The radical and unexpected 2020 pandemic has likely forever changed the IT and data security requirements for Western Australian businesses, particularly small to medium enterprises and not-for-profits. The rush in 2020 to adapt to all or most employees working from home during the initial COVID-19 lockdown caught businesses by surprise.
In the early days, and even now, organisations that did not have their own stock of laptops and other hardware had to rely on their employees to make a judgement call on whether their home computers were adequately protected.
It was like a reverse hard border for IT. The firewall was down for businesses, with heightened exposure to computer viruses and an increased reliance on public data sharing apps and tools to distribute company information.
Do an audit, because the landscape has changed:
- Where are your users working now?
- Where is your data stored now?
- How is your data transferred now?
These are all questions which have renewed gravitas.
The COVID experience has also resulted in long-term behavioural change, with employers and employees embracing the flexibility of a work-from-home workforce. Businesses have had to change the way they design their IT systems to make them both accessible and, at the same time, more secure.
Now, more than ever, it is important for organisations to:
- Have a robust password policy which enforces strong passwords internally and builds a password strength culture.
- Enforce two-factor logins as often as possible, especially when working from home.
- Have secure file transfer systems and educate staff on the valid storage locations for the business.
- Carry out regular cyber awareness training and even conduct ethical phishing to help staff understand where attacks will come from.
- Back up data often and secure the backups.
Employees are an organisation’s greatest asset, but when it comes to IT security their behaviour is the most likely cause of a hack. The OAIC annual report (January – June 2020) states that “Human error” still accounts for 34% of notifiable data breaches.
All companies, not just those with rich revenue streams, need to concentrate on their staff and empower them to be extra vigilant and notify their IT teams of any inconsistencies or any unusual behaviour in their dealings with anything IT.
The pandemic has also provided fertile ground for scammers and hackers trying to capitalise on community anxiety by disguising their attacks as fake COVID-19 updates and information on hot-button issues like a potential vaccine. Businesses need to regularly test the threat level they face and should look at tools such as ethical phishing to identify how susceptible their employees are to opening or sharing scams and spyware.