
Remote-Work & Bring-Your-Own-Device… · 11/05/2020 · The D-I-Y Package: D-I-Y Remote-Work Cyber Risk Management Package. Remote-Work Cyber Assessment & Implementation Documentation

Jul 27, 2020


Remote-Work & Bring-Your-Own-Device: Cyber Risk Management and Business Continuity REMOTE DELIVERY OPTION AVAILABLE

75% of cyber attacks are directed at remote-workers. Act now to protect your organisation!


Summary

• Covid-19 is now a global pandemic. Governments are instructing organisations to protect staff by letting them work from home. 71% of organisations worldwide are likely to struggle because they lack tried and tested Remote-Work and Bring-Your-Own-Device (BYOD) policies.*

• Covid-19-themed ransomware, social engineering attacks and email scams have already caused large-scale denial of service and data breaches over the last few weeks; attackers concentrate their efforts on major global events for maximum effect.** These are just the tip of the iceberg. Research shows that it takes organisations an average of six months to realise they have been breached, and the average cost of a breach is $3.9m, excluding compliance fines.¤

• Staff working from home, often relying on personal equipment such as home Wi-Fi routers and mobile phones, are suddenly exposing their clients, users and companies to new information and business continuity risks that they may be unaware of. Around 60% of organisations report cyber security incidents following the introduction of Remote-Work and BYOD policies.¤¤

• Many organisations are likely to miss the opportunities that the Covid-19 situation presents. A well-planned short-term emergency response can be leveraged to build long-term assets: improved cybersecurity and compliance controls, robust future-of-work Remote-Work and BYOD policies, better training and awareness, and a Business Continuity/Pandemic Response strategy.

Sources: * United States Bureau of Labor Statistics; ** Cybereason; ¤ IBM/Ponemon Institute; ¤¤ Infosecurity Magazine

Remote-Work & Bring-Your-Own-Device: Cyber Risk Management


What has changed with Covid-19?

[Figure: total surface to protect for a typical organisation before and after Covid-19, across on-site, hybrid and 100% remote working. Caption: targeted hacker activity up 500%+ since Covid-19.]


When was the last time you changed the password on your home router?


Something to think about

If you think that providing your employees with company laptops and mobile phones, with locked-down hardware and software, will stop them from bringing their own devices (BYOD), and new threats, into your business environment, then you might be unaware of risks like the one illustrated above. Your home router, private Wi-Fi, printer, scanner, other smart devices and Internet of Things (IoT) devices are also directly or indirectly connected to your company devices. Often they can monitor or access confidential corporate data moving within your home. Remote-work without BYOD is rare.

It is always interesting to see things in their proper context. Under 10% of users ever change the instantly hackable default password on their home router, or update the router firmware.* Also, 95% of successful cyberattacks arise from human error, innocent or otherwise.** A recent Gartner survey found that up to 74% of organisations worldwide plan to move at least some of their previously on-site employees to permanently remote positions after the pandemic.*** If this is the “new normal”, then risks like the one above are only a small sample of what your organisation might be facing today and in the future.

Sources: * Bleeping Computer; ** IBM/Ponemon Institute; *** Gartner CFO Survey, April 3, 2020


Distributing employees across geographies can expose organisations to new business and compliance risks around employee safety, client-facing services and confidential data.

Threats to your organisation’s Remote-Work Strategy can be summarised broadly as follows, using the six STRIDE threat categories:

The Remote-Work Threat Model

THREATS | TARGETS | REAL RISKS

Spoofing | process, file name, machine, person, role | Emails about Covid-19, pretending to be from co-workers or from organisations such as the WHO, that try to trick users into opening links or infected files and steal user credentials are on the rise.*

Tampering | data, code, links, logs, network, configurations | Coronavirus Android ransomware, posing as a Covid-19 tracking app, locks users out of their mobile devices and often also modifies, steals or deletes the data on them.**

Repudiating | logs, actions, incidents, events, liability | Over 70% of corporate executives believe the risk of insider threat increases with remote-work.*** In the absence of evidence of wrongdoing, the culprits often go undetected or unpunished.

Disclosing Information | data, metadata, financials, trade secrets | The Win32.Bolik.2 Trojan, hidden in VPN software downloaded from legitimate-looking fake websites promoting Covid-19 remote-work tools, intercepts data flows, hardware configurations, user information and keystrokes.¤

Denying a Service | data flows, services, critical processes | The US Department of Health and Human Services recently suffered a denial of service attack aimed at slowing client-facing systems by overloading them with traffic.¤¤ Full impact unknown.

