Companies are moving to remote work. COVID-19 has accelerated this trend.
With large numbers of employees working from home or Starbucks, information security is becoming a real issue.
Employees conducting their work via private internet connections outside of office networks and security protocols are an easy target. Take the recent case of a broad and sophisticated attack on dozens of Fortune500 companies. US Law Enforcement discovered a campaign by a notorious Russian group, targeting employees working from home. Malware was deployed on popular websites. The actual attack, however, occurred only when the employees’ computers were connected to corporate or government networks.
Other attacks come along in the simple form of a forged website designed to trick the employee to type in their credentials, or through so called “brute force attacks” in which passwords are simply tried out until gaining access.
Companies should double their defenses on essential information
Organizations have responded to these attacks by introducing more protocols for the employees working from home and by investing in additional security software.
However, this traditional defense strategy cannot win.
While companies need to ensure the security on every device and with every single employee, attackers only need to find one “chink in the armor”. Even if Cyber Security Managers will not admit it, a 100% defense of all information has become unfeasible and too expensive.
We propose a different approach. In our recent articles in HBR Italia and LSE Business Review, we suggest to focus on identifying the actual information and data that the company really needsto protect at all cost.
Typically, real strategic information that may compromise the competitive position of a company makes up only 3-5% of what Cyber Security Managers are trying to protect today (see matrix below).
In order to understand what represents “real strategic information”, a company needs to dive deeply into its business. This information is only sporadically overlapping with data protected by law such as GDPR in Europe.
Companies should map their unique winning competitive factors and their underlying information which can be science-related as well as business information/data like pricing schemes, contracts with distribution partners, sourcing agreements or client contracts.
Once strategic information/data is screened and identified, the company should do everything possible to protect them. Ideally, this information/data is physically separated from the company’s networks (“air gapping”), with access being granted only to a limited circle of employees and managers.
In summary, we see three main challenges for companies:
- Accept the notion that all circulating information can be hacked, particularly when most employees work remotely
- Define which information and data is strategic and which is not, focusing on the most critical 3-5%. It is the responsibility of the business leaders – and not of the Cyber Security Managers – to define what is strategic information based on their winning competitive factors
- Innovate their cyber security strategy, doubling down on efforts to protect this most critical 3-5% and using less conventional moves.