Remote-Work & Bring-Your-Own-Device: Cyber Risk Management and Business Continuity
REMOTE DELIVERY OPTION AVAILABLE
75% of cyber attacks are directed at remote workers. Act now to protect your organisation!
Summary
• Covid-19 is now a global pandemic. Governments are instructing organisations to protect staff by letting them work from home. 71% of organisations worldwide are likely to struggle due to the lack of tried and tested Remote-Work and Bring-Your-Own-Device (BYOD) policies.*
• Covid-19-themed ransomware, social engineering attacks and email scams have already caused large-scale denial of service and data breaches over the last few weeks, because attackers concentrate their efforts on major global events for maximum effect.** These are just the tip of the iceberg. Research shows that it takes organisations an average of 6 months to realise they have been breached, and that the average cost of a breach is $3.9m excluding compliance fines.¤
• Staff working from home, often using personal devices and networks such as mobile phones and home Wi-Fi, are suddenly exposing their clients, users and companies to new information-security and business-continuity risks that they might be unaware of. Around 60% of organisations report cyber security incidents following the introduction of Remote-Work and BYOD policies.¤¤
• Many organisations are likely to miss the opportunities that the Covid-19 situation presents. A well-planned short-term emergency response can be leveraged to develop long-term assets: improved cybersecurity and compliance controls, robust future-of-work Remote-Work and BYOD policies, better training and awareness, and a Business Continuity/Pandemic Response strategy.
*United States Bureau of Labor Statistics, **cybereason, ¤IBM/Ponemon Institute, ¤¤InfoSecurity Magazine
What has changed with Covid-19?
[Figure: typical organisation before Covid-19 (on-site) and after (hybrid or 100% remote). The total surface to protect has expanded. Targeted hacker activity up 500%+ since Covid-19.]
Something to think about: when was the last time you changed the password on your home router?

If you think that providing your employees with company laptops and mobile phones, with locked-down hardware and software, will stop them from bringing their own devices (BYOD), and new threats, into your business environment, then you might be unaware of risks like the one illustrated above. Your home router, private Wi-Fi, printer, scanner, other smart devices and Internet of Things (IoT) devices are also directly or indirectly connected to your company devices. Often they can monitor or access confidential corporate data moving across your home network. Remote work without BYOD is rare.

It is always useful to see things in their proper context. Under 10% of users ever change the default password on their home router, which is trivially guessable, or update the router's firmware.* Also, 95% of successful cyberattacks involve human error, innocent or otherwise.** A recent Gartner survey found that up to 74% of organisations worldwide expect to move at least some of their previously on-site employees to permanently remote positions after the pandemic.*** If this is the "new normal", then risks like the one above are only a small sample of what your organisation might be facing today and in the future.
*Bleeping Computer | **IBM/Ponemon Institute | ***Gartner CFO Survey, April 3, 2020
The Remote-Work Threat Model

Distributing employees across geographies could expose organisations to new business and compliance risks around employee safety, client-facing services and confidential data.

Threats to your organisation's Remote-Work strategy can be summarised broadly as follows (the six STRIDE threat categories, each with its targets and a real-world example):

THREAT: Spoofing
TARGETS: process, file name, machine, person, role
REAL RISK: Emails about Covid-19, pretending to be from co-workers or organisations like the WHO, that try to trick users into opening links or infected files and steal user credentials, are on the rise.*

THREAT: Tampering
TARGETS: data, code, links, logs, network, configurations
REAL RISK: Coronavirus Android ransomware, posing as a Covid-19 tracking app, locks users out of their mobile devices and often also modifies, steals or deletes the data on them.**

THREAT: Repudiation
TARGETS: logs, actions, incidents, events, liability
REAL RISK: Over 70% of corporate executives believe the risk of insider threat increases with remote work.*** Without evidence of wrongdoing, culprits often go undetected or unpunished.

THREAT: Information disclosure
TARGETS: data, metadata, financials, trade secrets
REAL RISK: The Win32.Bolik.2 Trojan, hidden in VPN software downloaded from legitimate-looking fake websites promoting Covid-19 remote-work tools, intercepts data flows, hardware configurations, user information and keystrokes.¤

THREAT: Denial of service
TARGETS: data flows, services, critical processes
REAL RISK: The US Department of Health and Human Services recently suffered a denial-of-service attack aimed at slowing client-facing systems by overloading them with traffic.¤¤ Full impact unknown.

