It wasn’t just the speed it was the abruptness of it, you know, overnight, a lot of businesses were actually forced to transition to an online environment, and you suddenly have people that didn’t really bother with cybersecurity before or were not really involved with technology as much in their particular role, having to tackle a lot of different aspects of work that were very new, apart from new platforms for communicating.

 

I don’t know about you but this is probably like the 20th different platform, I’ve used to communicate with people and do webinars and other talks, all the way to using VPNs, to having to download protective software, on their personal devices if they were working from home, when they used to do it before. And that was combined with actually having to manage the home environment and all the challenges of being at home. People were home-schooling, for example, at the same time, you will have deliveries coming whilst you’re working. And it was a very stressful, anxious, few months, until people got into the role of home working on a permanent basis. And you had to juggle multiple aspects.

 

Catherine Chapman 6:57

And so I think what you’re saying is, that’s kind of a great area for cybercriminals to exploit, right? Because you have distractions, basically and a lot of stresses, you know.

 

Dr Vasileios Karagiannopoulos 7:10

Exactly what we are, we are using more devices. So there’s more vectors for attack. And some of these devices might not be as well protected as they would be in an office environment. And then obviously, you have more opportunities, you have new types of software, that we’re using new platforms that we’re using online. And we don’t really know what the expectations are, we get emails, I mean, the very common tactic is obviously sending a phishing email that presumably comes from a platform that we are using, or a service that we are using.

 

Now, if we are familiar with the platform’s, we can perhaps tell if an email is phishy or not. But if we’re using 10 different platforms, or we’re getting registration, emails and confirmation of service emails, and updates emails, and all that, and we don’t really know how these look, because this is the first time we’ve used these types of software, then it’s much easier for cybercriminals to emulate some of these platforms, and create very convincing emails that we wouldn’t be able to spot if we don’t have the experience with these platforms.

 

Catherine Chapman 8:21

Right. So new platforms, new software, devices everywhere, data everywhere, and and also the psychological stress that the pandemic has had on, on everyone on everyone. Anything, anything to add to that, do other risks lie in this new normal?

 

Lesley Kipling 8:47

Yeah, you dropped out just a bit thick, Catherine. So no, I can’t say that we’ve seen anything new, I think to to the point of the phishing email that went up hugely, we saw a revamp of maybe old, social, you know, anything that drives that social engineering kind of approach. So big news stories, that’s always been the way. So we’ve seen that adapt, but I think initially during the pandemic, we saw sort of about 18,000 email loads a day.

 

And I think also when you’re talking about social engineering, that’s a really difficult equation, maybe to spot because, you know, these days, I think they are the traditional sort of emails that we used to have in the past which were perhaps to be misspelt. You know, these things have been well crafted and it’s really difficult to spot them so and again, you know, if I can hook it to some sort of news story, then I absolutely will so I think fishing definitely went through the roof, but as I say, not a change in the learner rather than the actual surge of attacks, if that makes sense.

 

Catherine Chapman 9:50

The the change in the lore meaning we’re seeing things about vaccine scams or unemployment benefit scams, that what’s your hitting? Vinay, what it what are you seeing from India and your part of the world in this landscape?

 

Vinay Wanrekar 10:09

Okay, I like to add something new to this, there was a study on ransomware conducted by sofas globally. And they found out that 51% organisations worldwide were hit by ransomware. And in 73% of the cases, you know, that data is encrypted. But in India, the numbers were very high, 82% of the organisations were hit by ransomware. And they found that in 92% of the cases the data was encrypted. So, you can see in Asia and especially in India, the problem of ransomware is very high. So, we cannot take it lightly. And since people are working from home, we have to increase security awareness and make sure that people know how to work from home securely. So, this is only one of the things and as my co panellists have said, since the number of devices have also increased, and people are working from home, they are actually notaries sharing of computers, and that is why it is creating a lot of problems. So, we have to be very careful how we deal with these problems.

 

Catherine Chapman 11:21

Thank you. And I love how you mentioned security awareness and training, because we’ve all been sort of pushed into this environment, where cybersecurity which is always pushed to be at the table and be a priority is now kind of seem mandatory, has as the pandemic kind of made us more secure, and potentially pushed cybersecurity to the forefront of conversations, or are we still not there? Jan, I know that this is sort of your expertise, do you want to jump in here.

