Across the world, many countries are opening back up their borders and most of us enter into the ‘new normal’ way of life. However, some countries are once again activating their lockdown procedures as new cases of COVID-19 arise. Businesses can maintain their continuity despite the continued uncertainty by cultivating a remote workforce. But how do you kickstart this cultivation? What operational and security considerations should be taken into account? And how can a remote working culture be secured-by-design?
The importance of maintaining social distancing as part of countermeasures against the COVID-19 pandemic has been a consistent trend across the globe, critical in limiting the rate of infections. However, this has had adverse effects on businesses across many sectors, with Travel, Hospitality and Retail badly affected by the global restrictions over the past few months. As a result, businesses in today’s post-pandemic economy now face immense cash flow pressure from both low inflows (reduced sales and increased number of late payments) and high outflows (high overheads such as rent, payroll). Cash flow management has thus also become one of the most important topics in the world now amongst business leaders, with many understanding that business recovery is beyond just surviving, but adapting and learning from this crisis.
However, the gradual decrease in numbers has allowed partial reopening of public and office spaces, albeit operating under strict social distancing and sanitation requirements. In some countries, some businesses are able to return to normal but only to be closed again due to new waves of infections. This uncertainty has led to many emptied office spaces and becoming, in some cases, an expensive financial blackhole.
The simple, cost-saving solution is thus to go remote.
Across the world, not all services are reopened. But services that will result in the congregation of people, like restaurants and retail stores, are required to implement strict social distancing and sanitation countermeasures. In the Republic of Singapore, where Horangi and CardUp are headquartered by the way, businesses who have the capacity to ‘go remote’ are nonetheless encouraged to do so. If that’s the case, where do we ‘securely’ start?
The trick is to identify what is critical to your business continuity, acknowledge the risks associated, and implement proper solutions to continuously mitigate discovered and emerging risks.
Step 1: Identify
The first step is to IDENTIFY. As the old saying goes, ‘knowing is half the battle’. And in this case, it is all about being aware of the critical pillars that your company is built on. A simple way to look at this is through the People, Processes, and Technology approach.
To start, gather your executive and managerial teams and ask these questions in the table below - alongside their objectives and bonus security benefits.
|Process||What are the business processes that, if disrupted, can have a major impact on the company's ability to survive for the next two quarters?||Identifying these business processes can help start the process of determining critical business functions needed to continue operations. Depending on your business, these can have some variation but some core internal functions would include invoicing, Payroll, Customer Care, etc...||This also helps businesses identify which processes to protect from malicious hackers to prevent cyber attacks against their company systems and data.|
|People||Who are the people in our organisation that are crucial to the execution of our 'critical business processes'? What are the essential tools they require to deliver those processes and also, can their role be performed remotely?||Identifying who in your business performs critical business functions as a daily task can help you identify the important people to speak to for more operational details and requirements needed to continue operations regardless of location.||This also helps businesses understand the level of access employees have into company systems as part of their role within the organisation, and can help support Access Control requirements into sensitive systems under the Principles of Least Privilege. This also helps you identify the employees at higher risk of being targeted by hackers and other malicious phishing scams.|
|Technology||What are the tools and types of data needed to support our 'critical business processes'? And to stay in compliance with national/regional/international compliance requirements around data protection or privacy, what are we doing to ensure the data is properly secured?||Identifying how your important people perform the critical business functions in your company will include learning about what essential tools they need and what sensitive data they interact with on a daily basis. This helps you determine what operating equipment you'll need to procure and what security requirements you may need when moving towards a remote setting.||This also helps businesses determine what tools you need to conduct security assessments on and what data you need to protect regardless of the location of your workforce. This can help you reduce the risks of suffering a cyber attack involving the exploitation of technical vulnerabilities on your Information Technology Assets, and reduce the risk of non-compliance to data protection or privacy standards.|
What these questions do is identify your Critical Functions, Important People, Essential Tools and Sensitive Data needed to maintain business continuity in any circumstance. You can collect most of this information by simply talking to your staff. The finance department, for instance, typically receives more phishing emails than other departments. How will the shift to remote work affect the risk posture of such teams? There are also many processes that can be shifted completely online, improving not just the efficiency of how things are done, but also fully embracing this shift to remote working.
