Cyber security – lock it down

Effective internal controls around information technology, cyber-risk and data management are about more than passwords and firewalls. There are a whole range of behavioural and technological activities that threaten data security and the controls need to be as effective at 1000 makeshift kitchen table workstations as they are under the organisation’s roof. A few of these are worth thinking about in detail to look at if/how they translate to the home environment.

When Police Scotland presented at a Scottish PMI Regional Group seminar on cybercrime, everyone in the room was struck by how successfully criminals could access an office environment to target organisations and identities. The office is always on the lookout for tailgaters, but a friendly contract cleaner with a camera phone could surreptitiously photograph documents on desks as he made his way through the room, gathering up member and banking details in his wake. 

Living under lockdown, most offices will now be both people and paper free, but that doesn’t mean the physical access risk goes away – it just shifts to those 1000 kitchens, 1000 recycling bins and whatever a motivated data miner is able to find there. If staff can print member data at home, they can also leak it. Maybe people have shredders, maybe they don’t, maybe people with shredders will routinely shred every document, maybe they won’t. Either way, the organisational control has been taken out of the equation.

Faced with so much potential risk in such uncertain times, the absolute best control is to lock the system down, with no at home printing, no memory sticks, disks or other removable media. Only those staff with a legitimate and pressing business need should be granted controlled access rights to plug-in devices such as home printers and then only in very limited circumstances. There’s a convenience cost, but it’s one worth paying.

A recent estimate quoted social engineering, ‘the act of manipulating or tricking people into certain actions including divulging personal or financial information’ as being behind 98% of cyber threats under Corona. Basically, these are boom times for cybercrime. IT may be manning the firewalls but the vigilant cyber-hygiene and collective good sense of the office quickly crumble in a crisis situation. People are at home, keeping calm and carrying on, but all the time hungry for news and comfort. Bugs, malware and ransomware are lurking in official looking Covid-19  updates and websites. Social media is rife with links appearing to offer distraction and reassurance. People are much more prone to taking online risks as their offline world shrinks. It’s a perfect data security storm.

Again, the best control is a system lockdown that breaks the link between the remote workstation and the wider world – social media and open browsing are incompatible with data security. An effective lockdown approach on systems leaves your IT security systems free to focus on your business and your clients rather than the non-stop assaults of the dark web.

This is what it all comes down to. Data, large and small, still needs to move between organisations, IDs need to be verified, payments authorised, and communications issued. In current circumstances, the months and years of planning that go into data interface policies are necessarily condensed into weeks, and policy is converting to practice in real time. 

At the practical level, where large-scale data is exchanged with employers, insurers, payroll, etc, secure exchange mechanisms are already in place across the pension and wider financial industries and these translate fairly seamlessly to the home working environment. That level of interface security is just the day job. The more challenging aspect is likely to be around exchanging data with individuals so that benefit administration keeps moving, and this is going to call for immediate online solutions.   

Most TPAs will already have member online options in place but take-up can be challenging, especially for DB schemes where data is more static and there’s often a trustee attachment to ‘how things have always been done’. Part-paternalistic and part-protective instincts towards members, the ‘little old lady factor’ and a worry that the all-important ‘personal touch’ will somehow be lost, have all traditionally played a role in the relatively slow adoption of online services.