The last 18 months have seen every company in the world having to make big changes to their ways of working in order to adapt to lockdowns, travel restrictions, and increased Zoom meetings that have come from a global pandemic – Lineup included. Most office-based roles had to shift very quickly to working from home, and companies closed their physical offices – some temporarily, and some more permanently. How people worked with company information and data became almost entirely electronic, and the protection given by – or assumed of – a physical office building was removed, with people’s work laptops, documents, and meetings being located primarily in their own homes for the first time.
Fortunately for us, Lineup was in a good starting position for this transition: most of our staff were used to working mobile, with frequent meetings and workshops away from the home office, and working on-site with our customers. We have always used cloud-based SaaS solutions, being firm believers in the flexibility that this model allows, so our systems and processes were already set up to allow mobile working for most of our people. We had to make some adjustments for departments that typically remained in the office (e.g. Finance and HR), but even their systems and tools were cloud-based, and the adjustments were mostly human, not technical!
How to prepare – within reason – for risk
Even with this advantage, we couldn’t assume that everything would work just fine – or that switching to completely mobile working would be a smooth transition. Before any countries announced a lockdown, we had a trial run: all of our offices closed for two days and everyone worked from home. Doing this before it was mandated allowed us to examine what worked well and what didn’t, and allowed us the bandwidth to make some adjustments. Because of our practices already in place, our trial did so well that most Lineup employees did not return to offices afterward; a week or two later when countries across the world started announcing lockdowns, we were already a successful home-based company.
Risk assessment with your IT team
Though comfortable and confident, we knew we couldn’t stop there. We conducted a thorough risk assessment of the new arrangement, asking the following questions:
- What changes in your risk profile when your staff are much less mobile but, as a result, have to share much more information electronically?
- Was our meeting software secure?
- Were the settings on our file sharing appropriate?
- What about the risk of staff laptops being stolen, broken, etc?
As we conducted this risk assessment, its timing proved right: the world was seeing a massive increase in phishing attacks of all kinds, with the sophistication of these attacks also skyrocketing.
As part of this, we identified some scenarios to determine how we would handle different risks and how they interact and build on each other. Many of us know what these risks are, and they often follow a pattern:
Out of the risk assessment came an action plan, with short-, medium-, and long-term changes identified, owners assigned, and completion dates set. In general, most of the changes we made related to our corporate data and information, as the protection of our customer data was already very robust. Below you’ll see the action steps we took; you can use this checklist as a starting point for your company:
- Our people are the first, last, and best line of defense: We have invested in additional security training across the company, tracking completion and results, so we can focus on those areas where people need refreshers or more information on the threats that exist, or are seeing a spike.
- We encrypted every hard drive on every laptop so any information that we store locally is safe in the event a laptop is lost, stolen, or otherwise compromised.
- We implemented combined SIEM and endpoint / network protection software across all our staff laptops and our servers: This is a state-of-the-art system, using AI to constantly assess activity, identify threats, and quarantine any suspicious activity.
- We run regular phishing tests to check staff’s awareness of phishing techniques: The results of these feed into our ongoing security training plans.
- We implemented Multi-Factor-Authentication for all staff.
- We hardened our password policy for all accounts, with longer password lengths and shorter password lifespans.
- We brought in an external data privacy consultancy to analyze how we managed personal information in Lineup, and build an action plan to ensure we are meeting or surpassing global standards.
- We deployed a tool that helps identify phishing attacks and removes phishing emails before they reach a user’s inbox.
- We reviewed and removed local admin permissions from many users to reduce the risk of them installing something dangerous.
- We obtained, and have since renewed, our ISO27001 (Information Security) accreditation.
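Two of the checklist items above (full-disk encryption on every laptop, and removing local admin rights) are easy to state and easy to let drift. As an added example that is not part of the original post or any Lineup tooling, the script below is a small posture check for a Windows laptop using built-in PowerShell cmdlets (`Get-BitLockerVolume` from the BitLocker module and `Get-LocalGroupMember` from the LocalAccounts module); it assumes Windows 10/11 with BitLocker available and that it is run from an elevated session. The list of accounts that are allowed to be local administrators (`$AllowedAdmins`) is a constructed placeholder you would replace with your own.

```powershell
# Posture check for two remote-work laptop controls:
#   1. every fixed drive is BitLocker-protected
#   2. only an approved set of accounts is in the local Administrators group
# Run from an elevated PowerShell session on Windows 10/11.

# Constructed placeholder: the accounts your policy permits as local admins.
$AllowedAdmins = @('BUILTIN\Administrators', 'CORP\LaptopAdmins')   # hypothetical values

function Test-DiskEncryption {
    # Returns one object per fixed volume with whether protection is on.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' -or $_.VolumeType -eq 'Data' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint        = $_.MountPoint
                ProtectionOn      = ($_.ProtectionStatus -eq 'On')
                EncryptionPercent = $_.EncryptionPercentage
            }
        }
}

function Test-LocalAdmins {
    # Returns every member of the local Administrators group that is not on the allow-list.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $AllowedAdmins -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$disks = Test-DiskEncryption
$unencrypted = $disks | Where-Object { -not $_.ProtectionOn }
$extraAdmins = Test-LocalAdmins

Write-Host "Disk encryption status:"
$disks | Format-Table -AutoSize

if ($unencrypted) {
    Write-Warning "Volumes without BitLocker protection: $($unencrypted.MountPoint -join ', ')"
} else {
    Write-Host "All fixed volumes are BitLocker-protected."
}

if ($extraAdmins) {
    Write-Warning "Local Administrators members outside the allow-list:"
    $extraAdmins | Format-Table -AutoSize
} else {
    Write-Host "Local Administrators group matches the allow-list."
}
```

Run on a sample of laptops (or from your endpoint management tool) this gives a quick, repeatable way to confirm that the encryption and least-privilege items on the checklist are actually in effect, rather than just recorded as done.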
Our users are at the center of everything we do. For any security strategy to work, your users need to be informed, educated, and involved in the whole process. Hackers typically see users as the weak point in any system, so it is very powerful to make them the strongest part of the whole process.
We used technology to add protection where it brings real benefit. Tools like endpoint protection, hard drive encryption, and Multi-Factor Authentication (MFA) can have a big impact on different kinds of attack vectors. Implementing MFA can be one of the simplest and most effective defenses against human-targeted attacks, and will probably cost you nothing more than some simple training and education time.
We have more security improvements planned over the next year, and one thing you can never do is think that your cybersecurity work is finished in this fast-evolving tech world we live in. There are always new threats, new lessons to learn, and (fortunately) new ideas and techniques for building up your defenses. Covid and its restructuring of home and work life made most of us reassess and revamp our cybersecurity measures, but for Lineup, it was mostly a refocus with a bigger emphasis on things like mobility and sharing. As many companies continue to work remotely or begin to hybridize, the same best practice principles hold true: understand your risks, educate your teams, get good advice, and follow solid, secure practices to maintain and strengthen your cybersecurity standards.