After the largest transformational event in decades, one which tore up the corporate rulebook and pushed organisations beyond the firewall into home working and the Cloud, we are emerging into a new way of working having implemented ten years' worth of corporate change in a couple of months.
Just how useful was your compliance during COVID?
When I presented on a webinar recently, I asked a simple question: how useful was your compliance in guiding your reaction to the pandemic? Over 65% of participants said that their compliance wasn't consulted at all in the move to home working. This raises a question: is compliance actually delivering value to UK plc?
Compliance is getting more complex
Since 2018, we have had a raft of obligations in the Cyber Security and Data Protection space within the UK. We now have to comply with the (now UK) GDPR/DPA 2018 and others such as the Network and Information Systems Regulations and the NHS Data Security and Protection Toolkit (DSPT). Despite much of the supporting guidance coming from the National Cyber Security Centre (NCSC), none of these regimes is modular, few are interoperable and some are subtly contradictory.
Successive Cyber Security Breaches Surveys from the Department for Digital, Culture, Media and Sport (DCMS) show that less than 5% of organisations consult the guidance from the NCSC or the Information Commissioner's Office (ICO).
Is the board perception matching the operational reality?
Now, it may well be felt that the guidance from the NCSC or ICO is too basic for today's organisation and that a more robust compliance and certification regime is needed. Against that argument I would draw on the most recent DCMS breaches survey:
- 80% of organisations stated that Cyber Security was a board priority
- 38% had Cyber Security policies
- 37% had assessed their Cyber Security risks
- 25% had remote working policies
- 15% had reviewed their supply chain
Even before pointing out that, prior to the pandemic, the 'reassuringly robust' compliance regimes addressed less than 12% of the NCSC 10 Steps to Cyber Security, it is clear that the board's confidence is misplaced and is creating a false sense of security: 80% call it a priority, yet fewer than 40% have a policy or a risk assessment behind that statement.
Time to go back to basics
"Because COVID" has been an acceptable excuse during the past year for keeping businesses from going bust. Now businesses are waking up to the need to return to work and pay their debts, it is time to regroup and start creating governance approaches that actually deliver value and are integrated into the corporate fabric.
I covered how to do this last March at the start of the first lockdown, and it is still just as valid today. Learning how to engage with the board is an area where Cyber Security professionals need to improve. If a curated compliance approach, with a raft of certifications behind it, wasn't used as the aide-memoire during the reaction to the pandemic, then it has failed.
So what should be done now?
Hindsight is a wonderful thing. You may now be thinking that hindsight is always 2020 (no pun intended), but what do you do now if you haven't done anything yet?
I would recommend:
- Identify why you weren't able to use your ISMS or BCMS to guide you, and capture the actions needed to address the gaps.
- Identify all company data being uploaded to, and processed by, Cloud services.
- Consider what physical security and internet connectivity is available in the remote working environment and whether any further action is required to manage the risks (for example, how much you rely on central systems in the office locations that are not available at the remote working location).
- Consider whether changes are required to security policies.
- Consider what control you have over the data on personal devices and how much control you wish to have over the device itself (and what impact that might have on staff if you wipe the entire device).
- Ensure that you can extract the company data held within the Cloud services and can obtain evidence that it has been deleted.
- Ensure that the company data held within the Cloud service isn't used for anything other than your own purposes.
- Assess the endpoints and remote working solutions (e.g. Cloud, VPN) against the ICO's GDPR 12 steps guidance for data protection.
- Assess the endpoints and remote working solutions (e.g. Cloud, VPN) against the NCSC 10 Steps guidance for cyber security.
- The two assessments above give you 22 areas (12 + 10) to assess against, from which you should be able to identify your gaps as they stand in your use of remote working today and create a plan of action to address them.
- Ensure that all endpoints you use for processing company data are still supported with security updates (i.e. for iOS devices, nothing older than an iPhone 6s or iPad Air 2 and with iOS 14 installed; no Android device earlier than Android 8.0 Oreo; and no Windows device running anything earlier than Windows 8.1, since Windows 8.0 left support in January 2016).
- Ensure that any endpoint not running iOS has anti-malware installed which updates daily.
- Ensure that all endpoints have the latest updates applied.
- Ensure that you follow NCSC password guidance.
- Ensure that two-factor authentication (sometimes called multi-factor authentication) is enforced on every Cloud service you are using.
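The endpoint bullets above are easy to agree with and hard to evidence. The script below is an added example (not part of the original post) of turning them into a repeatable check over a device inventory: it parses OS version strings, compares them against the minimum versions the post names (iOS 14, Android 8.0, and Windows 8.1, which reports kernel version 6.3), and flags non-iOS devices whose anti-malware is missing or has not updated within a day. The inventory records are constructed sample data, and the `Endpoint` record and field names are assumptions for illustration; a real run would populate them from your MDM or asset register.

```python
"""Flag endpoints that fall below the minimum supported OS version or lack daily-updating anti-malware.

Added example for the post above. Thresholds follow the post (iOS 14, Android 8.0, Windows 8.1);
the sample inventory is constructed data, not real devices.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# platform -> minimum OS version still receiving security updates, as a version tuple.
# Windows kernel versions: 7 = 6.1, 8.0 = 6.2, 8.1 = 6.3, 10 and 11 = 10.0.
MINIMUM_OS: dict[str, tuple[int, ...]] = {
    "ios": (14, 0),
    "android": (8, 0),
    "windows": (6, 3),
}


@dataclass
class Endpoint:
    """Assumed inventory record; field names are illustrative."""
    name: str
    platform: str                              # "ios", "android" or "windows"
    os_version: str                            # e.g. "14.4", "7.1.2", "10.0.19042 (20H2)"
    antimalware_updated_days_ago: Optional[int]  # None = no anti-malware installed


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.0.19042 (20H2)' into (10, 0, 19042); anything after the leading dotted digits is ignored."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def version_at_least(version: tuple[int, ...], minimum: tuple[int, ...]) -> bool:
    """Compare tuples padded to equal length, so (14,) counts as >= (14, 0) (plain tuple comparison would not)."""
    width = max(len(version), len(minimum))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(version) >= pad(minimum)


def assess(endpoint: Endpoint) -> list[str]:
    """Return a list of findings for one endpoint; an empty list means it passes the checks."""
    findings: list[str] = []
    platform = endpoint.platform.lower()
    if platform not in MINIMUM_OS:
        return [f"unknown platform {endpoint.platform!r}: assess manually"]
    try:
        version = parse_version(endpoint.os_version)
    except ValueError as exc:
        return [str(exc)]
    minimum = MINIMUM_OS[platform]
    if not version_at_least(version, minimum):
        findings.append(
            f"{platform} {endpoint.os_version} is below the minimum supported "
            f"{'.'.join(map(str, minimum))}; replace or upgrade"
        )
    # The post exempts iOS from the anti-malware requirement; everything else must update daily.
    if platform != "ios":
        days = endpoint.antimalware_updated_days_ago
        if days is None:
            findings.append("no anti-malware installed")
        elif days > 1:
            findings.append(f"anti-malware definitions last updated {days} days ago; expected daily")
    return findings


def report(inventory: list[Endpoint]) -> dict[str, list[str]]:
    """Map endpoint name -> findings for a whole inventory."""
    return {e.name: assess(e) for e in inventory}


# Constructed sample inventory covering a passing device per platform and the failure modes above.
SAMPLE_INVENTORY = [
    Endpoint("iphone-6s", "ios", "14.4", None),                # oldest iPhone the post accepts, on iOS 14
    Endpoint("iphone-6", "ios", "12.5.4", None),               # cannot run iOS 14: below minimum
    Endpoint("android-tablet", "android", "7.1.2", None),      # below Android 8.0 and no anti-malware
    Endpoint("laptop-01", "windows", "10.0.19042 (20H2)", 0),  # Windows 10, anti-malware updated today
    Endpoint("laptop-02", "windows", "6.1.7601", 5),           # Windows 7 with stale definitions
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "FAIL"
        print(f"{status:4} {name}")
        for finding in findings:
            print(f"       - {finding}")
```

The padded comparison in `version_at_least` matters in practice: MDM exports often report a bare major version ("14") for some devices and a full build string for others, and naive tuple comparison would wrongly fail the former against a `(14, 0)` floor.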
What should I consider for the medium term?
Depending on whether you intend your move to the Cloud to be permanent, the following guidance areas are very useful:
- The GDS modern network guidance is very good for thinking through the risks arising from the use of Cloud services, even though some of it is specific to the public sector.
- The NCSC has excellent guidance on Cloud service security and on end user device configuration.
- The NCSC and ICO have jointly published GDPR security outcomes which describe what security of processing under the GDPR looks like; treat these as the next step after complying with the ICO's GDPR 12 steps guidance.
Summary
Even though organisations had to act fast, the pandemic should be treated as an opportunity to move from mere reactive compliance to proactive governance, and to change working behaviours safely for the 21st century.