A summary of the second installment of the GRC 'virtual' Supper Club trilogy (the 17th event overall), which took place on 28 May, 2020
This collaboration tool – and the remote working culture it breeds – has the potential to become the ‘new normal’ for many businesses long after the Covid-19 pandemic has been consigned to history. But what about the potential risks?
With this in mind, we decided to ask our three esteemed speakers: will companies start to embrace the ‘Zoom’ work culture and how will this impact their risk environment?
Stelios Valtzis – Group CISO, SaarGummi Automotive Group
The concept of remote working is often hamstrung by a lack of cybersecurity knowledge and experience amongst the workforce, for whom a normal working day previously meant going into the office. The Covid-19 pandemic has forced organisational change – most notably homeworking at scale – in a rapid and often unstructured way, opening the door to cybercriminals.
These ‘bad guys’ prey on uncertainty. So, imagine their delight when overnight millions of people who had never worked from home before were suddenly forced to do so full-time. In April, Google reported they had captured 18 million phishing emails in one week. This was around the same time that easyJet was hacked and the personal details of 9 million customers were compromised.
To overcome these challenges, Stelios highlighted the importance of striking a balance between continuously evolving cybersecurity threats and the obvious lack of resources, while at the same time preparing the organisation for what might come. Businesses should accept that a major security incident will occur at least once and will result in a financial loss – and that Zoom culture will increase this threat.
To use cloud-based collaboration tools securely, organisations must:
Chris Phillips – CEO of The International Protect and Prepare Security Office (IPPSO)
Most people (58%) said yes. However, Chris stressed that far too many business continuity planners have failed to put sufficient measures in place, including those in the government – despite a pandemic being near the top of their list of potential threats prior to the outbreak.
How might the pandemic impact the future and what will the ‘new normal’ be? Whether it’s shopping online more than ever before or working from home full-time, the global health crisis has changed how we live our lives in the blink of an eye. Chris reinforced the notion that because criminals thrive on confusion, they will be rubbing their hands together at the opportunities enforced homeworking presents – and the potential for it to become the norm. Consequently, social engineering threats like phishing attacks could become an even greater threat than they already are.
Homeworking poses many questions in terms of a business’s duty of care. For example, when does its responsibility to remote workers begin and end during the working day? What happens if they’re working from home and suddenly require first aid? These types of issues must be addressed as soon as possible to ensure a safe and effective homeworking environment. Businesses must, therefore, provide employees with the knowledge, support and equipment required to achieve this.
Any business’s weakest point is its people. So, what about insider threats? Employees are suddenly accessing sensitive company data at home from various devices. The amount of information people can access on their PCs/laptops needs to be considered and controlled differently if working from home. The rise of homeworking could also see a shift towards remote offices, where people will be accessing sensitive data within the vicinity of people external to the organisation.
Sean Freidlin – Director of Ethics & Compliance Learning, SAI Global
Interestingly, SAI Global’s research also revealed a 50/50 split between businesses that are relying less on ethics and compliance programmes in the current climate and those that are speeding up their use of this valuable function. While this is a concern, plenty of people (58%) believe the pandemic has made their organisation stronger and is bringing its employees together, despite being apart physically.
How will the events of today impact the way regulators view our compliance programmes? It’s dangerous to assume there will be leniency or flexibility going forward. Compliance programmes shouldn’t compromise their integrity just so they can meet the challenges of the moment.
The risk posed by bribery and corruption has been elevated by the Covid-19 pandemic. People are still under pressure to perform from home. Unfortunately, some might choose to compromise their integrity and values to achieve their goals, because of a lack of oversight in the homeworking environment.
The fall-out from Covid-19 has meant teams are being reduced in size, budgets are being slashed and investments in technology are being paused – but the risks still exist. These conditions mustn’t compromise the hard work that has gone into developing and implementing strong anti-bribery and corruption programmes. By using Covid-19 as an excuse to pause these efforts, businesses will expose themselves to increased risk.
Ethics and compliance programmes must focus on data privacy: training, awareness, relaying best practices and reframing them from a homeworking context. The decisions that organisations make today will impact their culture for months or years to come.
The usual three-course meal might have been off the menu, but there was plenty of food for thought.