By Caleb Mills, Chief Technical Officer at Doherty Associates outlines the dangers faced by finance and private equity firms when it comes to IT infrastructure in a pandemic. Caleb warns that maintaining security is critical as firms continue to work remotely in the current lockdown while making plans to return to the new blended workplace in 2021.

2020 was a year of rapid change – for the technology sector in particular. Virtually overnight, IT firms had to meet the growing demands of many businesses accelerating their technology plans in a bid to stay ahead of the new virtual business environment we suddenly found ourselves in. Covid-19 forced many organisations to automatically relax their security policies so that employees could operate in the remote-only world which followed the UK’s first national lockdown in March.

Can personal devices ever be compliant?

When the announcement of the first March lockdown was made, employees were sent home to work, and largely did so on their personal devices; home PCs, personal mobile devices or shared laptops. Compliance calls for organisational data to be encrypted and kept private, access to be audited and for its transmission to be only over secure channels. Many of these requirements are not met if the use of personal devices is allowed carte blanche – so it’s very likely that some firms are falling short of their compliance obligations.

Added to this is the fact that many employees do not want to allow their organisation to install management software, enforce policies, or limit their freedom on the use of personal devices. They may feel that their company is infringing personal liberties or ‘spying on them’. The most simple and effective (yet costly) solution is to issue company devices for all staff – although there may be some resistance from some to having two devices.

There is an option for controlling company data on personal devices that can satisfy some compliance requirements. Technologies now exist to allow organisational data to be kept in a separate virtual container on the device where policies around encryption and such can be enforced without contravening your employees’ privacy. The company portion of the device can be kept in a secure bubble, without enforcing rules or infringing on individual’s freedom with their own personal devices.

New risks and responsibilities

The accelerated adoption of remote working has meant many risk and compliance teams are still rushing to catch up. Many firms have not thoroughly identified the risks associated with remote or hybrid working, which continue to evolve as the constant demands for businesses change. Even those who have identified risks are likely only considering the ones they understand. In many cases, compliance teams need assistance from a cyber security expert who can help define the risks they are not aware they are taking. An expert will understand the wide and varied attack vectors and provide context and insight into how they could impact risk. The changing environment might call for updates to your IT use policy, cyber security policy, or other IT related policies.

Navigating risk and liability

The approach for managing risk must start by having a clear understanding of what your organisation’s risk appetite is. It is not possible to mitigate or eliminate all risks – there will always be some residual risk and it is important for your organisation to know what level of risk it is willing to accept.

When creating treatment plans for each of your risks, the business should consider the many different angles for controlling and mitigating. There are many technical controls which can enforce your policies, but often organisational controls such as processes or workflows can be just as effective. Choosing to adopt a program like Cyber Essentials can help to ensure that your organisation meets certain requirements. Even the very low bar of its framework can help you to ask pertinent questions about your organisation’s security posture.

Changing security boundaries

In days gone by, businesses took some comfort from knowing they had a secure network. They invested in firewalls to build a border around their network, and they trusted workers and the data they accessed to be protected against security threats. Now, many things have changed.

Data is no longer kept solely on servers in the office, it’s now stored largely in the cloud. And, thanks to Covid-19, many users are now operating outside of this safe and secure network too. The net effect of these two key changes is that the approach of building a highly secure boundary around your network no longer delivers the desired results. The post-pandemic workplace, even more so in finance and private equity, needs to be productive and secure from anywhere in the world.

The modern hacker is not just focused on defeating a firewall – they want to steal your firm’s data – and the way they achieve that is typically to hijack an individual’s identity. Modern security now focuses on protecting the data and the identity of workers by using multiple layers of security controls. This multi-layer, or “onion” approach, works on the assumption that a determined attacker can breach anyone or two layers of security protection. To keep your organisation protected, you should have multiple security controls in place to ensure coverage to help keep your environment safe.

Securing and supervising data rooms in a hybrid world

Data rooms provide a critical function by allowing third party organisations to securely access confidential data, so it’s important that the sensitivity of this is considered before embarking on any data room project. Appropriate policies about how the data should be accessed and used can then be enforced by the technology, and these clearly defined policies will allow for tightly configured security controls to limit access appropriately.

For example, data room guests might be allowed to view documents, but prevented from downloading them or copying and pasting content from them. Modern capabilities even include the ability to “timebomb” documents – for example to block access to documents after an NDA has expired.

Finally, consider taking Cyber Insurance. This can provide help with investigations, guidance on reporting to the ICO, help with public relations and communications, and help cover other expenses incurred as part of a cyber event.

The ongoing events of 2020 have changed the way we work forever. New risks and opportunities have continued to emerge through this period, and it’s ever more apparent that the world will never  go back to how it worked before. Hybrid working is here to stay so we need to understand the implications and take appropriate steps to ensure we meet our compliance obligations and control risk exposure through a mixture of controls to stay ahead of the game.