June 29, 2020
As organizations begin to transition from employees working from home back to the office environment, preparation will be paramount as they reoccupy their facilities. According to BSI’s Cybersecurity Information and Resilience team, maintaining a company’s information resilience must be a key component of these plans to ensure that cybersecurity risks are managed, and data privacy regulations are not violated.
Stephen O’Boyle, Global Practice Director for Cyber, Risk and Advisory at BSI explains: “The last few months have tested many organizations of all shapes and sizes across the globe. Many needed to adapt quickly to ensure the safety and wellbeing of their employees and clients, with remote working being activated, and IT systems tested and reconfigured to remain effective.”
BSI has developed a self-assessment questionnaire for organizations which focuses on cybersecurity considerations for reopening the office. Once completed, the survey recipient will receive a report from BSI outlining their readiness to reopen based on cybersecurity and data governance implications.
Some of the actions organizations and businesses should consider include planning one-way systems, implementing staggered start and finish times, reviewing the effectiveness of safety controls and measures, and taking immediate action to improve those that are not effective. From a cybersecurity perspective this includes reassessing network systems and reviewing shadow IT activity and bring your own device (BYOD) usage. From a data protection standpoint, this may include workstation changes, employee health data, data protection impact assessments (DPIAs), and transparency.
To further support companies across all industry sectors as they plan their reopening and develop a sustainable methodology for working in their ‘next normal’, BSI has outlined the following 10 cybersecurity and data protection essentials for consideration:
- Physical security - make sure that physical security controls, employee identification and physical media are all up to date and fully operable
- Access control - ensure that credential controls such as multi-factor authentication (MFA) and password expiration and reset are all up to date
- Data protection and privacy - seek the advice of your Data Protection Officer or Privacy Officer on the impact of changes made to existing processes, or of new processes, where data is recorded and collated. Conduct Privacy Impact Assessments (PIAs) where relevant
- Asset management - re-evaluate bring your own device (BYOD) policies and ensure that all non-inventoried assets are correctly logged
- Network security - remote access is still important during a phased return to work, so keep network services such as Virtual Private Networks (VPNs) available and secure
- Vulnerability management - patching is a challenge even for an information-resilient organization. In returning to the office, organizations must evaluate their patch posture and, where it is found wanting, prioritize patching
- Operations security - organizations should re-evaluate any configurations they made during the work from home period to ensure that they are still the most effective
- Business continuity - it is now time to learn from recent activities – the remote working paradigm – and apply the acquired knowledge to improve the readiness of the business continuity plan
- Incident management - incident response represents the last line of defence should an attack materialize. Make sure your organization is set up to prepare for and respond to a data breach
- Security governance - risk registers should be reassessed given the newly restructured threat landscape and control plane
“While the pandemic, and the resulting changes to how organizations and their people continued to work, has provided many challenges, including the increase in cyber threats and risks, and data privacy concerns, it also provided organizations with the opportunity to customize, review, update, and improve their response planning, and enhance their business continuity plans to prepare for the phased reopening”, according to O’Boyle.
“The focus now is on opening safely and a top priority is an organization’s cybersecurity and data governance needs”, O’Boyle continued. “Those responsible for it need to be part of the planning process. Not only will this ensure that the correct protocols are adhered to and implemented, it will enable a business to operate in a more secure, safe, sustainable, trusted, and resilient manner, protecting its people, information, and reputation.”
The Consulting Services team at BSI provides a range of solutions to help organizations address challenges in cybersecurity, information management and privacy, security awareness, and compliance. For more information visit bsigroup.com/cyber-us.