Alternatively, you can:
- Conduct Business Impact Analysis to determine the business critical processes. This is usually performed as part of a broader Business Continuity Preparedness and supplements the development of a Business Continuity Strategy and accompanying plans. For more information, take a look at ISO 22301 – Business Continuity for an internationally recognised standard on business continuity best practices.
- Performing Data Discovery Exercises either through employee interviews or conducting technical reviews can help you determine what types of data flow throughout your business. This is where an updated Network Diagram, Logical Data Flow Map and Workflow Diagrams come in very handy. If you haven’t updated or created one, start now. Alternatively, you can also use different Endpoint Scanners to help you gain a better understanding of your technological footprint and layout. What connections are flowing into and around your organization? Where do those connections go? Employing Endpoint Scanners, Traffic Monitoring and Security Incident and Event Management (SIEM) tools can help you map out your digital kingdom.
- To determine what Information Technology (IT) Assets your company owns, review your Inventory Lists. If you don’t have one, consider starting one. Not only is this a requirement under different security standards such as ISO 27001 and NIST 800-53, it’s also good practice to know what you’ve spent your revenue on.
And as with all the questions recommended, the added security bonus is that you’re now more aware of what data, technologies, processes and people to secure as part of your cybersecurity program!
Step 2: Acknowledge
The second step is to ACKNOWLEDGE. Knowing what you need is not enough, you need to also be truly aware of the security and operational risks associated. And by ‘truly aware’ we mean cataloguing the risks with proper metrics to help you manage it later on. Then, and only then, can you claim to acknowledge the risks to your Company and continue with implementing solutions to mitigate them.
A simple means of acknowledging these risks is to collate them into one place using a Risk Register. A risk register is a document used as a risk management tool and acts as a repository for all risks identified with additional information about each risk (ie. nature of the risk, reference and owner, mitigation measures). This may seem daunting, but it can be as simple as an Excel spreadsheet.
The value of creating and maintaining a risk register is to become more aware of the potential negative events that can occur. Within the context of cultivating a remote workforce, this tool will be very useful in helping you determine the reality of threats against your business and what actions can be taken to reduce their impact, be they security or cash flow-related. When looking to risk mitigation, there really are just two ways. You either reduce it or transfer it. We’ve created a simple table below to help you understand what these mean.
|Reduction||Measures to reduce the frequency or severity of losses, also known as loss control.||Properly educating your staff can significantly help reduce their risk of phishing attacks by making them more aware of the different threats that increases their risks to phishing attacks and other scams.||On the Procedural level, the implementation of different processes around Passwords Access Control, Information Management, Acceptable Use, and Incident Response can also help set the parameters to ensure your employees operate in accordance with security best practices||Approaches that companies can use on the technology front is to use anti malware solutions, cloud security tools, SIEMs, etc... All these measures can help reduce the technical risks associated with your IT Assets.|
|Transference||Measures that involve the contractual shifting of a pure risk from one party to another.||
You can consider engaging Business Process Outsourcing (BPO) providers that effectively helps you manage all the staffing and processes needed to execute the functions you need it to.
In some cases, like Hong Kong, IT Outsourcing is a very common practice, and effectively allows a company to transfer most of its risks associated with its People and Processes to external Third-Party Vendors. At this point, the only thing a company needs to look at are their Vendor Management Processes.
|Use Third Party platforms and combined solutions. There are multiple Platform-as-a-Service, and Software-as-a-Service solutions out there that, with some proper configuration, transfers the risks associated with the use of those solutions.|
Step 3: Implement
The third step is to IMPLEMENT. Now that you know what you need and the risks against them, you now need to put this information into action and start the cultivation of your remote workforce.
At this point we have identified which processes can be performed remotely and which processes cannot. We would’ve determined the mandatory requirements of your local government on Remote Operations from cybersecurity, insurance, employee rights, data privacy and anti-COVID standpoints. We should have also identified the IT Assets, both Hardware and Software your employees need to execute their tasks, in addition to the risks associated with each process and technology. Along with these identified risks, we should have a list of risk mitigation measures with accompanying tools and/or processes.