Elevating Privileges | networks, access management, devices, IoT | In the midst of the Covid-19 crisis, millions of Dell PCs were found to have a bug that could allow unprivileged users to gain administrator-level access to the devices.¤¤¤

Sources: * Bleeping Computer; ** TechRepublic; *** Shred-it; ¤ Cyware; ¤¤ CNET; ¤¤¤ The Register


Major Risks and Opportunities

Are you a small or medium-sized organisation that relies heavily on centralised business and IT infrastructure?

Or are you a large organisation with many critical Tier 1 and Tier 2 suppliers who have a lot of remote-workers?

Perhaps you are a medium-large or large company with hundreds or thousands of remote-workers?

If so, have you already considered the following Top 5 Business Risks and Opportunities from Remote-work?

TOP FIVE RISKS
1. DATA LOSS AND BREACHES
2. EXTORTION AND RANSOMWARE
3. ACCESS TO CLIENT-FACING SERVICES BLOCKED
4. SOCIAL ENGINEERING
5. INSIDER THREATS

OPPORTUNITIES
1. IMPROVED SECURITY
2. COST-EFFECTIVE BYOD POLICY
3. COST-EFFECTIVE REMOTE-WORK POLICY
4. IT BUSINESS CONTINUITY PLAN
5. TRAINING & AWARENESS


Your weekly Covid-19 Strategic Checklist

AREAS WHERE EXPERIS CAN SUPPORT YOU

1. Proactively and clearly communicating your organisation’s:
• Employee-first business strategy
• Business Continuity Plan
• Remote-Work policy
• Bring-Your-Own-Device (BYOD) policy
2. Identifying critical business functions and roles
3. Defining a clear budget and locking off funding
4. Managing risks by evaluating:
• Remote-Work and BYOD cybersecurity and business impact
• Tolerance levels and mitigation controls
• Regulatory compliance impact
5. Preserving contractual, legal and regulatory obligations
6. Protecting your core supply chain
7. Engaging in relevant creative marketing: can your product or service solve any aspect of Covid-19?
8. Iterating: Stop. Measure. Assess. Pivot. Restart from item #1 above.


How Experis can secure your organisation

We have developed simple and effective solutions to help you overcome the remote-work cybersecurity challenge strategically, without negatively impacting business performance.

Our services aim to leave you:

SWIFT. Quick and visible results.
EFFECTIVE. Mitigate most Remote-Work & BYOD risks.
COST-EFFICIENT. Very convenient, cost-efficient options.
UNCOMPLICATED. Light services. Minimal business impact.
REALISTIC. D-I-Y and remote delivery options available.
END-TO-END. Practical services with practical deliverables.
DYNAMIC. Available immediately. Agile. Scalable.


Remote-work Cyber Risk Management options

SMALL COMPANIES (below 250 employees; ideal for below 50 employees): D-I-Y PACKAGE
SMALL-MEDIUM COMPANIES (below 250 employees): 5-DAY SERVICE
MEDIUM AND LARGE COMPANIES (above 250 employees): TAILORED SERVICE+ and SUPPLY-CHAIN RESILIENCY SERVICE


The D-I-Y Package

D-I-Y Remote-Work CYBER RISK MANAGEMENT PACKAGE (below 250 employees; ideal for below 50 employees)

Remote-Work Cyber Assessment & Implementation Documentation:
• Staff Training Deck
• 10 Things to Do Poster
• 10 Things to Avoid Poster
• Risk Mitigation Guide
• Damage Control and Disaster Recovery Action Sheet
• Boilerplate policies: Remote-Work Policy; BYOD Policy; Business Continuity & Pandemic Response Policy

Remote-Work Cyber Assessment & Implementation Tools:
• Top-Down Cyber Readiness Gap Analysis, Implementation and Tracking Tool
• Bottom-Up Work-flow Disruption Assessment, Implementation and Tracking Toolset, covering the Accounting & Finance, HR, IT, Legal, Production, Purchasing and Sales functions
• Tutorials: videos and printable/digital documents (PDF)
• 2 links to a cybersecurity quiz (pre- and post-assessment), based on an analysis of the 25 most successful remote-work cyberattacks
• Access to 10 hours of customer service via our ticketing desk
• 1 year of updates to the documentation and tools provided (based on R&D)

Process:
1. Client purchases package.
2. Client receives package.
3. Client conducts self-assessment and implementation activities at own pace.
4. Staff remote-work cyber-readiness status and improvement report: after the client uses both quizzes (pre- and post-assessment), we provide a statistical report based on the quiz results.

