Neil Coutts: Scotland’s cybersecurity challenge has only just begun
Neil Coutts, head of the cyber and technology risk capability for KPMG in Scotland, discusses some of the long-term cybersecurity challenges facing Scottish businesses as more people look to work from home in the future.
Scotland’s lockdown may be easing, but there’s a growing acceptance that life – at least from a workforce perspective – will never be the same again.
The coronavirus pandemic has forced companies of all sizes and in all sectors to adapt at a rapid pace, adopting new ways of working to maintain a customer base, and ensuring staff remain safe and healthy.
Many businesses were already introducing more flexible working patterns, enabling employees to better balance work and home life. Lockdown has simply pressed the fast forward button, with thousands of people now questioning whether they ever want to return to the 9-5 core office hours, which haven’t changed since the 1800s.
From productivity to personal wellbeing, shifting to a more agile economy has clear benefits for individuals, but it also opens up a raft of challenges, including cybersecurity.
As a cybersecurity expert, I’ve been impressed by the scale and pace of transformation from companies of all sizes. Within days of lockdown being announced, a huge swathe of the country was working from home with only minimal disruption.
However, now, as workers and employers start debating the merits of making working from home more of a permanent concept, the real challenge begins. Since lockdown, technology has been implemented quickly and, almost certainly, with less of the formal due diligence that would normally be applied. That’s not to suggest corners were cut, but, with little time to implement such fundamental change, it’s inevitable that some security procedures may have been overlooked.
At this point, employers should be planning for their own ‘phase 2’. While political leaders and health officials devise strategies to prevent a second wave, the time has come for businesses to take a more proactive view of their cybersecurity controls.
In periods of disruption and uncertainty, organised crime groups exploit new ways to target vulnerable organisations. So far companies in Scotland appear to have coped well with lockdown from a technology perspective, but there’s growing evidence that criminals are developing and adopting methods to exploit COVID-19 themes.
It may feel overwhelming, particularly for smaller companies struggling financially in a period of volatility, but taking steps now could prevent a potentially devastating cybersecurity failure.
As a starting point, you should ask if you have a clear view of the top cyber and financial crime risks facing your business. Ask yourself what steps you’ve already taken to ensure senior management’s visibility of cyber and financial crime risks. Are you identifying and reporting gaps in controls that have emerged during the pandemic? Those basic steps should help you identify some of the hidden weaknesses and areas where you need to take proactive action to prevent a potentially significant challenge to your business at a time when the economy is under increased financial strain.
As some employees begin their phased return to the office, there are new physical security considerations to factor in. How do you ensure staff returning have the technology and security they need in largely empty offices? For those working at home on a long-term basis, have you scaled your VPN, portals and gateways to handle the change? Have you identified weaknesses in the network that could cause significant long-term issues? And have your networking facilities, such as video conferencing tools, been configured beyond their default ‘out of the box’ settings to provide adequate security, so that you can be confident in their long-term use?
To some extent, lockdown was a dry run for assessing your operational and cybersecurity resilience. The business community coped well with an unprecedented challenge, but the ‘new norm’ presents a raft of new risks and obstacles. The key now will be taking a transformative view of the future. IT teams need to collaborate at Board level, ensuring that no weak spots were overlooked or created in the disruptive period of lockdown, and putting in place a long-term strategy that builds a digitally secure, flexible model that can cope with an uncertain future.