The last step is to implement these security solutions and processes you need to protect your assets and employees when they are out of the office. Depending on your budget and other resources (ie. Specialists), it would be a smart move to prioritise tasks based on their security and operational importance using the simple table below to help you add some metrics to determine what should come first.
|Focus||Critical (4)||High (3)||Medium (2)||Low (1)|
|Security||The security solution must be implemented within 24 hours to ensure business continuity, and is critical to the survivability of the organisation.||The security solution must be implemented within 48 - 72 hours to ensure business continuity, and has a high level of importance to the survivability of the organisation.||The security solution must be implemented within 1 week to ensure business continuity and can cause some delays to various functions in the organisation.||The security solution must be implemented within 2 weeks to ensure business continuity with minimal effect on the survivability of the organisation.|
|Operational||The business operation must be implemented within 12 - 24 hours to ensure business continuity, and is critical to the survivability of the organisation.||The business operation must be implemented within 36 - 72 hours to ensure business continuity, and has a high level of importance to the survivability of the organisation.||The business operations must be implemented within 1 week to ensure business continuity and can cause some delays to various functions in the organisation.||The business operation must be implemented within 2 weeks to ensure business continuity with minimal effect on the survivability of the organisation.|
The value of security importance + operational importance is a simple formula you can use to help place some metrics around the prioritisation of tasks based on their importance. The timings and metrics we’ve suggested are estimates, and can be adjusted based on your realities for implementation.
Maintaining Remote Security
After determining who and how your employees are to work remotely, you also need to ensure that they follow procedure. Depending on how your organization is run, and the leadership culture, you can choose to set up different countermeasures that can help secure your remote teams. Using the People, Processes and Technologies approach, there is a lot that companies can do to secure their remote workforce while maintaining productivity levels.
Outline and implement new Processes to heighten security awareness of all remote staff. This can range from increasing the frequency of network log reviews and refreshing the principle of least privilege of critical databases on a Quarterly basis. Think of this increased frequency as equivalent to adding more patrols around office buildings, and thus reducing the windows of opportunity for attackers to exploit weaknesses in your operating procedures.
Also, you can set up reporting protocols of access to databases and other systems which can be reviewed on a Monthly basis – which provides the added benefit of helping you determine what tools your staff are REALLY using and if there is a need to continue spending money on them.
Your employees can either be your greatest asset, or your weakness link. But one thing's for certain, is that they are here to help your business thrive. You can subject each department, or the entire company, to periodical Phishing Drills to maintain their vigilance, In addition, you can also have each department participate in a security training seminar, where they can explore their questions about security and what it means to their department.
Along the same tangent, you can also provide employees with a 'Work-from-Home Checklist', that provides them the technical and procedural reminders when operating remotely. This is something we have already seen implemented at security-forward thinking businesses like CardUp, and spearheaded by their very own CTO.
Example the implementation of new event management solutions. This can range from the implementation of SIEMs and other Log Management and Anomaly Detection Tools that can help increase your visibility on the technical domain.
Alternatively, you can migrate your business and internal operations onto a Cloud environment, so your broader workforce can work remotely and also opens your business up to skilled professionals from across the world. Just remember to concurrently procure a good cloud security tool when setting up your clod environment, to ensure that your configurations are set up in a secure fashion.
Secure Your Start to Secure Your Future
Here, we’ve only just scratched the surface of what it means to cultivate a secure and remote workforce. Using the 3-step cycle we’ve shown you, you should be able to get a good start on learning more about your organization and acquiring the right tools to properly secure your organization. For more information on what tools you can use really depends on how you want to migrate your IT assets and the nature of your business.
But remember, going remote securely is NOT a one-and-done. It's a continuous process that you should review on a regular basis once started to ensure that your remote workforce is properly protected.
CardUp is increasing support for businesses affected by COVID-19. Get lowered fees starting at 0.8% (u.p. 2.6%) on your rental and 1.45% on your payroll, supplier invoice and business tax payments. These support initiatives will help businesses with cash flow, and allow them to tide through this period of time. Learn more here.
A version of this post first appeared on the Horangi blog.