Five information security rules for the new world

The worldwide switch to remote working happened so quickly that you’d be forgiven if there were a few things you overlooked, sidelined or turned a blind eye to.

But now as businesses think about how to support remote working longer term, perhaps permanently, important things must be addressed.

Things like information security.

Because while there are positive benefits to remote working, it’s not without increased risk. There has been a dramatic surge in cyber incidents and data breaches since the world’s workforce went remote, with businesses in the financial services sector particularly vulnerable to threats. The reality is, attacks like phishing, ransomware and data leaks will continue to get more frequent and sophisticated.

But before you launch into full ‘lockdown’ mode by introducing tighter controls and stricter measures, a word of caution: make them too restrictive, and people will find workarounds, which only increase risk.

So what can you do? I've got some practical advice to help keep your business protected and productive. And just like our working days, it starts at home.

1. Keep home and work separate

The home or remote working environment simply isn’t as secure as a managed workplace, and we should all view our home and work environments differently. In most cases, people do their best to manage this separation and businesses are trying to support it. However, standard security practices, from updating computer software and configuring antivirus through to more specific aspects such as WiFi security, may be more relaxed, or non-existent, at home.

Where possible, people should continue to use their work-provided equipment. If that isn’t possible, they'll need support and guidance on how to set up and manage their computer and WiFi more securely, configure virus scanning and endpoint protection software, and keep installed software updated with the latest patches.

People are still the primary risk to data loss or an information security breach, so keep up the training and education particularly around fraud and social engineering, and reinforce the care required around unknown emails, fake emails or websites.

2. Use a password management tool

We’re all using more software and systems, and that means more passwords. If a study by Nordpass is anything to go by, we already have 70-80 passwords to remember, so it’s not surprising most get reused. Over 50% of people admit to using the same password for multiple accounts - including home and work - and that’s a significant security risk. If an attacker can steal credentials and gain access to one account, it opens a pathway to accessing every other account that uses the same password.

Tools like Dashlane and LastPass make password management easier. They “remember” your login credentials, can help you create strong passwords, and also provide a secure place to store them. Password management tools work across devices reducing the need to “send” passwords or other sensitive data across the Internet. While not a perfect solution, used well, they can significantly reduce risks (and not having to remember passwords is a great thing!). I strongly recommend using one.

3. Choose Multi-Factor Authentication every time

The use of Multi-Factor Authentication (MFA), where users have to present multiple forms of verification to gain access to a system, is increasing.

Users often don’t enable these options because of the perceived inconvenience. Still, that inconvenience is insignificant compared with what happens in a data loss or ransomware event.

If you’re still using Two-Factor Authentication (2FA), you should look to implement or enhance your systems to take advantage of MFA. Following MFA best practice for accessing systems is one of the simplest things you can do to improve data security.

4. Think cloud-first and cloud-native

Choosing technology involves trade-offs, but security and data protection should never be one of them. As businesses move forward with their strategic investments and look to support remote working longer-term, consideration must be given to how new technology is selected and implemented. The approach should, by default, consider cloud-first and cloud-native strategies over “installed” software.

Cloud-native and cloud-first providers will have developed their software to operate over the Internet so security is a primary consideration. Security wasn’t such a primary concern for installed (typically more dated or legacy) software because it wasn’t designed to be accessible from “the outside”. However, remote work now means access from “the outside” is occurring, even though the software may be installed in the office, opening the door to potential intruders. Good security practices can help mitigate the risk, but it exists.

5. Trust no-one

At the moment, VPNs (Virtual Private Networks) are central to many businesses that need to provide remote access to systems and provide a level of protection and segregation when connecting from home. But Zero Trust (ZT), which has progressed over the past few years, takes things a step further.

I predict Zero Trust Architectures and Networks will pick up pace and eventually remove VPN altogether.

Andrew Todd
Chief Technology Officer

Whereas a VPN trusts internal users by default, Zero Trust trusts no-one, whether inside or outside the business. Far from being another barrier to getting your job done, Zero Trust delivers tighter security with a better experience. It only gives users as much access as they need and uses automation and AI to verify the person requesting access without too much hassle.

Things are heading this way, and moving quickly, especially given the switch to remote working. I predict Zero Trust Architectures and Networks will pick up pace and eventually remove VPN altogether, working hand-in-hand with the continued increase in the use of cloud services.
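The difference between "trusted because you are on the VPN" and "verified on every request" is easiest to see side by side. The following is an added example, not code from the article or from any Zero Trust product: a hypothetical per-resource policy table and two decision functions, one modelling the perimeter/VPN assumption and one modelling a Zero Trust check that ignores network location and instead requires an entitled role, a completed MFA step and a managed device. The users, roles and resource names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: Set[str]
    resource: str
    network: str           # "office-lan", "vpn" or "internet"
    mfa_verified: bool     # did this session complete MFA?
    device_managed: bool   # is the endpoint enrolled and patched?


# Hypothetical policy: who may reach each resource and what proof is required.
POLICY: Dict[str, dict] = {
    "payroll":       {"roles": {"finance"},          "require_mfa": True,  "require_managed_device": True},
    "crm":           {"roles": {"sales", "finance"}, "require_mfa": True,  "require_managed_device": False},
    "intranet-wiki": {"roles": {"staff"},            "require_mfa": False, "require_managed_device": False},
}


def vpn_style_decision(req: AccessRequest) -> bool:
    """Perimeter model: being 'inside' (office LAN or VPN) is the whole test."""
    return req.network in {"office-lan", "vpn"}


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Per-request evaluation: network location carries no weight at all.

    Returns (allowed, reasons); every failed check is reported so the
    denial can be logged and explained to the user.
    """
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, ["unknown resource: default deny"]
    reasons: List[str] = []
    if not (req.roles & rule["roles"]):
        reasons.append(f"no role entitled to {req.resource}")   # least privilege
    if rule["require_mfa"] and not req.mfa_verified:
        reasons.append("MFA not completed for this session")
    if rule["require_managed_device"] and not req.device_managed:
        reasons.append("endpoint is not a managed device")
    return (not reasons), reasons


# Constructed sample traffic: a stolen account arriving over the VPN, and a
# legitimate finance user working from home over the open Internet.
STOLEN_ACCOUNT_ON_VPN = AccessRequest(
    user="alice", roles={"staff", "finance"}, resource="payroll",
    network="vpn", mfa_verified=False, device_managed=False)
FINANCE_FROM_HOME = AccessRequest(
    user="alice", roles={"staff", "finance"}, resource="payroll",
    network="internet", mfa_verified=True, device_managed=True)
SALES_WANTS_PAYROLL = AccessRequest(
    user="bob", roles={"staff", "sales"}, resource="payroll",
    network="office-lan", mfa_verified=True, device_managed=True)


def compare(req: AccessRequest) -> Dict[str, object]:
    """Show both models' verdicts for one request."""
    zt_allowed, zt_reasons = zero_trust_decision(req)
    return {"vpn": vpn_style_decision(req), "zero_trust": zt_allowed, "reasons": zt_reasons}


if __name__ == "__main__":
    for name, req in [("stolen account on VPN", STOLEN_ACCOUNT_ON_VPN),
                      ("finance user from home", FINANCE_FROM_HOME),
                      ("sales user asks for payroll", SALES_WANTS_PAYROLL)]:
        print(f"{name}: {compare(req)}")
```

Note what the Zero Trust function never looks at: `req.network`. That is the whole shift the section describes, and it is also why the model works the same whether the software sits in the office or in the cloud.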

Small steps go a long way

With remote working comes increased risk, so if you’re still doing things the same way as you always have, it’s time for your information security to level up. Don't worry, levelling up does not need to be a burden and small steps can go a long way.

Information security for the mobile and remote workforce is a balancing act. It’s about giving people the access they need to work flexibly and securely, without compromising productivity.

And it’s about trust. Because, ultimately, people are still your best defence against the increased risk that remote working brings. Help them to work more safely by considering some of the points outlined above and if you’ve got a question about any aspect of remote working, talk to us.