SECURITY IN THE VIRTUAL WORKSPACE: Managing Cyber Risk in the New Normal

Resilience in the current scenario is a vital necessity as businesses need to act on broader resilience plans as the shock begins to upturn established industry structures, resetting competitive positions

SECURITY IN THE VIRTUAL WORKSPACE: Managing Cyber Risk in the New Normal - CIO&Leader

While organizations are moving towards a virtual workplace to maintain service continuity, there is a need to ensure an adequate security posture is maintained and compliance is monitored

Risk management is undergoing an evolution as we respond, reimagine and reform the operating model. At the forefront of enabling the new ways of operating lie employee safety and the ability to provide secure technology solutions to keep up with the new norms of working.

Working from home has changed the threat landscape for cyberattacks. Social engineering and vectors like phishing are rapidly on the rise. Malware delivery has accelerated as internet access has become less restrictive with the increase in use of BYOD (bring your own device).

In the past, business continuity would typically be thought through at a building, facility, state or country level. With the new working situation, continuity plans may morph to have working from home as the normal business operating state.

Dynamics of business relationships and partnerships would need to be re-thought along with third parties and vendors to maintain a resilient supply chain.

As the workforce refocuses from dealing with the here-and-now pandemic situation towards adapting to new norms and ways of working, communicating creatively and often, with focus and guidance on what to do, would be helpful. Increasing awareness of social engineering is going to be a key topic, alongside reiterating incident reporting and response protocols.

Organizations should rapidly review infrastructure and policies to support the new norms. Some of these aspects will play a critical role in creating a resilient workforce and ensuring availability of systems, which are needed to stay productive and help workforce embrace the new way we work.

Challenges arising in Virtual Workspace

The impact of the COVID-19 virus is being felt by all businesses around the world. COVID-19 is affecting every element of business – from the robustness of supply to the availability of the labor force to the threat of rapidly waning customer demand.

However, there is no denying that it is also acting as a catalyst for change – economic, societal, personal, and corporate – on a scale not seen since World War II. And for all the uncertainty about what the future will look like, it is already clear that it will be digital. This pandemic has brought the work-from-home trend to a peak. Millions of people have been transformed into remote workers overnight. Done right, remote working can boost productivity and morale; done badly, it can breed inefficiency, damage work relationships, and demotivate employees.

As organizations find ways to tackle the immediate response to this pandemic through process re-alignment, controls frameworks, delivery structures and client expectations, there are some imminent risks that may not be easily apparent but require a risk management lens. “Predicting the unpredictable: dealing with risk and uncertainty” has always been a key mantra, and this holds true today with the emergence of COVID-19. There are many associated risks that are a result of COVID-19, for example cyber and fraud risks, reputation risks, supply chain risks, and health and safety, to name a few.

There are some key challenges:

  1. Dealing with cyber threats arising from work from home, including threats like phishing, malware and ransomware, and preparing the organization to handle cyber incidents while working remotely.
  2. Maintaining compliance with regulatory and governmental requirements, communicating changes and underlying decisions to stakeholders, financiers, regulators and staff.
  3. Ensuring that the capacity of collaboration tools and remote-working solutions copes with exceptional demand, and that delivery teams adapt to the new operating model and technologies.
  4. Ensuring that customer and employee personal data is safeguarded from leakage, theft and corruption even while working remotely, and that continuous compliance with data privacy regulations is maintained.
  5. Addressing the need of individuals to feel safe, connected, engaged and motivated in order to continue working effectively. Further, establishing robust communication mechanisms to increase collaboration and transparency and build upon employee trust.

Let’s look in a little more depth at the most important aspects of the virtual workspace through the lens of managing risk. They are:

  1. Cyber Risk
  2. Regulatory Resilience
  3. Privacy
  4. Technology and Collaborative Platforms
  5. Operational Efficiency
  6. Role and Context-based Service Enablement

1. Cyber Risk

While organizations are moving towards a virtual workplace to maintain service continuity, there is a need to ensure an adequate security posture is maintained and compliance is monitored. Security experts have found that large-scale remote working has led to a surge in phishing scams and other cyber threats for both individuals and organizations.

Key objectives are:

  • Empower employees to work securely from anywhere and on any device
  • Reduce risks of data breaches and ensure compliance with regulatory requirements
  • Enhance cyber resilience so that organizations can quickly respond to and address cyber security threats

Let’s look at the priorities.

Short-Term

  • Ensure security operations teams are able to work remotely
  • Impart awareness and knowledge on cyber risks such as phishing, malware and ransomware (provide coordinated cyber security advisories and announcements)
  • Ensure active monitoring of the user behavior in the virtual workplace for security threats

Mid-Term

  • Adopt zero-trust architecture in managing user identity and access
  • Ensure cyber risks from virtual workplace are addressed adequately in the recovery strategies and crisis management plan
  • Perform cyber risk assessments and revisit the cyber security strategy
  • Establish detailed guidelines on securely collaborating, interacting and sharing sensitive data across various channels
  • Enable security technologies around access, networks, end users and data security, such as DLP, SIEM, IDAM and PIM

Long-Term

  • Automate cybersecurity operations to handle increased threats in order to avoid overloading security analysts
  • Test and improve the robustness of the established cyber security posture, including response to cyber threats such as advanced persistent threats, phishing and ransomware

2. Regulatory Resilience

Regulatory resilience is the ability to continuously comply with applicable regulations even when working remotely. While establishing a virtual workplace, organizations should pay special attention to applicable regulatory requirements.

Key objectives are:

  • Ensure compliance with applicable sectoral and regional/country regulations even in the face of a disaster
  • Ensure the people, processes and technology that enable compliance with regulations are available seamlessly

Let’s look at the priorities.

Short-Term

  • Being diligent in keeping up with updates from regulatory bodies
  • Identifying applicable sectoral and regional/country regulations and establishing a process to comply with them
  • Establishing appropriate communication channels for disseminating regulatory announcements or government advisories

Mid-Term

  • Review current facility setup from a health and safety perspective and ensure that it meets applicable requirements from the regulators/government agencies
  • Review employment handbook, contracts and health insurance coverage to ensure compliance with regulatory requirements as well as contractual obligations towards employees

Long-Term

  • Revisit the audit plan by continuing to maintain and demonstrate regulatory compliance, thus reducing the potential for scrutiny from regulators, which may interfere with or slow down business activities
  • Review cross border contracts and transactions and the impact of regulatory changes in other countries
  • Analyze the process for complying with regulatory obligations during events that are beyond the organization’s control and considered force majeure

3. Privacy

Teleworking requires several technology solutions. These tools are used to share and store personal information, confidential information and information towards which organizations have contractual and/or legal obligations. To enable a virtual workplace, there is a need to consider how to collect, use and disclose personal information about employees/personnel in a privacy compliant manner.

Key objectives are:

  • Increase the focus on data protection and ensure compliance with relevant data protection regulations
  • Enabling and protecting access rights where personal information resides

Let’s look at the priorities.

Short-Term

  • Ensure that all communication channels offer adequate security for the protection of data being accessed and shared by moving to a cloud VDI environment
  • Consider just-in-time notices to allow employees/personnel to make an informed decision as to whether they want to provide the information requested
  • Implement privacy by design for all new or changed technology, processes and applications
  • Restrict download of confidential information on personal devices
  • Provide role-based access to employees to avoid misuse of personal information

Mid-Term

  • Storage limitation: all personal data collected for a lawful purpose should be securely disposed of or anonymized, and archived as per statutory/regulatory requirements
  • Collect and store personal and sensitive personal information in a structured digital format, which will increase reusability of the data
  • Implement data leakage prevention technology on all systems where personal information is accessed and stored

Long-Term

  • Permit transfer of sensitive personal information within the country or abroad only if the receiver ensures the same level of data protection
  • Adopt technologies to anonymize/pseudonymize personal and sensitive personal information
  • Automate activities such as personal information linking, breach notification, data discovery, consent management and vendor risk management

4. Technology and Collaborative Platforms

Technology and collaborative platforms form the core of a virtual workplace that enables employees to connect, collaborate and create more efficiently. Organizations have started acknowledging the need to invest in technology and infrastructure to support teleworking and virtual collaboration capabilities.

Key objectives are:

  • Provide technology platforms that are simple to adopt and easy to use for collaborating and connecting
  • Automate routine tasks of project management to help improve overall productivity
  • Provide access to the knowledge base of the organization so that employees can leverage existing information

Let’s look at the priorities.

Short-Term

  • Ensure that remote working capabilities are scaled up to handle a large number of devices
  • Ensure that new policies and procedures are established, and resources are trained adequately to utilize collaboration platforms for remote working
  • Review helpdesk capacity for responding to queries from users
  • Adopt a holistic solution for collaboration

Mid-Term

  • Leverage technologies such as cloud to enable flexible capacity planning
  • Make use of intelligent technologies like self-healing platforms, etc.
  • Define procedures and controls to ensure 24-hour platform availability for employees
  • Provide adequate mobility to employees by enabling access via mobile applications (productivity and integration suites) and BYOD devices

Long-Term

  • Automate helpdesk services utilizing process automation techniques
  • Provide automation capabilities in knowledge management leveraging RPA techniques
  • Review and reprioritize strategic technology investments and accelerate change programs that actively support resilience
  • Embed data-driven culture to adapt and provide insights into changing customer needs
  • Leverage augmented reality/virtual reality to help collaborate better

5. Operational Efficiency

The paradigm of virtual workplace is all about improving the user experience through creating seamless and well-tuned workflows and generating efficiency benefits unparalleled in comparison to traditional workplace models.

Key objectives are:

  • Addressing the need of individuals to feel connected, engaged and motivated in order to continue working effectively
  • Meeting the operational needs of business even when a facility is not available, delivering quality and meeting changing expectations of the customer
  • Easier workflows to enable faster turnaround time

Here are the priorities.

Short-Term

  • Standardize and centralize operations through digital solutions improving operational efficiency
  • Understand where demand has fallen or increased and adjust workload across the workforce accordingly
  • Implement agile models to adapt operations to the virtual workplace
  • Focus on low-hanging automation opportunities
  • Accelerate RPA for routine tasks

Mid-Term

  • Establish comprehensive metrics to measure and manage the efficiency of the digital workplace
  • Integrate user management, IT services management and operations so that they work seamlessly to improve efficiency in the digital workplace
  • Evaluate processes that can be automated to enable faster operations
  • Build chatbots or self-service solutions that improve the efficiency of operations

Long-Term

  • Reskill and/or upskill resources to enhance their versatility across different functional capabilities
  • Continuously improve the operations by leveraging data and analytics
  • Revisit the design of the employee remote experience to account for the new normal

6. Role and Context-based Service Enablement

In the work-from-home model, it becomes crucial that employees have access rights to only the information and information systems that they require to do their jobs. Further, other contextual parameters such as location and time of day should also be considered while providing access rights.

Key objectives are:

  • To safeguard the organization from fraud and data leakage by ensuring access is provided only on a need-to-know basis considering the business role of the employee and location
  • Effective governance management to monitor and restrict any malicious access

Let’s look at the priorities.

Short-Term

  • Standardize roles and associated responsibilities
  • Define rules for granting access rights in a virtual workplace, including establishing contextual parameters that should be considered, such as location, role, and time of the day

Mid-Term

  • Evaluate and redesign processes to enable role-based access
  • Update architecture to align with redesigned processes to ensure role-based access
  • Perform role-based access rights reconciliation and identify discrepancies

Long-Term

  • Automate role-based access and tagging of users to specific business functions
  • Make use of user behavioral analytics tools like UIBA to identify fraudulent behavior and accordingly reduce/remove privileges
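
The short-term and mid-term priorities above (contextual access rules and role-based access rights reconciliation) are sketched below as an added example that is not part of the original article. The role names, systems, country codes and working hours are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

# Constructed role catalogue (assumption): each role maps to the systems it
# needs, the countries it may connect from and its permitted working hours.
ROLE_POLICY = {
    "payroll_analyst": {"systems": {"hr_portal", "payroll_db"},
                        "countries": {"IN"}, "hours": (time(8), time(20))},
    "helpdesk_agent": {"systems": {"ticketing"},
                       "countries": {"IN", "PH"}, "hours": (time(0), time(23, 59))},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    system: str
    country: str      # e.g. derived from the remote-access gateway
    local_time: time  # time of day at the user's registered location

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Default deny: allow only if role, location and time of day all match."""
    policy = ROLE_POLICY.get(req.role)
    if policy is None:
        return False, "unknown role"
    if req.system not in policy["systems"]:
        return False, "system not required for role"
    if req.country not in policy["countries"]:
        return False, "location not permitted for role"
    start, end = policy["hours"]
    if not (start <= req.local_time <= end):
        return False, "outside permitted hours"
    return True, "ok"

def reconcile(user_roles: dict[str, str],
              granted: dict[str, set[str]]) -> dict[str, set[str]]:
    """Return, per user, entitlements held beyond what the assigned role needs."""
    excess = {}
    for user, systems in granted.items():
        policy = ROLE_POLICY.get(user_roles.get(user, ""))
        allowed = policy["systems"] if policy else set()
        extra = systems - allowed  # users with no known role keep nothing
        if extra:
            excess[user] = extra
    return excess
```

The output of `reconcile` is the discrepancy list to review; users with no assigned role are reported with all of their entitlements.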

Managing Risk in Virtual Workplace: Need for a Holistic Approach

Resilience in the current scenario is a vital necessity as businesses need to act on broader resilience plans as the shock begins to upturn established industry structures, resetting competitive positions. In order to effectively recover from the crisis and embrace the business opportunities that may arise from disruptions caused, organizations should focus on the following critical areas:

  • Realign Cyber Resilience: Realign cyber posture to enable an anytime, anywhere workforce. Enhance programs to identify, detect, protect against and respond to cyber threats in a zero-trust security model.
  • Resilience: Meet the operational needs of business even when facilities are not available, delivering quality and meeting changing expectations of the customer. Authorized personnel can access the right technology from anywhere, anytime with any device to remain productive.
  • Focus on Regulatory Compliance: Maintaining trust through global disruptions by building confidence in business to respond to changes in regulatory and contractual requirements.
  • Privacy by Design: Increase the focus on data protection and ensure compliance with relevant data protection regulations. Enable and protect access rights where personal information resides.
  • Digital Transformation: Provide technology platforms that are simple to adopt, easy to collaborate and connect. Drive efficiencies by enabling technologies like cloud, AI, machine learning and data analytics.
  • Culture and Employee Wellbeing: Recalibrate the culture to thrive in the new normal. Encourage a people-positive approach through collaboration and teamwork.

The author is CISO, HCL Technologies