 

Jan Van De Weerdhof 11:52

Not only expertise, but I’ve got a very big opinion about that. I think that we have lacked the investment in cyber security within the pandemic, I think it was more infrastructure. That was a problem for us. The post of doesn’t do it anymore, you can put a poster in the kitchen, where people have their cup of tea, but it doesn’t work. Because you can send a poster out, people don’t read up, people don’t act on it, and you certainly cannot measure it that happens, the whole basis of education, training and awareness or awareness, behaviour and culture whatever way in audio say that has to do with a behavioural aspect of it, people need to behave in a certain way to be secure. We have trained well within the business, but now they’re at home, we don’t have that anymore. And we can’t send 12,000 people an email. Well, we can what’s not the best way of doing that. We can use platforms, and we’ll talk about it later probably what can be done and how we can teach and learn. And I think that that has been a massive development not only for educators like me, but also for the those who provide those platforms. And let’s not forget the connectivity.

 

Catherine Chapman 13:05

And Jan, I think when we were speaking before, one of the things that you mentioned was what seems to be a recurring problem is that consumers think that they’re not big enough to be attacked by cyber criminals. Do you want to talk a bit about that because now effectively every consumer is representing their organisation at home?

 

Jan Van De Weerdhof 13:27

Yes, indeed. We got suddenly those 11,000 organisations at home. It forms one big group of people who are being attacked and it is so much easier to attack someone at home because I think we let our guard down. When at home you get as I said earlier, you get the people at the door, you leave your computers open, you do all sorts of things. Although you think nothing can happen in the home.

 

My cat is very good on jumping on my keyboard. Yeah, and sits on there and loves to sit on the my desk lamp but they press buttons for some reason and the whole thing is open so it may be miscued on something that happens. But Vas mentioned going to the door but I think that is also a risk for us because not only was it the delivery but also scrupulous people who work on behalf of the NHS, not, on the health services, not, and suddenly people become then aware of, Hey, there is something else happening here we need to protect. But I don’t think that as companies we have done enough to say yes, we are going to protect everyone.

 

Catherine Chapman 14:35

Yeah, I like your point about the cat. I feel like the pandemic has made us all the BBC Dad with someone jumping in behind our screen. Leslie, let’s go to you because you bring up an interesting point about this all happened all overnight and some of these people might not be tech savvy. Correct.

 

Lesley Kipling 14:55

And I think that’s one of my pet hates actually young, but that’s fundamentally is trying to take people, your security professionals and turning them into security professionals. Because I know that although we talk about them as being the last mile at Microsoft, of course, we’ve got a huge amount of security investment into training. But really, what I want to get through to is the fact that the platform is transparent, you know, I can train my mum until the cows come home, but she isn’t ever going to turn into somebody who is a security professional. But the net result is, is that she won’t use the tech in a way, that means that she gets the benefit of that tech, because she’s too scared, because we fight them to the point that she, you know, she just won’t use that.

 

Now, in terms of the overnight thing, I think at Microsoft, we were well prepared. And this wasn’t something that we’ve really struggled with, but they were a technology company. And I think the potential to maybe consider kind of that cloud first, I think you’d like trusted, verifiable applications and services that you could use, essentially means that, you know, not trying to overlay again, a bunch of different agents on top of things which impacts people’s user experience, which I think is a bad thing.

 

Catherine Chapman 16:07

Vas, any thoughts on that? I mean, how is the pandemic Lesley started mentioning their change security budgets and investments, from your area.

 

Dr Vasileios Karagiannopoulos 16:21

It is really interesting, I couldn’t agree with Lesley more and in terms of, we shouldn’t be trying, and we shouldn’t be hoping to turn every employee into a cybersecurity expert. I think, even if we don’t have the method, and this also links with what Jan is saying as well. We do need to find better ways of educating staff. And the money is not necessarily always the problem. Yes, obviously, you need the budget, in order to create something that is consistent and gets updated and is efficient. And obviously all that is important. But if we don’t really communicate in the language that people can understand, and obviously an employee in Microsoft would be able to perhaps understand things differently than an employee at a small pub that is sending in a micro business or even a sole trader.

