- Almost half of all organizations are ill-equipped for the impact of ‘shadow IT’
Research by the cybersecurity and information resilience team at BSI shows that over a third of organizations are unprepared for a cyber incident, with one in six highlighting that they have experienced a COVID-19-related data breach and cyber-attack in the past six months.
The BSI research was conducted as part of a readiness to reopen and new hybrid office dynamic campaign to understand the levels of cybersecurity preparedness in the current environment. Respondent sectors covered banking and finance, food and retail, ICT and telecoms, manufacturing, and engineering as well as pharma/healthcare and medical devices, transport and logistics and professional services.
Across the globe, organizations are adapting their working structures, staggering teams in the office, or working from home to adhere to government health guidance regarding physical distancing and employee wellbeing. This hybrid working model, a mix of office and home, presents a range of challenges, most notably around cybersecurity, where the threat landscape continues to expand.
Stephen O’Boyle, Global Practice Director for Cyber, Risk and Advisory at BSI, explains: “Today, it’s not a question of whether a breach will take place, it’s a question of how the business can manage it when it happens. Incident response is a critical component of defence should an attack take place, so making sure you are prepared is essential for the continuity and sustainability of the business.”
Readiness to reopen
Given the changes to the way many organizations now do business, respondents were asked how cybersecurity-ready their organizations are to reopen the office. The following responses were highlighted:
- Physical security – 66 per cent prepared
- Business continuity – 74 per cent prepared
- Operations security – 73 per cent prepared
- Network security – 75 per cent prepared
- Security governance – 75 per cent prepared
“Organizations should re-evaluate system changes to security operation functions that they may have made suddenly to get the business operating remotely when work from home was first required, and now determine whether those changes are still appropriate,” says Stephen.
“This includes network security as well as identity and access management (IAM) configurations. Similarly, security governance covering risk registers and corporate policies will need to be updated to align to the new operating environment, in the office and at home or an alternative remote location.”
“Business continuity and sustainability are areas where we are seeing growth in our consulting practice. COVID-19 has highlighted just how vital it is to have a robust plan in place that anticipates low likelihood or high impact eventualities and how best to deal with them. While 74 per cent of our survey respondents are prepared to react to a disaster event, that left 26 per cent who are not, and we would advise those companies to address this quickly,” says Stephen.
Managing business continuity helps to ensure operational, information and supply chain resilience. By mitigating continuity risks, organizations gain resilience over their ability to deal with disruption consistently. Simple steps, like defining roles and responsibilities for co-ordination, make a response effort more efficient. Returning to operational capacity quickly also builds client confidence and often reduces the financial impact of disruptions should they occur.
Hybrid office and Shadow IT concerns
While the hybrid model is seen as a flexible solution that allows employees to perform their daily duties efficiently while keeping them safe, it also generates potential cybersecurity risks if left unmanaged. Risks in this scenario are primarily based around loss of visibility of employee activity and data, employee susceptibility to phishing attacks, and employees using shadow IT.
BSI’s research found that almost half of all organizations are unprepared for the implications of ‘shadow IT’ on their business in a hybrid office scenario. Shadow IT is when an employee uses an unsanctioned cloud service, device, or software for their work, which can often lead to an increased risk of a data breach. In a rush to enable the business to work remotely, IT teams may have put solutions in place that did not go through normal security governance lifecycle processes.
Stephen explains: “We are witnessing cybersecurity risks and threats mounting daily and working from home may be causing additional employee fatigue, leaving potential for poor judgment when it comes to identifying risks and deciding whether to click on a potentially malicious link or attachment. The lack of governance and the haste to empower remote users creates opportunities for hackers as traditional security mechanisms can often be absent.”
“There is potential for data leakage through cloud services as well as the use of BYOD (bring your own device). The assurance over the security of the BYOD can be lost, and potential questions arise over ownership and access to data. Approved corporate devices are advisable that traditionally provide encryption, patching, web filtering and anti-malware. For these reasons it is important that IT managers educate about data management and clarify shadow IT and BYOD policies.”
“We encourage employers to carry out regular awareness training and education around cybersecurity risks. All levels of an organization need to be aware of cybersecurity risks, especially senior management. The current environment we are living in has exacerbated the threats, meaning cybersecurity needs to be at the core of business decisions now more than ever,” concludes Stephen.
The Consulting Services team at BSI provides an expansive range of solutions to help organizations address challenges in cybersecurity, information management and privacy, security awareness and compliance. For more information visit bsigroup.com/cyber-ie