VENDREDI 25 DÉCEMBRE 2020 BIZWEEK ÉDITION 322 SANJEEV JHURRY, Head of Information Security Bank One 100.00% 75.00% 50.00% 25.00% 0.00% Afnca Asic Austre lia Su rave North South America America Work from home, the new reality As many countries are dealing with the re-opening and, in some cases, re-closing of their borders in the wake of the Covid-19 pandemic, the concept of remote-work or Work from Home (WFH) is garnering more interest from organizations. Faced with the new reality, both employees and entrepreneurs are resorting to WFH or telecommuting to push their way through 2020 and beyond. According to a Global Workplace Analytics survey carried out among 3,000 employees working remotely during the pandemic, it was noted that 73% are very successful when working from home, 86% say they feel « fully productive » working from their home office and 76% want to continue working from home at least 2.5 days per week, on average. A separate study conducted by www.owllabs.com showed that employees prefer remote working as they spend less time commuting to and from work, and the work-life balance has made them more productive and focussed as shown in the graph below : Other Don't work s remote fle Save money No commute Family/Work-Life Balance Less stressful Increased productivity/botter locus New reality means new challenges for Cybersecurity Adopting WFH encapsulates some challenges as it exposes companies to greater risk when it comes to cybersecurity – they are more susceptible to phishing and malware attacks, thus exposing their business to multiple cyber threats. The following are the different cybersecurity threats/challenges that companies are currently facing : The surface of attack has greatly increased with more users connecting to the network from outside the company – the network is no more closed. Also, there has been increased cybercriminal activity, as evidenced by a 131% growth in virus attacks and about 600 new phishing attempts every day when the pandemic started [source  : https://threatpost.com/]. Cyber Attacks are also evolving in size and sophistication  : In the beginning, POST SCRIPTUM THOUGHT LEADERSHIP PIECE the number of phishing attacks were directly related to COVID-19 (including ones purporting to be from the Centres for Disease Control & Prevention). Later, these attacks centred on stimulus packages and unemployment insurance, before evolving into subjects like vaccines and the stock market. They are not only usingemail for these attempts but also online ads, mobile apps and other tactics. Most companies have stringent security testing to make sure that their corporate network is secure and the required security expertise, systems and tools to check for and protect from suspicious network traffic. Conversely, many home networks are setup by the end-users themselves, using the router supplied by their Internet Service Provider without any advanced security system. This means that the home network is typically not securely configured as it does not encompass the safeguards available on the corporate networks. So, how can we mitigate those risks ? Proposed Solutions It is of utmost importance for companies adopting WFH to implement solutions based on people, process and technology in order to protect them from the increasing cyber risks and threats. Process From a governance perspective, companies should create a remote working policy. This willassist them in guiding staff through the challenges of working remotely, reducing the risks and ensuring the impact on productivity in minimised. With the shift to an expanded Work from Home environment, the risk surface has radically increased for most companies. These changing circumstances justify a reassessment of the cyber security risks in order to prepare the IT and response teams for reprioritizing their efforts to keep company data safe. A comprehensive risk assessment exercise should, therefore, be conducted to re-evaluate the company risk profile based on its work force moving to a WFH environment. Devices issued by the company are generally setup to be very secure and when staff work remotely using company computers, the risk is lower than using their own devices, as long as all security settings remain in place and software continues to beupdated regularly. Work devices incorporate strict security settings, good antivirus and safe software that is approved and pre-installed. Finally, it is critical for the company toupdate and test its incident response procedure [and playbooks]. Companies need to specify know how to react if an employee working from home has a laptop that is infected with a malware such as ransomware – what should the employee do ? Should he/she shutdown the laptop ? Or wait for someone from the IT department to collect and examine the device. All these are possible scenarios and responses must be defined beforehand and detailed procedural steps have to be clearly spelled out in the manuals to mitigate the consequences of attacks. People Ongoing security awareness training must be conducted to keep employeesupdated about the security risks they are exposed to and help them understand how these risks can impact business continuity and ultimately the company brand image. Below are a few topic suggestions for the security awareness sessions : Using a private home network as opposed to a guest network ; New types of Social Engineering like phishing and vishing ; Best practices foremail and web behaviour ; and Home network device security. Lastly, testing the effectiveness of awarenessis very important, and the undermentioned processes tend to buttress same. Underneath are a few suggestions for reinforcing security awareness : Performphishing simulations ; Monitor the number of reported anomalies from users ; and Test awareness of guidelines for safe web browsing. Technology In terms of technology solutions, different controls can be implemented based on the following scenarios  : 1. Employees using their own devices to access the business environment. 2. Employees using corporate devices to access the business environment. 3. Employee using their own or corporate devices to access the company Cloud environment. For scenario 1 (i.e. employees using their own devices to access the business environment), the suggested solution is to implement a Virtual Desktop Environment. The latter willaccommodate for an increasing number of remote workers. The user gets a desktop designed as per his/her individual profile with access to only required applications. Also, this system should have Multi-Factor Authentication (MFA) enabled. This implementation represents numerous advantages such as : User Accesses are tightly controlled ; Propagation of malware is more difficult ; and It is easier to contain incidents. For scenario 2 (i.e. employees using corporate devices to access the business environment), the suggested controls are as follows : Access must be given only through Virtual Private Network [VPN] with MFA enabled ; Install Mobile Device Management Cont’d on page 6 5