“The focus is on opening safely and a top priority is an organisation’s cybersecurity and data governance needs” - BSI

BSI has offered businesses advice on cyber security as offices prepare to reopen. It warns that a company’s information resilience is a key element of these plans to ensure that cyber security risks are managed, and data privacy regulations are not violated.

Stephen O’Boyle, global practice director for Cyber, Risk and Advisory at BSI, explains: “The last few months have tested many organisations of all shapes and sizes across the globe. Many needed to adapt quickly to the restrictions to ensure the safety and wellbeing of their employees and clients, with remote working being activated, and IT systems tested and reconfigured to remain effective.”

“While there were many challenges, including the increase in cyber threats and risks, and data privacy concerns, it also provided organisations with the opportunity to customise, review, update and improve their response planning and enhance their business continuity plans to prepare for the phased reopening.” 

“The focus now is on opening safely and a top priority is an organisation’s cybersecurity and data governance needs. Those responsible for it need to be part of the planning process. Not only will this ensure that the correct protocols are adhered to and implemented, it will enable a business to operate in a more secure, safe, sustainable, trusted, and resilient manner, protecting its people, information and reputation.”

Organisations are currently reviewing guidelines such as planning one-way systems, implementing staggered start and finish times, reviewing the effectiveness of safety controls and measures, and taking immediate action to improve those that are not effective.

From a cybersecurity perspective, this includes reassessing system networks, reviewing Shadow IT activity, or bring your own device (BYOD) usage. For data protection, the focus will be on workstation changes, employee health data, data protection impact assessments (DPIAs) and transparency.

Focused on supporting companies across all industry sectors to plan their reopening and develop a sustainable methodology for working in their ‘next normal’, BSI has outlined the following 10 cybersecurity and data protection essentials for consideration:

  1. Physical security - make sure that physical security controls, employee identification and physical media are all up to date and fully operable
  2. Access control - ensure credentials like multi-factor authentication (MFA) and password expiration and reset are all up to date
  3. Data protection and privacy - seek the advice of your Data Protection Officer or Privacy Officer on the impact of changes made to existing processes or new processes where data is recorded and collated. Conduct Privacy Impact Assessments (PIAs) where relevant
  4. Asset management - re-evaluate bring your own device (BYOD) policies and ensure that all non-inventoried assets are correctly logged
  5. Network security - remote access is still important during a phased return to work, so keep network services such as Virtual Private Networks (VPNs) available and secure
  6. Vulnerability management - patching is a challenge even for an information resilient organization. In returning to the office, organizations must evaluate their patch posture and, where it is found wanting, prioritize patching
  7. Operations security - organizations should re-evaluate any configurations they made during the work from home period to ensure that they are still the most effective
  8. Business continuity - it is now time to learn from recent activities – the remote working paradigm – and apply the acquired knowledge to improve the readiness of the business continuity plan
  9. Incident management - incident response represents the last line of defence should an attack materialize. Make sure your organization is set up to prepare for and respond to a data breach
  10. Security governance - risk registers should be reassessed given the newly restructured threat landscape and control plane