 

So I think, for me, the most important thing is not spending more money. But spending more time with the staff and trying to find ways of communicating these messages, using a language that they would be able to relate with. There’s a lot of advice out there, and there’s a lot of advice out there for a lot of different organisations, is not necessarily advice that people can digest easily. It can be jargonistic, it can be complicated. And the main problem we see from our research is that people find that the advice is not relevant to them, because it is perhaps expressed at a higher level. And they feel well, this is not something if we are talking about the information policy, they sounds too high level for a micro business to implement. Yeah, we need to start small and then build on that.

 

Catherine Chapman 18:17

Yeah, so what are we hearing is that the pandemic has presented a lot of new issues related to cybersecurity, but it’s also a lot of the same old problems as well that were particularly around, how do we communicate these issues and make everyone more secure? Vinay, we’ll jump to you because we haven’t heard from you in a bit, anything to add about investment in cybersecurity?

 

Vinay Wanrekar 18:46

Okay, okay. There are two things I would like to mention. Since you mentioned investment to cybersecurity, there are opposing views. Maybe some time ago, there was a survey carried out by Ernst and Young, and when they interviewed a number of US security officers or CISOs, they said that they were expecting at least 79% of them said that, you know, they were expecting a reduction in their security budget. So, that was the main concern.

 

On the other hand, last week only I moderated a panel discussion on the same topic, and the CISOs all of them said that now, budget shouldn’t be a problem, because since the dependence on cybersecurity for all the business is very high, the CFOs and in our top management will easily sanction the budget. So, that is one thing I would like to say and secondly, Vas mentioned about security awareness Now, what I feel is not only to help you carry out security awareness set greater frequency, but there should be separate universe awareness training for the common users, the separate training for system administrators and separate training for say project managers separate training for top management etc. so that they understand this and it becomes more effective.

 

Catherine Chapman 20:12

Thank you very much. What I’ve noticed, and I’d like to hear from the panellists, if they feel the same as that perhaps we’ve maybe seen a speedier approach to incident response do due to the pandemic. And when I think of a platform like zoom, who very quickly made security changes when they realised that people were zoom bombing or stealing credentials and a whole bunch of things. Do you think that companies are responding to security incidences quicker because of the pandemic? And the fact that we’re all online? Jan?

 

Jan Van De Weerdhof 20:51

Yeah. But it all has to do with a lot of things really? Clarify exactly what you want to hear, because that is, it’s such a broad topic.

 

Catherine Chapman 21:07

And Jan is a wealth of information and doesn’t know where to start. I I wonder if you think that I mean, we’re, we’re still talking about whether companies are taking security more seriously during the pandemic, of course, data breaches are still happening all the time, regardless, and I’m wondering if they’re being quicker to respond to the issues and mitigate the issues, because of the fact that we’re all online all the time.

 

Jan Van De Weerdhof 21:37

I think most of the analysts who look after us, system wise, will have a quick response time. They’re less distracted from the normal business of day to day runnings, they can look at their screens, the end user is totally different. Are they pressing that phish reporting button? Are they doing that well enough? And I think there’s a lot of roles to play here, or pick up to Vinay what he said earlier that you have to have different levels of education. Unfortunately, that is the case. That means that people like me, as pure educators within the group, they have a problem, because that is my job, I need to separate that out, I need to make sure that at every level, everyone understands the clear language, what is required. And that is why I’m hired to do the job that I do. Unfortunately, that was not in the pandemic, seen as the highest urgency. And many of my peers and including myself, we went on furlough, we couldn’t work for the companies, because we didn’t have anything to bring in any further. So we were on furlough for some time. And in the end, we were even made redundant, many of us. So there is an issue that companies have to see that education is very valuable. Constantly.

 

Catherine Chapman 22:58

Thank you Jan, and Vas, where do you think that businesses are struggling to implement their security policies that may have been adjusted or created to fit in with this new normal?