Options:
• The client may extend customer support hours by purchasing additional credits.
• The client may engage our remote or on-site consultants for further support, especially during implementation. A separate quotation will be sent for such services.


The 5-Day Service

5-Day Remote-Work CYBER RISK MANAGEMENT SERVICE (below 250 employees). Service delivered remotely by our consultant.

Before delivery: Client purchases package and agrees on delivery agenda and stakeholder access.

DAY 1
• Top-Down Cyber-readiness Gap Analysis
• Bottom-Up Work-flow Disruption Assessment: Accounting & Finance, HR, IT, Legal, Production, Purchasing and Sales functions
• Day 1 Report: Risk Analysis Report and Mitigation Strategy

DAY 2
• Staff Cyber-readiness Quiz 1 (pre-workshop)*
• Staff Remote-Work Cybersecurity Training & Awareness Session
• Staff Cyber-readiness Quiz 2 (post-workshop)*
• Assets shared with client: Staff Training Deck; 10 Things to Do Poster; 10 Things to Avoid Poster
• Day 2 Report: Staff remote-work cyber-readiness status and improvement report

DAYS 3 TO 5
• Remote-Work & BYOD activities: Control Assessment; Risk Mitigation Strategy; Selected Risk Mitigation
• Assets shared with the client: Risk Mitigation Plan and Priority List; Risk Mitigation Guide; Damage Control and Disaster Recovery Action Sheet
• Further Risk Mitigation Activities
• Quick re-assessments to measure improvements and residual risks: Top-Down Assessment; Bottom-Up Assessment; Controls Assessment
• Assets shared with the client: Top-Down Cyber-readiness Gap Analysis, Implementation & Tracking Tool; Set of 7 Bottom-Up Work-flow Disruption Assessment, Implementation & Tracking Tools; Remote-Work & BYOD Control Assessment, Implementation & Tracking Tool; Boilerplate policies (Remote-Work Policy; BYOD Policy; Business Continuity and Pandemic Response Policy)
• Project Report: with gaps found, mitigation achieved and residual risk mitigation strategy

* Both quizzes are based on an analysis of the 25 most successful remote-work cyberattacks.


NOTES: All scope is limited to the chosen departments and locations, and to Remote-Work and BYOD cybersecurity. All assessments and implementations are aligned to standard Enterprise Risk Management frameworks (COSO and COBIT 2019) and to international standards (ISO/IEC 27001 Information Security Management and NIST SP 800-46 Telework & BYOD).

The Tailored Service

Tailored Remote-Work CYBER RISK MANAGEMENT SERVICE (over 250 employees)

Before the project: Client purchases package. Client agrees on delivery agenda and stakeholder access schedule. Client shares preliminary information and documentation ahead of the project.

Stage 1: Assessment
ASSESSMENTS: Top-Down Cyber Readiness Gap Analysis: Policies; Server-Side; Client-Side
DELIVERABLES: Stage 1 Report: Risk Analysis Report & Mitigation Strategy Part 1
MILESTONE REVIEW #1

Stage 2: Assessment
ASSESSMENTS: Bottom-Up Work-flow Disruption Assessments of the following business functions: Accounting & Finance, HR, IT, Legal, Production, Purchasing, Sales
DELIVERABLES: Stage 2 Report: Risk Analysis Report & Mitigation Strategy Part 2
MILESTONE REVIEW #2

Stage 3: Training & Awareness
ASSESSMENTS: Staff Remote-Work Cyber-readiness Pre-workshop Quiz (department/location-level)*; Staff Remote-Work Cyber-readiness Post-workshop Quiz (department/location-level)*
TRAINING & AWARENESS: Staff Remote-Work Cybersecurity Training & Awareness Workshops (department/location-level)
DELIVERABLES: Staff Training Deck; access to the quizzes for future use (Pre-Workshop Quiz; Post-Workshop Quiz); various checklists; various “To Do” and “To Avoid” posters for training & awareness; Stage 3 Report: Staff Remote-Work Cyber-readiness overview and Training & Awareness Strategy
MILESTONE REVIEW #3
* Both quizzes are based on an analysis of the 25 most successful remote-work cyberattacks.

