On Monday 19th October CIISec Nottingham, Derby, Leicester Branch collaborated with BCS Nottingham Derby to host a virtual event, “How Covid-19 infected Information Security”. The event was well attended by 64 security professionals from both organisations.
Prior to the main event, the chairs, Paul Stevens from BCS and Colin Robbins from CIISec, introduced their respective branches, including member benefits and membership information.
The Covid-19 pandemic has turned many business operational models on their heads, with many workers required to work remotely. This has resulted in many changes in working practices and has required information security professionals to consider and monitor the compromises made to the security controls that enforce company security policies. The change in working practices has also exposed weaknesses and gaps in the technology landscape.
The event discussed observations and experiences from a panel of information security professionals. Each speaker discussed their professional experience of navigating their organisations through the pandemic and shared some great insights and takeaways of lessons learnt.
The speakers for the event were:
David Alexander MSc SABSA LCCP SIRA IA FBCS FCIIS - Senior Security Architect at Urenco and co-author of “Information Security Management Principles”.
Tony Smith MCIIS - Cyber Security Manager at Wilko; an information security professional with over 20 years’ experience in both the public and private sectors.
Matt Mason CISSP CCSP MBCS - Technical Services Manager at Nottingham Trent University, whose responsibilities include Systems and Infrastructure Management, Data Protection, Cyber & Cloud Security and Provision.
Darren James - Head of Internal IT and Technical Lead at Specops Software, with over 20 years’ experience in IT, specialising in Active Directory, Azure AD and Group Policy.
Even though each speaker has worked through the same pandemic, it was interesting to note that each experience was very different.
David Alexander began by discussing the planning process, lessons learned and operational experiences from the last 7 months. David was part of the Urenco Covid-19 planning team that developed their strategy, policy and process for moving to working from home in a safe and secure way, adding that this work had actually started in January 2020.
David and Urenco had a comprehensive plan in place, following a Plan > Test > Review > Update approach. He heavily emphasised the importance of following this approach with each stage holding its own significance.
He also stressed the importance of testing any plans that had been developed, as this would highlight any inconsistencies that would need to be rectified as part of lessons learnt. David gave previous examples of where plans had been tested, such as the Bird Flu and MERS outbreaks. He highlighted that there is no substitute for experience, but on the occasions where things do not go to plan, teams need the confidence and ability to make decisions when required, and prior planning and testing will enable organisations to do that.
David also discussed the business impact assessment for Covid-19, including the actions the business needed to take: the HR perspective of staff wellbeing, proactive conversations with clients to keep them updated on business matters, and dealing with regulators, not only in the UK but also across the world. Communication was and still is key, with regular reviews being carried out throughout the duration. Concluding his presentation, David advocated that by using the plans they had carefully constructed, Urenco was able to maintain a Business As Usual approach throughout the pandemic.
Tony Smith spoke about the experience of an information security professional during the Covid-19 pandemic.
He talked about how after the first confirmed case in the UK, there was already plenty of discussion within the office about working from home and whether the existing infrastructure was going to be able to cope with this change to the ways of working.
Tony also discussed his approach from the governance perspective, particularly around the existing information security policies that were in place and, again, the assessment of whether they were fit for purpose for the imminent change to the workforce. He also talked about the changes he had to make with regard to the introduction of a new unified acceptable use policy that covered working from home, whether using company-owned equipment or BYOD.
Tony concluded that Covid-19 had infected their information security, but it survived, with plenty of lessons learnt.
Matt Mason’s talk, “Pulling the university from its roots in 48 hours”, shared lessons learnt. Prior to Covid-19, NTU’s systems were mainly on-campus, and it was no easy task to provide 34,000 students and 4,000 staff with remote learning and working capability, in addition to managing the inherent security implications.
Matt explained that there was a huge shift in attitude for what was a traditional university, suddenly evolving to an online model in order to deliver teaching to all students whilst having to make the necessary changes within a 48-hour period. Although the university had contingency plans in place, they were based on some form of teaching still being held on campus, so new plans had to be drawn up in order to deliver a service and protect the information security of the university.
Matt discussed some of the concessions to existing policies that had to be made in order to facilitate this rapid change to the new ways of working, as the majority of those policies did not allow for it. Fortunately, Matt and the rest of the staff were able to use the Easter holiday period as additional time to make further adjustments. He concluded his presentation by acknowledging that there were many lessons learnt, but also that the pandemic has, to an extent, changed the way we will study and work forever.
Darren James discussed the challenges of working from home and gave some great insight into how we can adapt, addressing key questions such as: do we have the kit? How do users access data? How do we support users? How do we support our network?
Darren himself has been home-based for the last 10 years, so the transition to home working hasn’t impacted him personally. However, he offered some great takeaways whilst discussing the challenges faced by many of his clients, from a security software vendor’s perspective, and how he has worked with them to turn these into opportunities.
He talked about some of the issues that were experienced, such as changing passwords, what happens when they expire, and whether organisations are providing options for self-support or self-service. He discussed threats such as phishing, social engineering and theft, and the importance of providing education and software to users to help mitigate threats in their new working environments.
Darren also spoke about how his company was able to offer some of its existing toolsets to businesses free of charge to help with their transition to remote working and to ensure infrastructure security was maintained. He concluded his presentation by focusing on the possible opportunities Covid-19 has presented: Cloud adoption is now more important than ever, we must look at security in depth, and finally we must change in order to survive.
The key takeaway that all the presentations illustrated was that, although they had all experienced the same threat, there were very different experiences and approaches. If 2020 has shown us anything as professionals, it is that our readiness for any type of threat to our organisations will be measured by our willingness to be both proactive and reactive. We need to ensure a continual cycle of testing plans for their efficiency and incorporating lessons learnt. Our comeback rate from attacks and challenges will determine our resilience in the ever-growing and ever-challenging threat landscape.
Author Bio – Dawn O'Connor
Dawn O’Connor is an associate of Nexor with an extensive business background across different market sectors including retail, local and central government and law enforcement. She is a member of the Chartered Institute of Information Security and co-chairs the Nottingham/Derby/Leicester Branch. Dawn holds the Certificate in Information Security Principles and the ISO 27001 Foundation certification.