 

Dr Vasileios Karagiannopoulos 23:15

Yeah, that’s a really good question, Katherine, I think, obviously, education is is quite a challenge, because no one is in the office. So how do you communicate that new knowledge? As Yun said, beforehand, you could have the poster in the kitchen where people get the tea. And perhaps they could see that now, if you send an email to 12,000 people and it’s just a generic, be careful about cybersecurity, do X, Y, and Z email? They wouldn’t, they wouldn’t probably really don’t pay that much attention to it.

 

We’re all a bit tired of zoom sessions and zoom trainings and webinars. So designing webinar trainings in relation to cybersecurity can also be a challenge. How do you make this interesting? How do you get people to engage with it, and find it rewarding and, and practical? So I guess, in this respect, you know, the education and the awareness is challenged in the same way that we have been challenged in the university, for example, to come up with new innovative ways of providing education online. We weren’t doing that beforehand, obviously. But now it needs to be done much more extensively. So how do you keep the interest and the efficiency to the high level that you want to keep it? I think that’s one of the main concerns.

 

Catherine Chapman 24:37

Lesley, is there anything that organisations should be thinking about when dating their security policies or procedures to fit in with a remote working environment?

 

Lesley Kipling 24:50

Yeah, kind of complicated. Because I think partly the problem that I saw and certainly when I talk to my customers, is the productivity balance. If you Because it went through the roof. I don’t know about you guys but it you know, furlough 16 hour days that kind of thing. And then again, of course trying to do home schooling from for children at home. So I think it was a really complicated thing and to other panellists point is that you get the different modalities, right of education.

 

Where I think, to pick up on a point that Jan made, which was thinking about the analysts problem, certainly one of the big things that we saw was this huge jump in signal because now everybody’s working from home now outside the perimeter of what the organisation is used to do, or dealing with, I saw customers trying to push all of that information down VPN, so you know, all goes to the cloud, and then they bring it down to VPN, back down to on prem, for security optics perspective. I think when you’re looking at policies and governance, of course, that’s key, especially if you’re talking about multi cloud, whether you’re talking about on prem hybrid, the fact is you want to have one place where you can do those policies and procedures. So I don’t know that they’ve changed dramatically, I would say that, if we’re thinking about Native security controls, maybe that’s a good thing, and not trying to layer security controls on machines, because an example being where we saw organisations who couldn’t go out and get new hardware, because I think hardware became a premium. Asking the employees to basically use their own hardware, but would you mind just layering on these, you know, nine different agents.

 

So that made the productivity and again, the user experience, which I think actually COVID is really tried to bring to the forefront, which is, you know, let’s think about what that user experience is. And how we can make it easier for our employees, our people to be able to do their work while still having security embedded. So as I would always, you know, recommend maybe the native security controls, and then thinking about how you can do those policies and procedures governance kind of platform from one place, rather than have to redo them. Depending on what you’re trying to achieve from that multi cloud hybrid environment.

 

Catherine Chapman 27:11

That makes a lot of sense, unless I’m going to stick with you for a minute, because we’re talking about changes or no changes. I mean, do you think that COVID-19 and what’s happened to our digital work environment, will it spark change to any global computer law or data policy legislation? Do you think?

 

Lesley Kipling 27:32

I’m not certain about that and honestly, I’m not the right person to really answer that. I will say that, is this the new normal? Certainly, I know that from a Microsoft perspective, we are being very careful about opening backup offices, and we’ve actually gone on record stating as if you want to work from home, even if the normal comes around again, then you can do that. So like anything when you’re talking about regulation, and laws, unless you’re trying to push it through very quickly, which maybe means that you don’t get that visibility, or that due diligence approach from that perspective. You know, I think you could end up in a position where you’re trying to retrofit something potentially, as I say, may not be fit for purpose, if that helps. But no, maybe one of the other panellists have got a better answer to your question there, Catherine?

 

Catherine Chapman 28:27

No, I think you’ve given us a lot to chew on there. And thank you very much for those comments. Vinay, any thoughts on changes to the global legislative environment? Because of COVID-19?

