

The importance of information security in a post-pandemic hybrid working world


By Andy Bridges, Data Quality & Governance Manager at data and insight agency REaD Group.

According to a recent survey, 75 percent of employees want a hybrid working model, while another survey has found that one in four businesses intend to allow their staff to work from home at least some of the time once the UK gets back to some type of normality post-pandemic.

While this may be music to the ears of many employees, it certainly won’t be for their organisation’s IT and Information Security teams. For many organisations, this means a shift from 99% office capacity and essentially managing the security of one site to managing multiple sites: that of employees’ homes. And in turn this increases the security risk, as multiple entry points to any organisation’s infrastructure are the stuff of headaches for those in charge of protecting the business.

Under attack

The internet influences both our personal and business lives, so there will always be a risk or possibility that security is compromised, especially as more employees work from home and now use work laptops for personal use. Even though organisations allow this, there still must be a sensible level of restriction put in place, and employees need to understand the expectations and acceptable use of company equipment.

One of the biggest and growing threats is phishing emails: the volume of phishing increased 22% this year compared to the first half of 2020, while HMRC experienced a 73% rise in email phishing attacks from March to September 2020. And of course, this doesn’t include the many other forms of cyber threats such as ransomware, crypto mining, viruses, Trojans, spyware… the list goes on.

So how can you mitigate against this and ensure employees have been given the right tools and appropriate information to spot these threats and defend themselves?

Protection solutions

Multi-factor or two-factor authentication is a no-brainer, because it adds another level of protection in addition to user passwords, making it much harder for hackers to break into user accounts. In fact, the majority of company systems will now require some form of authentication, and even Google is getting in on the act to protect the personal information of 150 million users against hackers and fraud, showing the usefulness of this as a tool.

In addition, ensuring antivirus software is up-to-date and protecting every machine connecting to the organisation is good basic housekeeping. This ensures malware and other viruses can’t infect a user’s equipment.

Password or passphrase complexity is often overlooked, but it is a key factor in security. The average time to crack an eight-character password is five hours, so essentially eight characters will not protect any employee. To combat this, passwords of 12–18 characters and upwards move the time required to crack them into centuries.

Security frameworks such as ISO27001 – a well-respected information security standard – are good certifications that ensure an organisation’s information and data assets are secured by establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). And it is worth remembering that information security is a business objective, not an IT problem. In addition, a security standard relays trust and confidence not just to internal employees but also to an organisation’s clients that the organisation has a robust ISMS and the correct procedures in place to manage information security.

The role of the employee

But it’s not just technology that has a role to play. Staff training and awareness is also a critical tool in the line of defence.

Staff awareness: The human factor is always the weakest link, so it is vital employees have been trained and can spot the warning signs of a security attack. This can be done in many forms: a great start is to set up an awareness initiative or programme and to ensure this is presented at regular intervals, so it remains fresh in every employee’s mind. It is always a good idea not just to train employees on internal security practices but to also look at cyber awareness programmes. Many of these offer additional benefits which allow organisations to set up their own internal phishing test to determine how effective the training has been and, if required, where or which employees need additional training, help and support.

Remote working policy: This allows all staff to know and understand what the expectations are when remote working, by setting out purpose and scope, guidelines, technical support, security and confidentiality rules.

Incident management: This allows staff to raise what they believe might be a security incident. It doesn’t matter how minor or major it might be in the eyes of the employee: the security team needs to be made aware from the outset. This will also allow them to reduce the overall impact of incidents and mitigate against damages and access risks or security breaches with immediate effect. This in turn helps to tailor future training to the needs of employees and the organisation and ensures services continue to operate as planned.

While the new world of work will undoubtedly continue to encompass some form of in-office and remote working practices for the foreseeable future, ensuring that both technical solutions and personnel training are deployed to protect both organisation and employees should ensure that the business remains protected, wherever employees find themselves working.
