If so much home and remote working is going on, and organisations don’t want a gap between physical and virtual security, should there be one security manager, and if the physical security manager does not have as much to do, should that single security head be the CISO (chief information security officer)? That was one of the more uncomfortable questions (for some) aired at the latest, the 59th, OSPAs thought leadership webinar this afternoon.
Chaired again by Prof Martin Gill of Perpetuity Research after a break last month, the webinar's speakers were Richard Bach – Director at Kontago; Sachin Bhatt – Senior Associate at the law firm Schillings International LLP; and, from the webinar sponsor Reliance acsn, Tarquin Follis OBE, the IT security management company’s vice-chairman.
Richard Bach, a long-time information and cyber security man, said that before the pandemic, due to more use of cloud and home working, the IT perimeter had started to blur. Over the last six to nine months, that perimeter has disappeared altogether, he argued; even in a virtual sense, a perimeter was no longer practicable. CISOs needed to view this challenge in a new way, yet with the same principles as before: where are the assets being protected, and what are they? How are vulnerabilities to the outside world managed, when much of the estate is now remote?
As he and other speakers pointed out, employers are asking staff to work from their living rooms, perhaps a laptop on a kitchen table; perhaps the same device being used for home schooling, or for online shopping, or any other use.
Sachin Bhatt referred to the pace of change, and the process of adapting to remote working thrust upon organisations, ‘by existential factors’. Whereas in a physical office the CISO had sight of most of the controls, he suggested that there is now ‘a new battleground of challenges for the CISO, where the home has become an extension of the office, but they [CISOs] have no control or very little control in the sense of devices, the network infrastructure connecting, and what users can and can’t do’.
He queried how much due diligence was carried out when organisations quickly adapted to the need for home working during lockdown, by buying equipment. While that was not to say that due diligence had been needed, this would require a stock-take, for the longer-term security required.
He and other speakers spoke of human risks – not so much of malicious insiders, who are few in number, but of employees – possibly through poor mental health – making errors of judgement, by accident or through haste, and not feeling as able to report them to a CISO or IT department as they might in a physical office where colleagues were nearby. In an office, an employee might be able to turn to a colleague to query a suspicious email before clicking on a phishing email.
Tarquin Follis of Reliance recalled that in the move six months ago to home working, most companies’ emphasis was on making sure their businesses could work, and on sorting out the security issues afterwards. Cyber-criminals such as fraudsters saw the opportunity; hence significant rises in ransomware, email compromises leading to push-payment fraud, and scams. He agreed with Richard Bach that the IT security perimeter ‘has evaporated’. The front line is now the server, router or modem in the home; and the ‘bring your own device’ (BYOD) of an employee, whose user security might not be up to the level of the organisation’s.
Martin Gill provocatively asked if home working might prove to be an unmitigated disaster for fraud and insider threats, on a scale only to be seen later. The speakers doubted that; Richard Bach, for example, said that hopefully 2021 would see an equilibrium struck of those returning to the office, and a ‘much more mixed economy’ of working. That was not to say – as Tarquin Follis noted – that organisations were not worrying about their data and how well it’s looked after, as it’s easier to monitor in an office. Sachin Bhatt agreed that while ‘we are stuck for now’ in working from home, next year will see a ‘transition to some sort of hybrid office’.
The next OSPAs webinar, free to attend after registering, is on Thursday, October 8, about secured by design, with an Australian-British line-up of speakers: Bruce Braes – Head of Security Consulting at Buro Happold; Greg Howlett – Director at Cox Group Architects and Planners; Michael Brooke – Head of Operational Services at Police Crime Prevention Initiatives (PCPI) and Mark Hainsworth – Director at Cox Group Architects and Planners. Visit https://theospas.com/thought-leadership-webinars/.
Later webinars will cover investigations on October 13, including Gerald Moor, Chief Executive Officer at Inkerman Private Clients; and security and business on October 15; and ‘what’s in a name: security officer or security guard’, on October 20.
You can recap on past webinars at https://theospas.com/recap-the-thought-leadership-webinars/.