 

Vinay Wanrekar 28:42

Yeah, definitely. Because when these, most of these privacy laws were made, they were made, like before the current pandemic came into effect, and that is what now what is happening is most companies, they are collecting information related to COVID with respect to their employees, so when they collect this information, then we have to think about the privacy issues so, we can share only this confidential information, you know, about COVID related to the employees only within the appropriate law enforcement officials. And if you want to share it within the company you should make sure that you share only on the need to know basis. So, you have to consider the privacy impact, which maybe was not considered maybe a year or two ago. So, definitely, the privacy laws will have to be updated in the near future.

 

Catherine Chapman 29:35

Thank you very much. We have a bit of time left and then we’re going to jump to some of the amazing questions that the audience is sending in so keep them coming, everyone watching. Jan, any final thoughts and maybe best advice you would give consumers and organisations about being cyber safe in this post COVID-19 environment

 

Jan Van De Weerdhof 30:00

Cyber safe starts with us. Cyber safe starts with wanting to protect the company from harm, is about recognising the signals, is about thinking about what can we do as an individual. And I think the social environment of businesses has become far more individual. And that is the problem that we encounter. jobs that I have is to inform at every level of the company that they’re still wanted, that are respected for what they do, that they’re partaking in protecting the company. So we send out regular contacts, we send out regular newsletter for everyone to read, we have activities that I can pick up with 1, 2, 3 minute videos. And that is just for people to be engaged, keep people informed, keep people engaged, because that is the key to a more secure environment.

 

Catherine Chapman 31:03

Thank you very much. And Vas, any final thoughts? Before we jump to audience questions? I mean, are we are we more secure today, as COVID-19 brought us an opportunity.

 

Dr Vasileios Karagiannopoulos 31:19

I’m not really sure we are more secure today. But COVID has certainly brought in an opportunity for us to start thinking a little bit more about these issues, and perhaps not in a pleasant way has forced people to consider some of these issues more, not just for their businesses, but for themselves. When I deliver Cyber awareness sessions, a lot of people and these relate to someone’s business, they come back and they say, Well, I think this is very useful for my organisation. But also, on a personal level, I think I can use a lot of this advice. And I think this is the important thing, especially when we see the personal and the professional blending a lot now in the new environment. So yeah, I think I think it’s a great opportunity, I think we need to make the best of it. And progress as much as we can and try to find better ways of doing cybersecurity in the future.

 

Catherine Chapman 32:22

And the best advice that you would give to an enterprise or consumer and being cyber, say, post COVID 19? I mean, is it is it going back to the make sure you have a password manager, make sure you have a password strategy.

 

Dr Vasileios Karagiannopoulos 32:35

You know, I mean, this is this is a very common advice. And it’s very useful. That’s why it’s so common. I like a message that relates to a government campaign. And it’s the take five campaign. And I really like this message, because I think a lot of what happens in terms of compromises in cybersecurity breaches happens, because we don’t really take five minutes to think about whether we should be responding to an email whether the message we got is legitimate, whether we have the updates in place, and there’s the cybersecurity and the antivirus is in place. And I think taking five minutes to think a little bit more about our actions before we do them online, is a great piece of advice, on top of useless caring about passports and so on.

 

Catherine Chapman 33:29

Thank you and which government runs the Take 5 campaign?

 

Dr Vasileios Karagiannopoulos 33:32

The UK Government.

 

Catherine Chapman 33:33

The UK Government. Okay, I say we jump into the audience questions, because we have about 10 minutes left and a lot to get through. So the first question we have is, what is your advice on risk posed by sharing devices for official work and personal activities while working from home to ensure data is compromised? Any recommendations? Lesley?

 

Lesley Kipling 34:04

Don’t pick on me for a moment. I would say my quick responses. So rather than use a password manager go multi factor authentication, right? Because if you can put two factor authentication on all of your stuff, and I’m talking about PayPal, and eBay and all that sort of good thing, you’re in a much better place. And so in terms of devices, I think this is something that Microsoft’s working on, which we talked about from the point of view of Azure, which is confidential computing.

