
    Top 13 Key Steps to take to Protect Against…

    Since the start of 2021 we have witnessed an increase in Ransomware activities in Ireland, in particular targeted “double exploit” campaigns. Of note are the Ryuk and Conti variants, Conti being a newer, more advanced version of Ryuk. The Ryuk variant has been used in attacks on 3rd level institutions. The Conti variant has been used in the recent HSE and Department of Health attacks.

    How is access gained?

    Although these attacks have highlighted the threat of Ransomware, it should be stressed that Ransomware represents an ongoing threat. It is believed that the same threat actor group, WIZARD SPIDER, is responsible for Ryuk and Conti based attacks. In 2019 this group was able to extort approximately $60 million in bitcoin. Other Ransomware variants of note are Sodinokibi and Lockbit.

    Because of the current landscape we have compiled our Top 13 Key Steps to take to Protect Against Ransomware.

    1. Educate your c-suite and board
    2. Deliver and confirm Security Awareness Training
    3. Create, maintain and regularly test a cyber incident response plan, with Ransomware specific playbooks.
    4. Perform, test and secure Backups on a regular basis.
    5. Conduct regular vulnerability scans and address vulnerabilities, in particular those on externally focused assets.
    6. Regularly patch and update software.
    7. Ensure devices from endpoint to cloud are securely configured.
    8. Implement Next Generation Endpoint Protection (EPP) and Endpoint Detect and Respond (EDR) solutions.
    9. Implement network segmentation
    10. Implement secure remote access solutions using VPN, ZTNA and SASE solutions. Ensure all remote access requires a minimum 2FA authentication.
    11. Implement secure mail gateways, incoming mail controls and URL click protection.
    12. Implement a centralised security operations and management approach through a Security Operations Centre (SOC)
    13. Secure and harden your Active Directory to minimise the risk of bad actors gaining escalated privileges to your servers and domains. Monitor administrator access continuously. Ensure your Active Directory is backed up and that at least 1 of these backups is offline and inaccessible to an attacker.

    Following these tips will help you and your institution stay Cyber Threat aware. If you would like more information, you can talk to one of our specialists today and you can download our Information Security Guide below.

    News

    Top 5 Tips for sustaining your Incident Response Capabilities

    Remote working has been a significant societal and technology trend for the last decade but has been almost fully established by rushed necessity as a result of COVID19. Whilst Remote Working offers significant benefits in terms of flexibility, productivity and business continuity, the rush to establish the service and the criticality of the services and infrastructure upon which it depends mean that organisations need a comprehensive incident response plan to protect the service, its users, customers and the organisation from any security incidents that might occur.

    What is an incident response plan?

    An Incident response plan is a systemic, documented, communicated and ideally rehearsed approach to prepare for, detect, contain and recover from suspected Information or Cyber security breaches.

    Incident Response is a system and process that requires continuous application and needs sustainable practices in order to be continuously effective. From Ward Solutions’ 20 years’ experience helping organisations manage their information risk, these are the top 5 tips that help us help our clients to sustain their Incident Response programs:

    So what are the top 5 tips to sustain your Incident Response Capabilities:

    1.  Invest in regular Incident Response Skills and Support training – building and retaining the muscle memory of incident management for the organisation is very important to the success of your incident response program. The muscle memory of skilled, confident incident investigation and handling is the difference between a slick process with good outcomes and a chaotic process with poor outcomes. A tiered and blended approach to training is required, appropriate to the different incident response roles. Technical roles may require training and support in the use of existing or the latest tools and technologies to investigate and manage the technical part of incidents. Business roles may require compliance, legal and procedural training on the best practices, organisational plans, procedures and legal/compliance/contractual obligations during the different phases of an incident. Ideally all teams rehearse or simulate incident response regularly, both individually and collectively, including inter, intra organisation and public/media communications.

    2.  Invest in up to date and integrated Threat intelligence 

    3.  Automate incident prevention and response where possible – Given the scale and complexity of the data, processes, potential stakeholders and actors in an incident, technologies and services such as security orchestration, automation, response and artificial intelligence have the potential to greatly assist in incident prevention, detection, analysis, response and recovery. However, these technologies only become effective in assisting incident management and response when an organisation’s fundamental incident management and response plan and its people and organisational capabilities are comprehensive and robust in their own right.

    4.  Maintain Executive support and interest – active ongoing executive support and interest is key to effective incident management. Executives are not only key actors in the incident management process and thus need to be skilled in it, they are also leaders, sponsors and advocates for Incident prevention, detection and management within their functions. As budget and resource holders they are also key to providing the time, personnel and financial resources to sustain the program. Remind your executives in subtle ways that they are the key beneficiaries of effective incident response, in that organisational revenue, brand, profits, share price, their liberty and bonuses are protected through effective incident response. Their ongoing interest needs to be nurtured through active engagement, reporting and communication of the incident management and response program. Communicate the occurrence of relevant incidents and outcomes. Don’t forget to deliver the good news as well – prevention of or substantial mitigation of incidents. As always, tailor the communications to the appropriate levels, format and frequency for your audiences.

    5.  Operate continuous improvement – find opportunities to implement a mindset of continuous improvement. Perform regular assessment of your risks, threats, likelihood of occurrence and impacts. Perform regular audits of your processes and controls. Perform after action reviews of incidents, big and small, as well as near misses. Update your incident management processes, procedures, controls, tools, skills etc. as appropriate. Effective Incident management and response is a continuous journey, not a once off destination.

    News

    Top 5 Tips for effective Incident Response

    What is an incident response plan?

    An Incident response plan is a systemic, documented, communicated and ideally rehearsed approach to prepare for, detect, contain and recover from suspected Information or Cyber security breaches.

    So from Ward Solutions’ experience in a wide variety of sectors, these are our top 5 tips for putting in place an effective incident response plan:

    1. Cyber Incident Response is a whole of business issue – A cyber event usually impacts significant parts of or the whole of the business. Organisations that relegate cyber incidents to being a technical issue to be dealt with by IT or the CISO risk a rude awakening and a very ineffective and costly impact to the organisation. The business needs to treat cyber risk and cyber incidents as a potentially critical whole of business risk and devote the necessary focus, resources and time to risk assessing, mitigation planning and incident planning and rehearsing. The IR team needs a reflective set of business and technical resources empowered to make decisions and take the necessary actions to manage the incident. When an incident occurs the business needs to react in a coherent, orderly, structured, uninhibited way that can only occur when the entire business is highly familiar with their roles, responsibilities, processes, obligations and tools, a familiarity that comes from a well thought out, documented and rehearsed incident response plan.

    2. A pint of sweat is worth a gallon of blood. This is a maxim attributed to General George S. Patton, one of the most effective World War II Generals. Putting in place proactive incident response plans and rehearsing them across the business via table top exercises, red or purple teaming exercises seems like unnecessary sweat and toil from the calm, collected vantage point of business as usual environments. Trying to invent and operate incident response roles, processes and playbooks in the middle of a real life critical incident is a sure-fire way to cost the organisation a lot of money and customers, and often threatens the business’s viability or survival. Putting these planning and rehearsal activities on the long finger or short changing them usually means that an incident creeps up on an organisation before they are ready, or when they are complacent that they have the processes in place when they actually lack the robustness that is required.

    3. Make sure the incident response plan is systemic. Ensure that you use a recognised, best practice incident response lifecycle of the following typical stages:

    • Preparation – prepare the plan in advance, identifying roles, responsibilities, processes, procedures, escalation matrices, resources including service providers and partners
    • Prevention – put in place preventative measures to either prevent an incident occurring in the first place or minimise the impact of an incident once it occurs
    • Detection – put in place measures to detect as early as possible indicators of an incident or the actual incident occurring – in order to minimise recovery time and shorten exposure time of the organisation to the incident
    • Analysis – put in place the tools, resources, services to analyse incidents and offences to determine if real or simply false positives. Once an incident occurs have the tools and capabilities to determine what has/is happening so that you can respond appropriately.
    • Containment – ensure you have the data, tools, resources and skills to contain the incident, preventing it spreading, escalating, inflicting further damage
    • Eradication – again ensure you have the data, tools, resources and skills to eradicate the incident. Eradication timelines range from instantaneous to weeks, depending on the nature, scale and complexity of the incident
    • Recovery – recover your services, data to normal or as near normal as possible operation
    • After action review – review the origin, nature and impact of the incident. Review controls and mitigation to prevent or minimise these incidents reoccurring or the impact reoccurring. Also review how your incident response processes and protocols performed during the incident, using the opportunity to continuously improve.

    4. Put in place the proper resources, tools and partnerships – you need a rich set of tools and capabilities to be able to respond to and manage the wide range of incidents that may occur, whether accidental or deliberate. Most organisations cannot afford the costs or focus to put in place, own and manage all of the specialised skills required. Selective outsourcing and partnership of capability, services, resourcing etc. makes sense provided these outsourced or partnered resources or services match the responsiveness that may be required and are backed by service levels etc.

    5. Incident response doesn’t end when the incident ends – a lot of focus on incident response is on the restoration of normal service as soon as possible. A lot of organisations want to breathe a sigh of relief, sweep up the incident detritus and move on with business as usual. However, a structured after action review of the origin, nature, artefacts and outcome of the incident offers an organisation the opportunity to continuously improve their risk register, threat intelligence and their incident handling and response processes.

    News

    Top 5 reasons to have an incident response plan

    Remote working has been a significant societal and technology trend for the last decade but has been almost fully established by rushed necessity as a result of COVID19. Whilst Remote Working From Home (RWFH) offers significant benefits in terms of flexibility, productivity and business continuity, the rush to establish the service and the criticality of the services and infrastructure upon which it depends mean that organisations need a comprehensive incident response plan to protect the service, its users, customers and the organisation from any security incidents that might occur.


    What is an incident response plan?

    An Incident response plan is a systemic, documented, communicated and ideally rehearsed approach to prepare for, detect, contain and recover from suspected Information or Cyber security breaches.

    Proactive versus Reactive incident response

    “A pint of sweat is worth a gallon of blood” – General George S Patton.

    Planning, anticipating the threats and risks to your organisation and putting in place mitigation plans in advance is good practice. Documenting these plans and your incident response protocols is even better. Communicating and rehearsing these plans with relevant stakeholders is best practice. If you rehearse the key members of your organisation and partners they will have “muscle memory” when a real incident occurs. You are not winging it, hoping it will somehow work out due to the brilliance or luck of your team. The cyber security landscape is littered with case studies and YouTube videos of how not to manage an incident response. It is fair to say that a lot of the organisations involved did not have best practice incident response planning or protocols in place prior to or during the incidents involved.

    So what are the top 5 reasons you should have an incident response plan?

    1. How an organisation responds to an incident determines the impact and progress of that incident. The Ponemon Institute Cost of a data breach report 2020 cites the average cost to an organisation of a data breach, just one of the many types of cyber security incidents that might occur, at $3.86M globally. The same report identifies that the highest cost saver to an organisation in the event of a data breach was having an Incident response team in place with a tested Incident response plan. This action saved about $2M in overall incident costs for an organisation that has this team and a rehearsed incident response plan in place versus an organisation that doesn’t. In plain English – having an effective incident response team and plan in place saves you significant money, time and collateral damage when an incident occurs.

    2. Your customers expect you to have an incident response plan – The Ponemon Institute Cost of Data breach report estimates that lost business as a result of a data breach accounts for 39% of the overall data breach cost to an organisation. A Forbes Insight report found that 46% of organisations had suffered damage to their reputation and brand as a result of a data breach. B2B customers are increasingly doing due diligence, risk and compliance assessments on their supply chain, either at onboarding stage or as part of routine supply chain assurance for existing suppliers. Having a mature incident response plan as part of an overall information security management system helps win or retain your customers.

    3. Your board and shareholders will expect you to have an incident response plan – A severe cyber security breach for a typical FTSE 100 company equates to a market capitalisation loss of on average 1.8% or an average of £120M, according to an economic study from Oxford Economics. Your organisation’s board and its shareholders obviously expect that an organisation is doing its utmost to protect shareholder value. Financial analysts, venture capital firms and credit rating agencies are factoring cyber security readiness into the methodologies by which they assess, recommend and score firms. Incident response planning, rehearsal and activation are foundational to any cyber security readiness, operations and cyber maturity assessments. Having a mature incident response plan as part of an overall information security management system helps protect your shareholders and your organisation.

    4. Your insurers will expect you to have an incident response plan – Your insurers are one of the ultimate arbiters of risk. Their assessment, backed up by industry data, is how they decide whether to insure you and how to price your policy. Most B2B insurers now have detailed assessment of your information security and cyber security maturity, not just for specific cyber risk policies but also for your general insurance policies. In a lot of cases your level of cyber security maturity is one of the determining factors in whether they will offer your organisation cover, for what occurrences, at what levels and for what price. A key element of that assessment is whether you have appropriate disaster recovery and incident response plans in place, as well as assessment of information security incidents that have recently occurred. Having a mature incident response plan as part of an overall information security management system helps you get, retain and utilise economic levels of insurance.

    5. Your regulators and auditors expect you to have an incident response plan – very few organisations operate in unregulated environments. Most regulators expect and increasingly mandate that their regulated entities have mature information security systems in place. Financial Auditors have obligations and standards to assess the true performance and financial nature of organisations, including the application and operation of financial risk management and financial controls. A key part of this Information Security Management System (ISMS) will be disaster recovery planning (DRP) and incident response planning (IRP) to safeguard the customers/consumers that these regulated entities service and in numerous cases to ensure ongoing safe service provision to these consumers/customers. Having a mature incident response plan as part of an overall information security management system helps you become more financially secure and compliant with general, industry specific and financial compliance obligations.

    Careers

    Challenge Your Mindset

    Ciara Fitzgerald – Head of Legal, Ward Solutions

    When I was in primary and secondary school, I struggled with maths. I was told consistently by grown-ups in my family that this was to be expected; my whole family struggled with maths. I listened, believed this and always saw spending time on anything mathematical as a waste of energy. I steered clear of any optional subjects that involved figures while in education. I figured I just did not have the aptitude for it. It was genetic. How could I possibly fight genetics?! So I became a barrister and did my absolute best to avoid anything that required “an ability” for maths in my professional life.

    In 2019/2020, I undertook a business and innovation course (a new departure for me!) and as part of the reading, we were advised to read Mindset: The Psychology of Success by Dr. Carol S. Dweck. I had never heard of the book or of the author but I am not exaggerating when I say the content of that book entirely changed my perception of my own ability and capacity and that of everyone around me. For those who have not read this book, very briefly, Dweck argues that people have, broadly, one of two mindsets – a fixed mindset or a growth mindset. Those with a fixed mindset believe that your traits and abilities are fixed and you are either born smart or talented (generally or in relation to a specific area) or not. People have no capacity to change their abilities. Those with a growth mindset, however, believe that ability is not static and can be improved with effort, through failure and learning.

    Dweck suggested that fixed and growth mindsets spanned a spectrum and most people would not fall entirely within either camp across every facet of his/her life. As I listened to this book however, I realised that with respect to my professional abilities and educational abilities, I very much had a fixed mindset. I believed I was good at certain things but would not and could not succeed at other things. Again, how could I fight genetics?! When I scratched the surface of that persistent truth however, I realised I had not even thought to generate a counter argument – something lawyers should be able to do in their sleep! Fair enough, I did not like maths, but that was not the same as having no ability. In addition, when I looked at my siblings I realised that two of them run successful businesses (something that indicates to me they must be good with figures) and another is actually studying for a financial qualification. Really interestingly, Dweck suggested that failure is something that those with a fixed mindset fear and I have always hated to fail – so much so that I would just not take on challenges that I did not think I could succeed in (Ward’s Head of People and Talent wrote a fantastic piece about learning to fail through Olympic weightlifting earlier in this series!). This was certainly more pronounced during my adolescence and early twenties but I won’t deny it, I still hate to fail at something!

    Since finishing the book and in both my personal and professional life, I have consciously made an effort to challenge my inclination towards a fixed mindset. I have two young daughters, one of whom recently started school, and I find myself trying to ensure that I never tell her she has no talent (or conversely, she has bundles of talent) for any of her subjects. Rather, I try and encourage her for just trying, for failing and trying again and for putting effort in.

    This is more difficult to do for myself and at work! I am the sole legal counsel in an information and cyber security company and therefore, I can be a bit at sea sometimes when some of my more technical colleagues start talking! Instead of passively listening now however and assuming that I cannot and will not ever understand what they are talking about because “I’m just not technical”, I ask them to explain or I take notes and later look up terms that were used during meetings and conversations. As a result, I have learned a huge amount (relatively speaking) about the technical sides of this business that do not necessarily impact on my specific legal function. In an earlier blog by my colleague, Alicja Quinn, she advocated for people to embrace change and become a “change champion” and I suppose, this is my quiet way of doing just that.

    So what is my point? First of all, if you haven’t come across Dr. Dweck’s book, I would highly recommend it! If nothing else, it is a really interesting read. Secondly, as my growth-minded colleagues suggest, embrace failure and change in both your personal and professional life. Easier said than done perhaps, but try small changes at first. Finally, allow yourself to believe that you can be something different than what you are today or have been in the past with a little bit of effort, hard work and trial and error.

    News

    Build a Secure Remote Connection Solution for Today’s Business

    Many organizations use virtual private networks (VPNs) that function like a tunnel back to the company network, but relying exclusively on a VPN has security risks. Even after the pandemic ends, CISOs are going to need a better strategy for supporting telework because it’s likely that many employees will continue to work remotely at least part of the time. Given the limitations of VPNs and the dynamic and distributed nature of today’s networks, it’s clear that a better solution is needed. Zero-trust network access (ZTNA) is the evolution of VPN remote access. It simplifies secure connectivity, providing seamless access to applications no matter where the user or the application may be located.

    54% of employed adults say that they want to work from home all or most of the time when the coronavirus outbreak is over.

    The recent rise in remote working has put a spotlight on the limitations of virtual private networks (VPNs). For years, VPNs have been the de facto method of accessing corporate networks, but they have some serious drawbacks, particularly in terms of security.

    The biggest issue is that a VPN takes a perimeter-based approach to security. Users connect through the VPN client, but once they’re inside the perimeter they often have broad access to the network, which exposes the network to threats. Every time a device or user is automatically trusted in this way, it places an organization’s data, applications, and intellectual property at risk.

    In addition to the issues using a VPN for remote access, network operators are looking for a better way to secure applications. Having some applications on the cloud and some on-premises makes it difficult to deliver a common method of control and enforcement, particularly when some users are on-site and others are remote. Deploying applications to the cloud can expose them to probes from unwanted actors and increases risk.

    Going Beyond the VPN
    Zero-trust network access (ZTNA) offers a better remote access solution that also addresses concerns related to application access. The term zero trust means exactly what it sounds like. With this security model, the assumption is that no user or device is trustworthy, and no trust is granted for any transaction without first verifying that the user and the device are authorized to have access.

    Because ZTNA starts with the idea that location does not grant a level of trust, where a user is working becomes irrelevant. The same zero-trust approach applies no matter where a user or device is physically located. Because any device is considered to be potentially infected and any user is capable of malicious behaviour, the ZTNA access policy reflects that reality.

    Unlike a traditional VPN tunnel with unrestricted access, ZTNA grants access per-session to individual applications and workflows only after a user and/or device has been authenticated. Users are verified and authenticated to ensure they are allowed to access an application before they are granted access. Every device is also checked each time an application is accessed to ensure the device meets the application access policy. Authorization uses a variety of contextual information, including user role, device type, device compliance, location, time, and how a device or user is connecting to the network or resource.

    With ZTNA in place, once a user has provided appropriate access credentials such as multi-factor authentication and endpoint validation and is connected, they can then be given what is known as least privileged access. The user can access only those applications that they need to efficiently perform their jobs and nothing else.
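    The per-request decision described above can be sketched as a default-deny policy check. This is an added example, not code from the original post or from any vendor's product; the field names, policy schema, application names and sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import time


@dataclass(frozen=True)
class AccessRequest:
    """Context presented with every application request (hypothetical fields)."""
    user: str
    role: str
    mfa_passed: bool
    device_type: str
    device_compliant: bool
    country: str
    local_time: time
    application: str


@dataclass(frozen=True)
class AppPolicy:
    """Per-application access policy (hypothetical schema)."""
    allowed_roles: frozenset
    allowed_device_types: frozenset
    allowed_countries: frozenset
    window_start: time
    window_end: time


# Constructed sample policies: application names and values are made up.
POLICIES = {
    "erp": AppPolicy(frozenset({"finance"}), frozenset({"managed-laptop"}),
                     frozenset({"IE", "GB"}), time(7, 0), time(20, 0)),
    "hr-portal": AppPolicy(frozenset({"hr"}), frozenset({"managed-laptop"}),
                           frozenset({"IE"}), time(8, 0), time(18, 0)),
}


def in_window(t, start, end):
    """True if t is inside [start, end], including windows that wrap midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def evaluate(request, policies=POLICIES):
    """Decide a single request. Returns (allowed, reasons); default is deny."""
    policy = policies.get(request.application)
    if policy is None:
        # Least privilege: an application without an explicit policy is unreachable.
        return False, ["no policy for application"]
    reasons = []
    if not request.mfa_passed:
        reasons.append("mfa not satisfied")
    if request.role not in policy.allowed_roles:
        reasons.append("role not entitled to application")
    if request.device_type not in policy.allowed_device_types:
        reasons.append("device type not allowed")
    if not request.device_compliant:
        reasons.append("device not compliant")
    if request.country not in policy.allowed_countries:
        reasons.append("location not allowed")
    if not in_window(request.local_time, policy.window_start, policy.window_end):
        reasons.append("outside permitted hours")
    return not reasons, reasons


def demo():
    """Evaluate one constructed user across four requests."""
    base = AccessRequest(user="alice", role="finance", mfa_passed=True,
                         device_type="managed-laptop", device_compliant=True,
                         country="IE", local_time=time(10, 0), application="erp")
    return {
        "erp, healthy device": evaluate(base),
        # Same user and application, but the device failed its posture check
        # since the last request: the earlier allow decision is not reused.
        "erp, device now non-compliant": evaluate(replace(base, device_compliant=False)),
        # Authenticated user asking for an application outside their role.
        "hr-portal, wrong role": evaluate(replace(base, application="hr-portal")),
        "unknown application": evaluate(replace(base, application="wiki")),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

    Because every request is evaluated from scratch, a change in device compliance or location takes effect on the next application access rather than at the next login.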

    Access control doesn’t end at the access point. ZTNA operates in terms of identity rather than securing a place in the network, which allows policies to follow applications and other transactions end to end. By establishing greater levels of access control, ZTNA is a more efficient solution for end-users and provides policy enforcement wherever needed.

    Although the ZTNA authentication process provides points of authentication, unlike a traditional VPN, it does not specify how that authentication takes place. As new or different authentication solutions are implemented, they can be seamlessly added to the ZTNA strategy. New authentication solutions may do things like help eliminate issues related to weak or stolen passwords and credentials, address challenges due to the inadequate security of some Internet-of-Things (IoT) devices, or add extra levels of verification to access sensitive or confidential information or critical resources.

    ZTNA vs. VPN
    For users, ZTNA is easier to manage than a VPN. Users no longer have to remember when to use the VPN or go through the process of connecting. There’s also no risk of tunnels accidentally being left open because someone forgot to disconnect. With ZTNA, a user simply clicks the application and immediately gets a secure connection whether the application is on-premises, in a public cloud, or on a private cloud. This tunnel is created on-demand, transparent to the user. Because the network is no longer a zone of trust, the same tunnel is created if the user is on the network or off the network. The encrypted tunnel happens in a transparent manner, providing security in the background.

    On the application side, because the user is connecting back to the enforcement point and then proxying that connection to the application, the application can exist on-premises, in a private cloud, or in a public cloud, all while hidden from the internet. The application only needs to establish a connection with the enforcement points, keeping them safe from prying hackers or bots.

    “Gartner predicts that by 2023, 60% of enterprises will phase out traditional VPNs and use a ZTNA model.”

    ZTNA and the Future
    Adopting a zero-trust approach to cybersecurity is a process that touches many systems and may take years for many organizations to fully implement. But addressing remote access is a good first step toward implementing a complete zero-trust solution. As companies transition their approach to remote access, they often have a mix of VPN and ZTNA. Many vendors providing ZTNA services are doing so in conjunction with SASE services. This service-initiated approach makes it easy to control cloud applications access from cloud security, but it can incur expensive SASE charges and may be limited in the types of applications it can support.

    Building a complete zero-trust network access solution requires a variety of components: a client, a proxy, authentication, and security. Often these solutions are provided by different vendors and the components often run on different operating systems and use different consoles for management and configuration, so establishing a zero-trust model across vendors can be difficult or impossible.

    By selecting integrated and automated tools, CISOs can overcome the key challenges of implementing ZTNA. Using an integrated firewall-based and SASE approach, they can employ ZTNA capabilities with simplified management using the same adaptive, application access policy whether users are on or off the network. ZTNA can be applied to remote users, home offices, and other locations such as retail stores by offering controlled remote access to applications that is easier and faster to initiate while providing a more granular set of security protections than traditional legacy VPN.

    Only 15% of organizations have completed a transition to a zero-trust security model, which does not automatically assume that anyone inside the network perimeter is trusted

    Secure Remote Access With ZTNA
    With the increase in remote work, the limitations of traditional VPNs have become clear. The more people move and work from anywhere, the less secure a traditional perimeter-based approach becomes. Every time a device or user is automatically trusted, it places the organization’s data, applications, and intellectual property at risk. ZTNA solutions are a better way to secure remote access than traditional VPNs and also improve controls around application access.

    Download more information on Secure Remote Access with Ward & Fortinet RQ

    *In partnership with Fortinet

    1 Kim Parker, et al., “How the Coronavirus Outbreak Has – and Hasn’t – Changed the Way Americans Work,” Pew Research Center, December 9, 2020.
    2 Mike Wronski, “Since Remote Work Isn’t Going Away, Security Should Be the Focus,” Dark Reading, September 24, 2020.
    3 “2019 Zero Trust Adoption Report,” Cybersecurity Insiders, November 2019.

    News

    Top 5 Tips for sustaining your remote risk assessment…

    Organisations are subject to ongoing risk, whether from their remote working systems or processes, from the implementation of new systems such as a cloud based ERP, or from changing business or economic environments, e.g. the risks associated with COVID19.

    Take our remote working risk assessment today

    Risk Management is a system and process that requires continuous application and needs sustainable practices in order to be continuously effective. From Ward Solutions’ 20 years’ experience helping organisations manage their information risk, these are the top 5 tips that help us help our clients to sustain their risk management programs.

    So what are the top 5 tips to sustain your remote working risk management program?

    1. Treat this remote working risk assessment as a small part of a larger journey, not a destination – A one-off risk assessment and remediation project is of very limited value. You need to position your remote working risk assessment as one part of a bigger and more comprehensive, continuous risk management program and process. Risk Management is a continuous process of assessing risks, tracking and managing your remediation program(s), verifying your controls are in place and working, reassessing already identified risks, looking for new risks, fixing noncompliance, and performing after-action reviews of incidents. Keep your risk register alive, up to date, and accessible.
    2. Embed Remote Working Risk assessment into your overall Risk Management system and onwards into your SSDLC – Your remote working risk assessment and risk management exercise is just one part of, and needs to fit into, an overall organisation risk management system. Whatever systems development model you use (Waterfall, Agile, DevOps etc.), you need to embed risk assessment and risk management into this lifecycle. Conceptualise that you have an SSDLC (Secure Systems Development Lifecycle) – Sec Dev Ops. Embed risk and security management activities and process into every stage appropriately – secure design at the design stage, security and risk management requirements at your requirements stage etc. Follow your standard ISMS lifecycle of Plan Do Check Act (PDCA).
    3. Communicate, communicate, communicate – really strong and proactive communication of your risk management program is key to sustaining momentum and buy-in to your risk management program. Tailoring the message and the relevant parts of the risk program to relevant audiences is also key. You will have a different and higher level message for your executive and a more specific and perhaps operational message for e.g. your grass roots remote worker teams. Even within those teams you might have a different ask or update for remote sales teams vs remote finance or customer support teams. Framing the message around successful remediations, progress, wins and areas for continuous improvement, rather than “shouting at the wind” with a list of failures, unaddressed risks and control failures, is important and sets a better and more encouraging tone.
    4. Test, Test and After action review – don’t assume that the controls you implemented continue to operate or even to operate as designed. It is important to continuously validate your controls and remediations with a series of audits and tests to verify compliance with their design. You should also design your tests to challenge continued effectiveness of the control. New threats and vulnerabilities may have emerged since you designed the control. New controls may have emerged that are more effective or easier to operate. Users may have adapted the control based on business process or operations. So you need to challenge the effectiveness of the control as well as its continuous operation. You also need to review controls in after action reviews of incidents and events to see how those incidents occurred and whether the control was applied and was effective. It may be that the control was in compliance but now additional controls are required.
    Download more information on Remote Working Security Assessment
    News

    Top 5 Tips for performing an effective working Risk…

    Performing a remote working security assessment is important. Remember the goal is to effectively identify, quantify and remediate prioritised risks. The methodology of formal risk management is important. However, Ward Solutions’ experience of helping organisations successfully manage risk for over 20 years is that there are a number of other “softer” skills and considerations that are key to your risk assessment success.

    Take our remote working risk assessment today

    So from Ward Solutions’ experience in a wide variety of sectors these are our top 5 tips to performing an effective remote working risk assessment:

    1. Identify the correct scope of your remote working processes and infrastructure – In order to assess the risks to your organisation from remote working, you need to correctly identify the key information assets, infrastructure and processes that you wish to assess. Your scope needs to balance all relevant processes and infrastructure of your remote working services. Be careful not to open the scope too wide, encompassing vaguely relevant or irrelevant assets or processes. A bloated scope of risk assessment increases the time and cost of the engagement and makes the output less relevant, with a reduced likelihood of success.
    2. Ensure stakeholder buy-in and participation. Work hard to identify your key stakeholders in the risk assessment. Key stakeholders are usually a select sub-group of senior management as well as heavily reliant middle management and function owners. Your most important stakeholder may be a representative group of impacted or highly relevant grass root end users. Their engagement in terms of input to the risk assessment and commitment to the output and recommendations from the risk assessment typically makes or breaks the project. As with scope, focus on quality and relevance of stakeholders rather than quantity.
    3. Conduct the risk assessment systematically and objectively – ensure you use experienced risk assessment professionals and follow a recognised risk assessment methodology such as NIST 800-30 to conduct your risk assessment. Ensure that you surface and appropriately quantify all relevant threats and risks.
    4. Be transparent and upfront whilst positioning and managing your findings – Ignore the temptation to downplay risks of vested, difficult or personal interests. Be transparent and honest with the organisation. Otherwise the engagement is bogus, the organisation will not gain value and your integrity is questioned. If you are worried about vested or difficult interests being exposed, then deal with this at the buy-in stage. Stress the importance of a “warts and all” approach. Outline upfront to stakeholders that most organisations typically will have the type and nature of issues likely to be uncovered. Help the organisation recognise how it got here – e.g. perhaps an accelerated adoption of large scale remote access and cloud adoption in response to COVID19. Consider socialising and positioning your findings with impacted stakeholders in advance so they are not blindsided. Allow them to have the time to reflect and position their response, before the final report of findings, public presentations etc. Focus on the benefits of unearthing the issues and having the opportunity to remediate rather than ignoring or hiding the issue and then being forced to respond to incidents as they occur.
    5. Build and focus on a SMART remediation plan. Remember the goal of the risk assessment is to allow the organisation to manage the risks you have identified and quantified. Too many risk assessments focus on the risks and issues – not the remediation. By focusing on the issues only you can either paralyse the organisation with fear and uncertainty or alienate stakeholders from future or ongoing risk management exercises. The goal is for organisations to agree the risk register and buy into the prioritised remediation plan. Your remediation plan needs to be SMART:
      • Specific – a very specific plan of what, where, when, how and whom
      • Measurable – it should be possible to very clearly determine if the element of the plan has been implemented and if and how successfully
      • Achievable – there is no point in having a plan if it cannot be implemented economically, technically or organisationally
      • Relevant – the plan must fit the organisation’s goals and ambitions and obviously should address the risks identified in a prioritised way.
      • Timely – the plan should be capable of embracing and delivering both the quick wins and the longer term high priority complex remediations. It needs to be done within timelines that mean higher priority risks are addressed without unnecessary exposure time to the organisation. It also needs to address program fatigue – the notion that protracted projects without definable progress and wins lose support and enthusiasm over time.

    Read our follow on article about our top 5 Tips for sustaining your remote risk assessment program:

    Top 5 Tips for sustaining your remote risk assessment program
    News

    Top 5 reasons to do a Remote Working Security…

    Remote working has been a significant societal and technology trend for the last decade, but has been almost fully established by rushed necessity as a result of COVID19. Whilst remote working offers significant benefits in terms of flexibility, productivity and business continuity, the rush to establish the service did not allow for necessary comprehensive assessment of risk or appropriate mitigation planning and implementation of controls.

    Inevitably, given the rushed and disruptive nature of this implementation, the remote worker, their endpoints, home networks, remote access and the hybrid on-premise and cloud services that they are using are vulnerable and have all been the subject of significantly increased security incidents and targeted attacks.

    So what are the top 5 reasons that you should perform a remote working security assessment?

    1. Identify and quantify the risks that your organisation and your remote workers face – once you identify the risks you can assess their potential impact on your organisation and likelihood of occurrence.
    2. You will review your existing remote working policies and controls to ensure they are adequate and up to date – use our experience and expertise to objectively determine the effectiveness of, or any gaps you may have in, your existing policies and controls for remote working.
    3. You will determine your current level of security and identify vulnerabilities and configuration weaknesses – analysis of your remote access infrastructure including authentication and encryption, endpoint configuration and vulnerability analysis.
    4. You will produce a prioritised mitigation plan for identified risks for remote workers and remote working infrastructure and processes.
    5. You will communicate your risks and remediation plan in a coherent way to relevant stakeholders in your organisation – gain the buy-in, commitments, sponsorship and resources that you and your plans need from management and functions within your organisation by outlining the risks you face, their potential impact to your organisation and your plans to remediate.
      • Track progress on risk emergence and mitigation – use the output of the risk assessment to track and demonstrate progress on your remediation plan.

    If you are eager to check on your remote working risks, you can take our assessment today. It is a short assessment that will provide you with brief feedback on improvements. You can also talk to our specialists today about how we can help overcome the issues identified.

    Take our remote working risk assessment today

    Read our follow on article on our top 5 Tips for performing an effective working Risk Assessment:

    Top 5 Tips performing an effective working Risk Assessment
    News

    There is nothing permanent except change

     

    Alicja Quinn – NOC Manager, Ward Solutions

    Changes are happening every day, improvements are the reason for change. External and internal factors force us to make changes, for example the famous C****-19 (the thing we dare not speak about!), has changed the way a lot of companies do business, how a lot of teams work, how you interact with your clients, how shops, schools and hospitals operate on a day-to-day basis.

    It was hard for some of us parents to adjust to working remotely and home schooling but if you look at positives for me, and some of us
    I’ve learned a few Irish words (in case my name didn’t give it away I’m a native Polish speaker!), my daughter’s vocabulary has increased, and when I ask if we can do something her replies are:

    “I need to check my calendar”, “let’s compare calendars and let’s recheck when we are both free” or “I am busy! I am on the conference call”

    very useful I have to say for a 5-year-old 🙂

    Her school takes the kids outside more often than before the pandemic struck and they are planning to introduce more outdoor classes which provides a lot of fresh air and an alternative approach to conventional learning.

    What about the commuters who spend fewer hours on public transport or fewer hours being stuck in traffic? Remote working does have its challenges but there are some great benefits also.

    The new hybrid model of remote and on premises work will allow some of us to relocate or work from the areas in Ireland where companies would never traditionally look for talent. The location of the office HQ is not the key element anymore when looking for work.

    C***-19 also catapulted digital transformation for businesses to the top of their agenda.

    So let’s talk about why we’re so averse to change??

    When change is inevitable why are some so resistant?

    Evolution is fundamental to humans so why do we deny it sometimes?? We all know change won’t go away.

    You know the saying, “If you can’t beat them join them!”

    New year’s resolution: BECOME A CHANGE CHAMPION

    Let’s look at what your options are if you wish to become one

    • Embrace the change and be the change advocate
    • Work with the change driver on the solution that will work better for you, your team, and your clients. What I mean by this is: If you don’t agree with the change but you know it needs to happen try to work with all stakeholders on the solution which is the easiest to live with or to work with.
    • Carpe diem! Just try it! Seize the change and after a period of time you might see it was needed and worked, or after the change rollout if you still can’t cope with that change suggest future improvements and be the change driver then 🙂.

    You can’t talk about change without Continuous Service Improvement (CSI).

    When you make changes you work on incremental improvements, you might end up back where you started… But what you learn on the way is priceless. It may seem like you are going backwards but you are definitely not. All the adjustments and lessons learned played a key and valid role in your progress and you will end up in a revitalised state.

    A key thing to remember is that changes can bring a lot of negativity but we need to be able to highlight the positives and the new opportunities that can arise as the result of it.

    Don’t forget ALWAYS to look at the bright side!

    At Ward we work with our clients to deliver what they need based on their current situation. We support our clients through the changes and adjustments on their side. We advise and suggest changes if there is a requirement for it. We learn from our past changes and make improvements. Every department in Ward, whether Finance, Sales, Operations or the Customer Service team, always looks at how best to supply the client with the tools and services they need.

    For All Change Champions:
    You will never be able to win all the audience when making changes but if you get people engaged, let them suggest adjustments, work with them to make it easier to live the change, and help them to see the positives rather than the negatives, then your battle is won.