The New Normal

Surveys by HR consulting companies now suggest that 60 to 70% of companies of all sizes are planning to adopt a hybrid model.  In the IT industry, particularly amongst IT consultancies, this model has been in use for many years and is well regarded, allowing the downsizing of office space and a lower cost base.

As organisations of all sizes begin the decision-making process that leads them to seriously consider recalibrating their operating model for the new normal, there is a real need to re-evaluate their cyber security stance, covering policies, processes, staff training and technical defences.

When COVID hit, many SMEs had to move very quickly in order to keep going, adopting remote working without the time or luxury of any real planning.  It was a knee-jerk reaction born of necessity and certainly not the way they would have liked to do it.  There are multiple cases of companies not having the necessary equipment (desktops, laptops and so on) and allowing staff to work from home on their own home machines, connecting to both office and cloud-based systems, without any check on how those machines were configured, whether they were kept up to date with the latest patches, or whether they were shared with other family members.  In some cases this situation is still happening today.

Cyber criminals have used this shift in working patterns to their advantage and their attacks have increased hugely across the globe.  Working from home has enlarged the footprint of IT operations whilst weakening its defences, giving cyber criminals more scope to develop new attack methods and new scams, and to grow their revenue exponentially.

Cyber-attacks and data breaches tend only to hit the headlines when a large company is involved.  However, SMEs are hit every day, albeit for somewhat smaller sums of money, and there is an argument that these attacks often go unreported to protect reputations, and even go undiscovered for long periods of time.  Data breaches do get reported because of the requirement to report them to the Information Commissioner's Office, but even then the actions taken by the ICO often fly under the radar.  For instance, this year alone there have been over 40 fines by the ICO, many to companies categorised as SMEs.  A finance company was fined £48k and a solicitor was fined £98k.  You can research all of this on Google if you want confirmation.

The major cyber security companies are forecasting that ransomware is becoming more prevalent and growing in sophistication.  SMEs are subject to such attacks because they take little effort on the part of the attacker, and SMEs often pay up because they have no defence against it and no business continuity plan in place to keep them going in the face of such an attack.  Phishing will continue to be a big problem for SMEs, as will social engineering attacks, email spoofing and other scams.  Home workers are a target because they are isolated: they can't just look up from their desk and ask for advice before taking some action, and will often simply respond to an authoritative-looking email or phone call.

So, what needs to be done if hybrid working patterns are to continue?  Well, first and foremost come your policies.  Do they reflect the new hybrid working model?  Have you laid down what is and what is not an acceptable use of company IT equipment when it is being transported to a home address?  Do you allow the use of home machines, and have you laid down how those machines must be configured before they can be used for company business?  That list is not exhaustive.

Secondly comes user training.  Cyber awareness training for staff, along with a broad understanding of data protection principles, becomes even more important when staff are working from home.  It is a clear no-brainer that many SMEs still don't recognise as necessary.

Finally, technical security must be reviewed and made suitable to support a remote working model.  If an SME hasn't yet moved to a cloud operating model, it should consider doing so without delay.