 

So in reality, it’s thinking about how we can make that I don’t want to say sandbox, but we can make that decision about what data is considered to be potentially high, highly sensitive versus data that isn’t considered to be highly sensitive. And then making that determination from the point of view of how we handle the operation from the operating system perspective. So can we put guards in place. So things like Credential Guard to stop people from being able to steal that information. I know that’s not data specifically, but these are all mitigation techniques that are built into the operating system that potentially prevent somebody from getting access to data that’s considered to be more sensitive. But I certainly, you know, I understand the problem in terms of using personal devices, especially where we’re now allowing our agents to be able to allow that device to meet corporate security standards, when there may be an exposure of your private data. So I think that’s a, that might be something that changes actually going forward. Um, but yeah, I hope I answered the question somewhere in there, Catherine?

 

Catherine Chapman 35:45

No, brilliant, I think so I think that it seems like using tools to make the job easier for for companies. The way that you describe using a sandbox to make sure something like access controls and sensitive information stays where it should and, and with who it should be when they anything to add to that in terms of how do organisations ensure privacy sensitive processing, because all their staff are working from home?

 

Vinay Wanrekar 36:18

I think Lesley has covered most of the points. One more thing I would like to add is you can rewrite some of her policies. Now, since people are not working from home, for example, the Access Control Policy. So that is something we have to see, another thing you can do is you look at create separate VLANs, so that not everyone can access a given application. And finally, you can have multi factor authentication. So, I think these are some of the ways you know, we can ensure that, you know, we can maintain a proper security in the company.

 

Catherine Chapman 36:54

Brilliant. Let’s jump right into the next question. Thank you, again, to all the audience members for sending these in. This question says, what would the three key recommendations to ensure information security in the remote work model be? What would be the core transactions actions in the system that you would recommend to have restricted? Jan any any thoughts on this question, three recommendations to ensure information security.

 

Jan Van De Weerdhof 37:27

Because educators chair, I still think that whatever system we have in place, it is the behaviours of people that can’t, within the usage of the behaviours, when they earlier used the word policies is great to have good policies, you need to have good policies. But if people don’t read the policy, you will not have any action on it. So that needs to be trained out. And therefore you need to act on something that is valuable. Because people always say, What’s in it for me? What do I do? And why do I do it? So the policies are great, we need to train them out.

 

And the benefits support from a technical point of view, yes, I’ve got my phone running here, I work on my desktop, I’ve got my work laptop next to me, there are lots of devices that interact with my company. And I think that Lesley is totally right to have that, from the zero point of view, totally spot on, to have those protections in place to have that. But it is a people thing. It is still about people. I’m glad that you mentioned take five campaign, I do something like just think just click campaign. So don’t just click, just think. That sort of thing. You need to make it simple, make it accessible. So there’s my my view on that.

 

Catherine Chapman 38:50

Thank you very much fast. Vas, do you want to jump in with any other thoughts on that?

 

Dr Vasileios Karagiannopoulos 38:55

I agree with Jan. And I think even if you restrict platforms on the network, people will especially if we’re talking about homeworking, and especially if we’re talking about people using personal devices, people might find ways around you accessing what they would want to access anyway. So I don’t think putting too many restrictions in place sends that message as well. I think the important thing is to communicate why people don’t have to access particular platforms, why they should avoid particular activities, using work computers and work devices, and why they should follow particular advice.

 

I think it is important to communicate what is in it for them why they need to do it and not just for the sake of not getting fired. I think you know, the main message, I think, from a policy perspective is that if you make a mistake, just report it as quickly as possible. And it’s a mutual kind of problem. And it needs to be dealt with very quickly. So creating this environment of restrictions and bans and penalties, I think is not very positive because it makes people want to avoid the restrictions and go behind the scenes and even hide certain activities that might compromise the network. And then obviously, the compromise can fester for a longer period and it can become bigger.

 

Catherine Chapman 40:33

Yes we definitely have a..

 

Jan Van De Weerdhof 40:34

As apposed to education I am going to the point of view of praise. Praise people for what they do well. it is not about punishment. If I was marking books in my old science class or physics, I was marking in a blue pen, not the red one, and I could put and I could put lines underneath ”you haven’t put your name at the to of the page”. Okay, but that is a negative comment. So why not turn negative in to positive. Exactly the same words. It’s an educational thing.