THREAT: Elevation of privilege
TARGETS: networks, access management, devices, IoT
REAL RISK: In the midst of the Covid-19 crisis, millions of Dell PCs were found to have a bug that could allow unprivileged users to gain administrator-level access to the devices.¤¤¤

*bleepingcomputer, **techrepublic, ***shred-it, ¤cyware, ¤¤cnet, ¤¤¤the register
Major Risks and Opportunities

Are you a small or medium-sized organisation that relies heavily on centralised business and IT infrastructure? Or a large organisation with many critical Tier 1 and Tier 2 suppliers who have a lot of remote workers? Perhaps you are a medium-to-large or large company with hundreds or thousands of remote workers?

If so, have you already considered the following top five business risks and opportunities from remote work?

TOP FIVE RISKS
1. DATA LOSS AND BREACHES
2. EXTORTION AND RANSOMWARE
3. ACCESS TO CLIENT-FACING SERVICES BLOCKED
4. SOCIAL ENGINEERING
5. INSIDER THREATS

OPPORTUNITIES
1. IMPROVED SECURITY
2. COST-EFFECTIVE BYOD POLICY
3. COST-EFFECTIVE REMOTE-WORK POLICY
4. IT BUSINESS CONTINUITY PLAN
5. TRAINING & AWARENESS
Your weekly Covid-19 Strategic Checklist (areas where Experis can support you)

1. Proactively and clearly communicate your organisation's:
• Employee-first business strategy
• Business Continuity Plan
• Remote-Work policy
• Bring-Your-Own-Device (BYOD) policy
2. Identify critical business functions and roles.
3. Define a clear budget and ring-fence its funding.
4. Manage risks by evaluating:
• Remote-Work and BYOD cybersecurity and business impact
• Tolerance levels and mitigation controls
• Regulatory compliance impact
5. Preserve contractual, legal and regulatory obligations.
6. Protect your core supply chain.
7. Engage in relevant creative marketing: can your product or service solve any aspect of Covid-19?
8. Iterate: Stop. Measure. Assess. Pivot. Restart from item 1 above.
How Experis can secure your organisation

We have developed simple and effective solutions for helping you overcome the remote-work cybersecurity challenge strategically, without negatively impacting business performance.

Our services are:
SWIFT. Quick and visible results.
EFFECTIVE. Mitigate most Remote-Work & BYOD risks.
COST-EFFICIENT. Very convenient, cost-efficient options.
UNCOMPLICATED. Light services. Minimal business impact.
REALISTIC. D-I-Y and remote delivery options available.
END-TO-END. Practical services with practical deliverables.
DYNAMIC. Available immediately. Agile. Scalable.
Remote-work Cyber Risk Management options

SMALL COMPANIES (below 250 employees | ideal for below 50 employees): D-I-Y PACKAGE
SMALL-MEDIUM COMPANIES (below 250 employees): 5-DAY SERVICE
MEDIUM AND LARGE COMPANIES (above 250 employees): TAILORED SERVICE+ and SUPPLY-CHAIN RESILIENCY SERVICE
The D-I-Y Package
D-I-Y Remote-Work CYBER RISK MANAGEMENT PACKAGE
Below 250 employees | Ideal for below 50 employees

How it works:
1. Client purchases package.
2. Client receives package.
3. Client conducts self-assessment and implementation activities at own pace.

Remote-Work Cyber Assessment & Implementation Documentation:
• Staff Training Deck
• 10 Things to Do Poster
• 10 Things to Avoid Poster
• Risk Mitigation Guide
• Damage Control and Disaster Recovery Action Sheet
• Boilerplate policies: Remote-Work Policy, BYOD Policy, Business Continuity & Pandemic Response Policy

Remote-Work Cyber Assessment & Implementation Tools:
• Top-Down Cyber Readiness Gap Analysis, Implementation and Tracking Tool
• Bottom-Up Work-flow Disruption Assessment, Implementation and Tracking Toolset, one tool per business function: Accounting & Finance, HR, IT, Legal, Production, Purchasing, Sales

Tutorials:
• Videos
• Printable/digital documents (PDF)

Assessment and support:
• 2 links to cybersecurity quizzes (pre- and post-assessment), based on an analysis of the 25 most successful remote-work cyberattacks
• Staff remote-work cyber-readiness status and improvement report: after the client uses both quizzes, we provide a statistical report based on the quiz results
• Access to 10 hours of customer service via our ticketing desk
• 1 year of updates to the documentation and tools provided (based on R&D)

Options:
• The client may extend customer support hours by purchasing additional credits.
• The client may engage our remote or on-site consultants for further support, especially during implementation. A separate quotation will be sent for such services.
The 5-Day Service
5-Day Remote-Work CYBER RISK MANAGEMENT SERVICE
Below 250 employees
Service delivered remotely by our consultant.