Stage 4: Control Implementation
ASSESSMENTS: Remote-Work & BYOD Control Assessment
MITIGATION STRATEGY: Risk Mitigation Plan; Risk Mitigation Priority List
MITIGATION: Selected Risk Mitigation: policy-level controls; technical controls
DELIVERABLES: Selected Risk Mitigation; Remote Internal Audit Methodology; Risk Mitigation Guide (for future reference and continuous improvement); Damage Control and Disaster Recovery Action Sheet; Stage 4 Report: full appraisal of Stage 4 control implementation activities
MILESTONE REVIEW #4

Stage 5: Progress Management & Residual Risks
ACTIVITIES: Policy customisation: Remote-Work; BYOD; Business Continuity & Pandemic Response
POST-IMPLEMENTATION ASSESSMENTS: Top-Down Cyber Readiness Gap Analysis; Bottom-Up Work-flow Disruption Assessments (Accounting & Finance, HR, IT, Legal, Production, Purchasing, Sales); Remote-Work & BYOD Control Assessment
DELIVERABLES: Top-Down Cyber-readiness Gap Analysis, Implementation and Tracking Tool; Set of 7 Bottom-Up Work-flow Disruption Assessment, Implementation & Tracking Tools; Remote-Work & BYOD Control Assessment, Implementation & Tracking Tool; Customised Remote-Work and BYOD policies (see above); Project Report: with gaps found, mitigation achieved & residual risk mitigation strategy


Remote Supply Chain Risk Management (over 250 employees)

1. DEFINE
• Define scope.
• Categorise suppliers as critical and non-critical Tier 1 and Tier 2.
• Agree on deliverables.

2. SETUP
• Contact target suppliers.
• Set audit date.
• Agree on deliverables.

3. AUDIT
• Remotely audit selected suppliers for remote-work and BYOD cybersecurity risks. Note: audit against international standards NIST SP 800-46 (Telework and BYOD) and ISO/IEC 27001 (Information Security).

4. INFORM CLIENT
• Present audit report and agreed deliverables. Note: deliverables would typically include an audit report and a risk mitigation strategy.

5. INFORM SUPPLIERS
• Share individual audit findings with suppliers.
• Share Risk Mitigation plan.

6. RISK MITIGATION OPTIONS
• Offer Remote-Work Cyber Risk Mitigation support to affected suppliers (at suppliers’ expense).
• Remote delivery possible.


Why trust Experis?

Experis was born from three established ManpowerGroup companies: Elan, Jefferson Wells and Manpower Professional. As a $23Bn, global Fortune 150 business, we are one of the world’s largest HRM organisations. This pedigree assures our clients of our heritage, global presence, strength and ability to deliver projects of any size anywhere in the world.

Our management consultancy business was founded to challenge the monopoly of traditional professional services and consultancy companies and represents 60 years of combined knowledge and experience of successfully serving clients around the world and delivering complex, global projects.

ABOUT THE REMOTE-WORK & BYOD CYBER RISK MANAGEMENT SERVICES

This is a mature service which we are repurposing for Covid-19. It is available immediately via remote delivery or in-house, travel permitting. There are various flexible options available for smaller organisations, ranging from the most cost-efficient D-I-Y package to the 5-Day remote delivery service. For larger enterprises, there are the Tailored Service options: a “Remote-Work & BYOD Cyber Risk Mitigation service” and a “Critical and Non-Critical (Tier 1 and Tier 2) Supplier Cyber Audit for Remote-Work and BYOD risks”. Our consultants are fully vetted, certified and experienced, and provide consistent delivery in local languages.

While Covid-19 needs a short-term solution, our service also aims to provide your organisation with long-term assets, in the form of improved cybersecurity and compliance controls, better training and awareness, robust Remote-Work and BYOD policies, and a Business Continuity/Pandemic Response strategy.

AWARDS: [Seven award logos, not reproduced; captions read 11th, 11th, 11th, 9th, 6th, 4th and 8th consecutive year.]


Michael Hampton, Engagement Manager

Our Engagement Manager provides global industry and market expertise and assumes overall responsibility for project planning and coordination, ensuring consistent and smooth delivery and communication while managing any challenges, processes and procedures during the engagement.

E-mail: [email protected] | Tel: +44 (0)20 3122 0426 | Mobile: +44 (0)7483 337 201

www.experis.co.uk/client-services/experis-consulting