 

Catherine Chapman 41:08

Thank you very much. Okay we have a couple minutes left, this one I am going to throw to the panellists and just give a wave if you’d like to respond or jump right in. Where are the real challenges with cloud platforms such as Office 365 for file sharing and so on? Anyone want to talk about the challenges of working with cloud and file sharing platforms during Covid-19? Lesley?

 

Lesley Kipling 41:37

I’ll go first because the mentioned O365. It’s interesting because I’m not sure what they mean by challenges. I think the way that we look at thing for example if your thinking about disaster recovery, if you’re thinking about resilience, certainly there’s a lot of ransomware so, we mentioned ransomware right at the beginning and that is a big concern industry wide but there is ransomware protection worked into those platforms that you wouldn’t necessarily have at home, OneDrive for example.

I think in order for data to be used securely then the protection needs to follow the data. So the fact is we are in a position today where we are working with other businesses, we’re working with other people, we need to share that data for us to become useful if you like. But if we can’t share that data because there’s always that thing about putting so many controls around something nobody can use it’s back to the usability point. Then again, your not being effective.

 

Catherine Chapman 42:51

Thanks very much Lesley, thank you for jumping in there. Does anyone else have anything else to add to that about file sharing in the cloud. Jan?

 

Jan Van De Weerdhof 43:01

Sometimes people don’t know what they fear and who to. And it is very complicated and suddenly you can’t ask your colleagues next to them, you sit on your own and suddenly you have pressed a button and you share something and it ends up in teams somewhere and you’ve shared to the wrong team and there’s 130 people watching you. That is scary moment for how do you do that and have they been trained enough to use those sharing platforms. It is again, training.

 

Catherine Chapman 43.33

No, I think that people in your position have to keep saying it until everyone is cyber security masters. We have to wrap up very shortly but I’m just going to ask Vas one more question because we’ve been talking, education has come up a lot. Vas, you said you don’t know if we are more secure than we were but how do we take this sort of rigour of being more secure remote working and transform it back into regular working conditions? Do you think we’ll be able to transfer what we’ve learned during this remote working COVID-19 back into the office?

 

Dr Vasileios Karagiannopoulos 44:11

I think you might be scaring some people Catherine here, because I think we are not going to go back into the full office reality that we were in before and I know half the people want to go back and half don’t. So, I think we are looking at a new reality here and this is really important to realise. I seriously doubt the majority of organisations will go back to the standard of what we had as normal working hours and normal working style before covid. We have seen benefits in terms of productivity for example as Lesley mentioned and other benefits in terms of costs for organisations, so I don’t think we are going back.

I think we are going to go into a more blended environment, and this will probably create a new set of complications as we get use to that sort of blended reality that is transitioning from the full home working. We do have a lot of learning to do and a lot of revision in terms of policies and practices and I think every organisation will need to find its own balance. We have learned a lot from how things were happening before COVID and what was working and what was not and how things have been happening during covid what is working and what is not, so now its a matter of blending this together in the new post covid environment and finding the best way forward.

 

Catherine Chapman 45:48

Well, I think that is a positive note to end on. I wish we had moe time to keep this discussion going but unfortunately, we have to move on. So thank you to Lesley, Vas, Jan and Vinay for joining us and bringing their amazing insights on this panel Mitigating Cyber Risks in the post-Covid 19 environment. I hope you all enjoyed the session and learned something and thank you very much. Let’s throw back to Steve.

 

Steve Wright 46:27

Thank you, Catherine. Absolutely fascinating and I was jotting down some of the comments that the panel have made then. I couldn’t agree more with the new norm, I think this is definitely going to be the new norm going back to the office. Certainly, for a lot of us it just seems inconceivable so a really good debate.

And that reminds me, there is actually an ebook available on the PrivSec Library which highlights ”13 recommendations to improve your cyber security for remote working” and you can download this ebook of course by visiting the PrivSec Library.

 Now next up, in under ten minutes in fact, I hope you’ll join us, we have a panel discussion led by Richard Merrygold, on “Data Ethics - Is Health Data Under-regulated?” so join us in a few minutes, stay tuned for “Data Ethics - Is Health Data Under-regulated?”

Look forward to seeing you shortly.

 END