DAY 1
• Client purchases package and agrees on delivery agenda and stakeholder access.
• Top-Down Cyber-readiness Gap Analysis.
• Bottom-Up Work-flow Disruption Assessment of the Accounting & Finance, HR, IT, Legal, Production, Purchasing and Sales functions.
• Day 1 Report: Risk Analysis Report and Mitigation Strategy.

DAY 2
• Staff Cyber-readiness Quiz 1 (pre-workshop)*
• Staff Remote-Work Cybersecurity Training & Awareness Session
• Staff Cyber-readiness Quiz 2 (post-workshop)*
• Assets shared with client: Staff Training Deck, 10 Things to Do Poster, 10 Things to Avoid Poster
• Day 2 Report: Staff remote-work cyber-readiness status and improvement report
* Both quizzes are based on an analysis of the 25 most successful remote-work cyberattacks.

DAY 3
• Remote-Work & BYOD activities: Control Assessment, Risk Mitigation Strategy, Selected Risk Mitigation
• Assets shared with client: Risk Mitigation Plan and Priority List, Risk Mitigation Guide, Damage Control and Disaster Recovery Action Sheet

DAY 4
• Further Risk Mitigation Activities

DAY 5
• Quick re-assessments to measure improvements and residual risks: Top-Down Assessment, Bottom-Up Assessment, Controls Assessment
• Assets shared with the client: Top-Down Cyber-readiness Gap Analysis, Implementation & Tracking Tool; Set of 7 Bottom-Up Work-flow Disruption Assessment, Implementation & Tracking Tools; Remote-Work & BYOD Control Assessment, Implementation & Tracking Tool; Boilerplate policies: Remote-Work Policy, BYOD Policy, Business Continuity and Pandemic Response Policy
• Project Report: gaps found, mitigation achieved and residual risk mitigation strategy

NOTES: All scope limited to chosen departments and locations, and to Remote-Work and BYOD cybersecurity. All assessments and implementations aligned to standard Enterprise Risk Management frameworks (COSO and COBIT 2019) and to international standards (ISO/IEC 27001 Information Security Management and NIST SP 800-46 Telework & BYOD).
The Tailored Service
Tailored Remote-Work CYBER RISK MANAGEMENT SERVICE
Over 250 employees

Client purchases package, agrees on delivery agenda and stakeholder access schedule, and shares preliminary information and documentation ahead of the project.

Stage 1: Assessment
ASSESSMENTS: Top-Down Cyber Readiness Gap Analysis: Policies, Server-Side, Client-Side
DELIVERABLES: Stage 1 Report: Risk Analysis Report & Mitigation Strategy Part 1
MILESTONE REVIEW #1

Stage 2: Assessment
ASSESSMENTS: Bottom-Up Work-flow Disruption Assessments of the following business functions: Accounting & Finance, HR, IT, Legal, Production, Purchasing, Sales
DELIVERABLES: Stage 2 Report: Risk Analysis Report & Mitigation Strategy Part 2
MILESTONE REVIEW #2

Stage 3: Training & Awareness
ASSESSMENTS: Staff Remote-Work Cyber-readiness Pre-workshop Quiz (department/location-level)*; Staff Remote-Work Cyber-readiness Post-workshop Quiz (department/location-level)*
TRAINING & AWARENESS: Staff Remote-Work Cybersecurity Training & Awareness Workshops (department/location-level)
DELIVERABLES: Staff Training Deck; Access to quizzes for future use (Pre-Workshop Quiz, Post-Workshop Quiz); Various checklists; Various "To Do" and "To Avoid" posters for training & awareness; Stage 3 Report: Staff Remote-Work Cyber-readiness overview and Training & Awareness Strategy
MILESTONE REVIEW #3
* Both quizzes are based on an analysis of the 25 most successful remote-work cyberattacks.

