The ‘New Normal’: What does the future look like for data and conversational information protection?

Covid-19 is one of those, thankfully rare, global events which is affecting the whole security threat landscape. Threats to digital, physical and information security have all increased and are evolving as countries navigate the pandemic on their own timelines, but with the interconnectedness of our economies and commercial activities we all feel the impact at broadly similar times.

As a result of the lockdown, we are all navigating the ‘new normal’; whether this is a change in our own personal working practices, implementing new routines within our own organisations, or looking to adapt our services to what we foresee the future looking like. From a security perspective, we need to be looking at our risk assessments, methodologies and processes so that they are in line not only with the current needs and demands of our respective organisations but also how they can be adapted to provide efficiencies in the wake of likely economic fluctuation. By considering efficiencies in working practices, time and expenditure, we can be ready to embrace the opportunities the current situation is bringing. So, what will be ultimately driving these opportunities and how will this impact data and conversational information protection?

One of the key change instigators is the huge increase in remote working. For those organisations who weren’t already set up for remote working or hadn’t prepared a response as part of a business continuity plan, the forced and rushed shift to fully remote working may well have resulted in an inadequate consideration of the threats to information confidentiality. Various research studies have been released over recent weeks highlighting the poor IT working practices of home workers, such as one by CyberArk which found that 60% are using their own devices to access corporate systems, 59% insecurely save passwords on their devices and 21% allow other members of their household to use their corporate IT devices. Guidance from respected bodies such as NCSC is available to help organisations to ensure their remote workers can work from home securely, encompassing advice on video conferencing software (surely we’ve all now read the concerns around some well-known solutions?) data storage, file sharing and more.

However, with many companies now signalling a move to complete or increased remote working in the long-term such as Google and Facebook, there is now the need to consider how best to both maintain a high level of alert by employees and also train them on the new threats which emerge. As the timeline of the pandemic has developed, the threat of malicious cyber activity has increased exponentially with attackers exploiting Covid-19 as a means of gaining access to information and financially scamming businesses and individuals. This has led to a national awareness campaign by NCSC and even joint guidance issued by NCSC and CISA highlighting the different methods they’ve seen used by fraudsters. Arguably then there is a significant need to support our colleagues with security training and security awareness briefings to ensure the integrity and safekeeping of information, particularly given research findings from the Information Commissioners Office in 2018 which demonstrated that 88% of data breaches were a result of human error.

With the move to more increased remote working, security professionals also need to review home offices for the level of protection they offer to confidential conversations as they would do for secure office spaces such as boardrooms. With more C-suite executives working from home, conversations on highly sensitive topics such as restructures and mergers have now moved to home offices which are arguably more open to attack. At Esoteric we predict far greater demand for private residence TSCM survey and related projects over the coming months as the eavesdropping threat analysis extends to the home environment.

For those organisations navigating a return to the office and then offering a more agile working environment, there are new considerations for assuring the integrity of the office space.  Working in the field of counter-espionage and the threat of eavesdropping, we recognise the threat posed to empty office space during the period of lockdown by the adversary who sees the opportunity to plant listening devices to be activated once a return has taken place. Security officers can help to mitigate this risk by restricting access, keeping logs, accompanying visitors, applying security seals to entrances to sensitive areas such as server rooms, and even conducting searches for quick plant devices. CPNI has released some detailed guidance on physical security protocols.

The significant threat posed by Covid-19 is the greater economic uncertainty. We’ve seen during previous times of economic uncertainty that as confidence decreases and unemployment rises, the risk posed by the insider threat grows. With a risk of redundancy or a fear over job security in the future, those with access to sensitive information are more likely to steal confidential data. With a 2020 study by Securonix citing ‘flight risk’ as the reason for 60% of insider threat cases, we can predict this will pose a greater risk as the economic downturn plays out.

This article has been contributed by Esoteric Ltd, world-leading experts in counter-espionage and technical surveillance countermeasures (TSCM). Esoteric has released a range of free content guides focused on Covid-19 and specific impacts on information security, available here.