This is a tale that could be told regarding many organisations, especially since COVID hit.  Names have been changed and certain other details have been omitted or masked.

Hawk Engineering Ltd is a company that provides high quality environmental engineering services to its clients, and began operations on 16 July 2019, not long before COVID hit. It’s a limited company owned and operated by Norman Jones and Rupert Smith.  Mr. Jones and Mr. Smith both left their respective jobs to specialise in environmental engineering consulting to small and medium sized businesses.

The company was set up to target small to medium sized companies and government organisations within the UK.  They have managed to secure several contracts and have grown from the original 2 man team to 8 consultants/engineers and 3 support staff, housed in a serviced building where they rent 4 rooms, one for the admin staff, one for the consultants, another for the 2 partners and a small conference room.  The support staff cover finance, HR and general admin duties.  The building shares a reception area and a cleaning contract.  The cleaners operate out of hours, cleaning after everyone has left for the evening.  The consultants are provided with laptops, tablets and smart phones whilst the admin staff use desk top PCs, and all are connected to a large printer.

Rather than ramp up its permanent staff too quickly, they use relevant qualified consultants when necessary.  These consultants are given an email address and access to the data they need to work on projects.

The 2 partners are aware that they now hold a growing amount of personal and corporate data, not just about their own staff and systems but also about their clients.  They are aware of the Data Protection Act 2018 and GDPR but are not sure about how much this will affect them.  They have a local IT management company under contract and up to the start of COVID had an onsite server which stored their data and an email server providing mailboxes to the staff and contractors.  At the outbreak of COVID, this caused an issue.

In terms of policies, they have very little that references the DPA 2018 and/or GDPR.  Their website does not contain the necessary privacy statement or statements regarding the use of Cookies.  They don’t have an overarching security policy or a cyber security strategy in place.

But everything in the garden was rosy, the company was doing well, it was in profit and had a relatively full order book, at least for the foreseeable future.  And then along came COVID and everything changed.

At first it wasn’t a problem, we all remember how the UK ramped up relatively slowly, with lockdowns coming after those in other countries, but come along they did. The full implications of not being able to work in the office only started to become apparent after the office was out of bounds.  They couldn’t claim any sort of immunity because they were simply not in an industry that required such immunity, so the office closed.  The consultants used laptops and they could continue to work, but not securely.  They didn’t have a remote access system in place as consultants worked on client site and tended to use client networks through which they could connect.  Not optimum but cheap and cheerful and cash flow was everything to a small business.  The real hit was on the admin staff as they used desktop PCs which they had left behind when they went home.

So initially the admin staff were the priority to find a solution for and the first issue was to be able to find machines they could use at home, and then connect them to the office file and mail servers, the latter applied to consultants as well.

I’m sure most reading this will remember the issues as many of you will have faced the same problems.  So long story short, the problem was to establish as near to normal operations as possible and they ignored security as firstly, they didn’t grasp the implications, and secondly, they didn’t know what to do about it.  Their IT management company wasn’t a lot of help in the latter regard simply because they were firefighting issues for all or most of their clients and didn’t have the time or resource, and frankly, didn’t really have the skill set either.

In many respects recovering an operational capability in that instance, wasn’t much different in recovering from any natural disaster and much of the planning required for a disaster recovery and business continuity situation, would have applied, with perhaps the difference that the office would continue to be out of bounds.  So, plans could be adapted, assuming of course you had a plan in the first place, and they didn’t.

What they were able to do was to set up a contract with a cloud provider and as their IT support got some bandwidth, they migrated their data from the office based server to the cloud storage and at the same time migrated their email.  Getting staff to connect to the cloud was an issue and some found it easier than others as that had to be done remotely and some were more IT savvy than others.

It didn’t solve the desktop PC problem though and staff continued to use home PCs, the same PCs their kids were gaming on, to connect to the company data.  A recipe for disaster.  Of course, this was solved by purchasing and shipping laptops which the IT support set up before shipping.  But by then their data could easily have been compromised via the home PCs.  There is no way of knowing whether or not they were compromised and if this is a problem which could come back to bite them.

Work-from-home employees are at much greater risk than those in offices. Since home connections are less secure, cybercriminals have an easier entry into the company network.  Furthermore, the explosion of various online tools, solutions, and services for collaboration and productivity tend to have the bare minimum of security default setting, and updates from third-party vendors can change security preferences and be easily overlooked.

Phishing becomes an even greater threat to home workers, often because, in an office environment, they have access to colleagues and managers, who they can approach for advice and guidance.  This is much harder to replicate with remote workers, especially those who may not be particularly tech savvy and who may not wish to become ‘burdensome’ to their co-workers.

Ransomware also enjoys an advantage in the work-from-home model.  If their connection to the company is blocked, it is more difficult for workers to get assistance from the right experts and authorities.  And since trust levels are lower when working from home, some workers will be concerned that they have “done something wrong” and so may be more reluctant to seek help. While this risk can be addressed by increased training, as well as messaging that vigilance and involving IT support will be rewarded, it can still be an uphill battle.

The company has now evolved further, and expanded a little, and has adopted the hybrid method of working, saving money on floor space, fuel and light etc.  But this has come with problems of its own which we’ll look at next week.