Security alert as work from home becomes the norm in NZ

Analysts call on CIOs to review security arrangements to support remote working.


As New Zealand moves to the highest alert level for coronavirus, organisations are mandated to implement alternative arrangements with all staff who can work from home.

Industry analysts point out that organisations therefore need to consider the cybersecurity implications of the shift to this new work model. “Organisations face challenges to continuity of operations as employees are stranded in various locations with uncertain return dates,” note Gartner analysts Sandy Shen, Owen Chen, Arnold Gao, Deacon D.K Wan, Lily Mok, and Julian Sun.

In a recent report, the analysts call on CIOs to review security arrangements to support remote working.

Organisations need to establish remote working policies and extend remote working solutions to employees who usually work from the office, they state. “Post guidelines, implement monitoring, and advise employees to refrain from sending business-sensitive information over interim solutions. As users are likely to work from public network connections and use personal devices, CIOs should deploy endpoint security management onto user devices,” they further advise.

CIOs, they state, need to work with identity and access management (IAM) solutions to ensure secure access to applications and data.

Small enterprises face a big challenge from work-at-home

“Most SMEs [small enterprises] will not have experienced a disruption to their business of this magnitude, and while technology has enabled more flexibility to connect in a virtual environment, many businesses will not have the knowledge or capability to implement such a significant change quickly and safely,” says Ingrid Cronin-Knight, MYOB NZ country manager.


“Alongside the technical challenges of scaling up their work from home operations, are the risks — potentially very large — of securing these businesses against cyberattacks.” She says small and medium-sized enterprises, in particular, need to address cybersecurity as they implement this new working model.

She says the latest MYOB Business Monitor survey of 1,000 New Zealand small enterprises finds almost a third (29 per cent) of businesses have been the victim of a cybersecurity breach in the form of malware, online scam, hack, phishing, or ransomware attack.

There are several actions that small enterprises can take to protect themselves online, she states. These include updating all software with the latest security upgrades and patches, installing and updating firewalls on home services, and using technology to enable password protection, such as two-factor authentication.

In addition, it is important to educate other home users — such as children — on the risks of scams, malware, and phishing attacks that could infect devices. “Don’t store customer data without adequate security,” she adds. “Keep staff informed of all incident response procedures as they apply to remote working.”

The National Cyber Security Centre (NCSC) also provides a series of recommendations that can be used as a starting point in addressing cybersecurity risks that arise when staff work from remote locations:

  • Foremost is for organisations to be cognisant of the risks and mitigations associated with flexible worksite arrangements.
  • Be aware that bring your own device (BYOD) solutions utilised by staff may not have the same protections as corporate devices, the centre points out.
  • Businesses should liaise with the ICT department to provide staff working remotely with advice on the correct security settings for their devices.
  • Furthermore, it notes the use of unauthorised software for official purposes, also known as shadow IT, can increase when working remotely, raising security and privacy risks.

“Ensure staff are aware of the policy, privacy, and legal obligations that apply to your organisation’s information,” the centre states.

Resilience and multifactor authentication

Forrester analyst Sean Ryan points out the spike in home workers is raising questions around resilience of multi-factor authentication. “Stronger authentication and VPNs that used to be required for a subset of employees at any given time now become the point of entry for your entire workforce,” he states.

So, what happens if your multi-factor authentication (MFA) provider’s infrastructure goes down? He lists four areas to consider as organisations develop an MFA resilience plan:

  • Ensure that you have high availability in place for MFA and that it is turned on and configured properly;
  • Factor in differences in vendor support for cloud versus on-premises applications. The latter may require you to invest in additional infrastructure, depending on your MFA vendor;
  • Get service-level agreements in place, or other written assurances, from your MFA vendor for uptime, including for extreme cases such as a pandemic; and
  • Rolling out a backup MFA system from a separate vendor is expensive and difficult. “Therefore, identify your most critical apps and users — those that would have a significant impact on your business if down for days or even hours — and build MFA redundancy for those.”

Copyright © 2020 IDG Communications, Inc.

  