Stage 4: Control Implementation
ASSESSMENTS: Remote-Work & BYOD Control Assessment
MITIGATION STRATEGY: Risk Mitigation Plan; Risk Mitigation Priority List
MITIGATION: Selected Risk Mitigation: policy-level controls and technical controls
DELIVERABLES: Selected Risk Mitigation; Remote Internal Audit Methodology; Risk Mitigation Guide (for future reference and continuous improvement); Damage Control and Disaster Recovery Action Sheet; Stage 4 Report: Full appraisal of Stage 4 control implementation activities
MILESTONE REVIEW #4

Stage 5: Progress Management & Residual Risks
ACTIVITIES: Policy customisation: Remote-Work, BYOD, Business Continuity & Pandemic Response
POST-IMPLEMENTATION ASSESSMENTS: Top-Down Cyber Readiness Gap Analysis; Bottom-Up Work-flow Disruption Assessments (Accounting & Finance, HR, IT, Legal, Production, Purchasing, Sales); Remote-Work & BYOD Control Assessment
DELIVERABLES: Top-Down Cyber-readiness Gap Analysis, Implementation and Tracking Tool; Set of 7 Bottom-Up Work-flow Disruption Assessment, Implementation & Tracking Tools; Remote-Work & BYOD Control Assessment, Implementation & Tracking Tool; Customised Remote-Work and BYOD policies (see above); Project Report: gaps found, mitigation achieved & residual risk mitigation strategy
Remote Supply Chain Risk Management
SUPPLY-CHAIN RESILIENCY SERVICE
Over 250 employees

1. DEFINE
• Define scope.
• Categorise suppliers as critical and non-critical, Tier 1 and Tier 2.
• Agree on deliverables.

2. SETUP
• Contact target suppliers.
• Set audit date.
• Agree on deliverables.

3. AUDIT
• Remotely audit selected suppliers for remote-work and BYOD cybersecurity risks.
Note: audit against international standards NIST SP 800-46 (Telework and BYOD) and ISO/IEC 27001 (Information Security).

4. INFORM CLIENT
• Present audit report and agreed deliverables.
Note: deliverables would typically include an audit report and a risk mitigation strategy.

5. INFORM SUPPLIERS
• Share individual audit findings with suppliers.
• Share risk mitigation plan.

6. RISK MITIGATION OPTIONS
• Offer Remote-Work Cyber Risk Mitigation support to affected suppliers (at suppliers' expense).
• Remote delivery possible.
Why trust Experis?

Experis was born from three established ManpowerGroup companies: Elan, Jefferson Wells and Manpower Professional. As a $23Bn, global Fortune 150 business, we are one of the world's largest HRM organisations. This pedigree assures our clients of our heritage, global presence, strength and ability to deliver projects of any size anywhere in the world.

Our management consultancy business was founded to challenge the monopoly of traditional professional services and consultancy companies, and represents 60 years of combined knowledge and experience of successfully serving clients around the world and delivering complex, global projects.

ABOUT THE REMOTE-WORK & BYOD CYBER RISK MANAGEMENT SERVICES

This is a mature service which we are repurposing for Covid-19. It is available immediately via remote delivery or in-house, travel permitting. There are various flexible options for smaller organisations, ranging from the most cost-efficient D-I-Y package to the 5-Day remote delivery service. For larger enterprises, the Tailored Service options are a "Remote-Work & BYOD Cyber Risk Mitigation service" and a "Critical and Non-Critical (Tier 1 and Tier 2) Supplier Cyber Audit for Remote-Work and BYOD risks". Our consultants are fully vetted, certified and experienced, and provide consistent delivery in local languages.

While Covid-19 needs a short-term solution, our service also aims to provide your organisation with long-term assets, in the form of improved cybersecurity and compliance controls, better training and awareness, robust Remote-Work and BYOD policies, and a Business Continuity/Pandemic Response strategy.

AWARDS (logos not reproduced): awards held for 11, 11, 11, 9, 6, 4 and 8 consecutive years respectively.
Michael Hampton, Engagement Manager

Our Engagement Manager brings global industry and market expertise and assumes overall responsibility for project planning, coordination and communication, ensuring consistent and smooth delivery while managing any challenges, processes and procedures during the engagement.

E-mail: [email protected]
Telephone: +44 (0)20 3122 0426
Mobile: +44 (0)7483 337 201
www.experis.co.uk/client-services/experis-consulting