Cyberlaws – Cyberlaws.org (https://www.cyberlaws.org) – Compliance | Security | Legal

HOW ORGANISATIONS CAN ENSURE CYBER SECURITY DURING REMOTE WORKING
https://www.cyberlaws.org/how-organisations-can-ensure-cyber-security-during-remote-working/
Sat, 03 Apr 2021 16:12:16 +0000

The global pandemic has entirely changed the work culture of organisations: over 75 percent of private sector employees are working from home, and the rest work remotely at least once a week and are willing to work from home more often if their job permits.

Presently, most organisations, including start-ups, offer the option to work from home because of the serious health threats to employees and to ensure business continuity. Top management and business leaders from all sorts of companies, including start-ups, are recognising the benefits of permitting remote work for their companies.

Previously, most organisations weren’t set up to work remotely and preferred working on office premises only, but the COVID-19 pandemic and the resulting lockdown of many countries mean that many companies and their employees are now mostly working full-time from home (WFH).

Keeping business continuity in focus, organisations allowed remote working; however, cyber security and information security have become a serious concern. On one side, the work from home option has reduced commuting time for employees, given workers more liberty and even increased productivity; on the other side, there are cyber security risks and challenges that come with allowing employees to work from home or from any remote location.

What are the Risks of Work from Home/Remote Work?

Data security and cyber security are paramount while working from home. Organisations need secure communication channels to access information systems hosted on premises. Some organisations, mainly start-ups, may face operational risks such as not being able to support a huge number of simultaneous remote connections to their infrastructure and IT services. This could be troublesome for employees who need access to internal resources for business support and may even place an additional burden on IT teams if they’re not properly prepared.

While this is a business disruption risk, it can also cause unnecessary stress for an IT department that’s already overworked and overburdened trying to fix the issue on the go. This could lead to the risk of not properly implementing access, authorisation and authentication policies, which may result in employees accessing resources that they shouldn’t.

In order to reduce the risk of unapproved remote access to the organisation’s Information Technology infrastructure, IT teams and information/cyber security teams shall make it explicit which applications, services and VPN clients are supported by the organisation’s IT infrastructure. Any attempt to access the internal Information Technology infrastructure with illegitimate or unknown tools should be treated as a cyber risk and blocked immediately.

Many companies have a well-defined and strict IT and information security policy for centrally managing and deploying software. For security patch updates to endpoints, gradual rollout procedures should be designed: delivering them all at once to remote devices connected over a secured VPN could create a bandwidth traffic jam and affect inbound and outbound traffic. Data backups of individual laptops could be a tough task if backup servers are hosted inside the premises. Last but not least, enabling disk encryption for all endpoints should be a priority, as it minimises the risk of having sensitive data accessed or compromised due to unauthorised access or device theft.

Cyber Security Guidelines for Work from Home

  1. Having a Teleworking/Work from Home Policy

First and foremost, defining a “Remote”, “Work from Home” or “Teleworking” policy is a must if your organisation or start-up allows employees to work from home or from locations outside the office premises. This policy shall establish a set of procedures and guidelines that employees must follow in order to work from home. It will reduce the inherent risks of working remotely, since the organisation and employees are explicitly aware of the WFH responsibilities and their consequences.

The teleworking/remote working policy shall include:

  • Employee responsibilities
  • Procedure for reporting information security incidents
  • Approval process for remote connections
  • Workspace security mandates
  • System configuration/hardening steps
  • Use of encryption for all data stored and in transit
  • Mandated use of a secured channel such as a VPN for remote workers
  2. Information security training for top management and employees

Conduct periodic monthly or quarterly training sessions to keep your employees and top management aware of and educated on cyber security and information security risks, and on their responsibilities when it comes to the organisation’s information security program and working from home.

Basic cyber security drills shall be conducted on a regular basis, and the organisation’s information security awareness program shall be updated accordingly. Employees shall be aware of phishing attacks and spam mail, as well as how to secure their home Wi-Fi network.

Each and every employee shall be aware of the risk of using public Wi-Fi with the organisation’s systems. Employees should know whom to contact in case of any cyber security incident.

Top management is more prone to cyber security attacks. They shall be adequately trained.

The organisation shall assess the information security awareness status of employees and top management on a timely basis.

  3. Use of advanced technology and tools for data protection

A well-defined policy will help employees know what they need to do and how to do it, but providing them with the right technology tools will also reduce the risks of working remotely. Depending on the organisation and the role of its employees, the technology could vary. Below are a few examples of tools helpful for data protection during remote working:

  • Enable built-in firewalls: Firewalls are a defence against information security risks. Nowadays every operating system has an inbuilt firewall which can block malicious inbound or outbound requests.
  • Enable built-in encryption: System data will be encrypted using built-in encryption techniques; this is helpful in case the drive is lost or stolen. However, the passkeys shall be kept by the IT administrator.
  • Use a Virtual Private Network (VPN): A VPN provides a secured tunnel for data travelling to the servers and makes it difficult for malicious users or hackers to crack. The organisation shall only accept traffic coming through the VPN, and employees shall always use the VPN to connect to the office network, especially when they are on a shared network at home or outside.
  • Use password managers: These help employees store their passwords and generate secure passwords, reducing the risk of employees using the same password for all services and applications.
  4. Enablement of two-factor authentication

Use of two-factor authentication for critical information assets is a must, since it provides assurance that the data request is coming from a genuine source. This method reduces the risk of phishing and malware attacks.

  5. Monitor your third-party vendors and service providers

Many times organisations outsource a few services. In this case the vendors shall be regularly monitored as per the supplier information security policy. Assess your vendors’ cyber security programs on a regular basis, because a vendor can also sometimes be a risk to the organisation’s information security.

  6. Use of access control

The organisation shall implement an access control policy in order to reduce data breaches or data leaks. Least privilege shall be applied when granting permissions to any user. Access should be based on the employee’s role in the organisation, and these accesses shall be monitored on a timely basis.

  7. Enforcement of strong passwords on applications, servers and employee devices

The organisation shall ensure that a strong password policy is enforced on employee devices, applications and servers.

  8. Use of web security protection

Last but not least, organisations should deploy security solutions like antivirus, anti-phishing and anti-malware on employee endpoints, along with technologies capable of preventing network vulnerabilities from being exploited. There are many solutions available in the market nowadays.

Only deploying these solutions is not sufficient; they shall be updated and monitored regularly, and necessary actions shall be taken on their findings. The organisation shall deploy solutions which can accurately detect phishing attempts and known malware attacks.

Work from home or remote working has given a golden opportunity to hackers and cyber criminals, and it is a challenge for the organisation’s IT team and information security team. Managing cyber security during remote working is a really tedious job for organisations; however, proper technology and monitoring can certainly manage this work. Organisations shall treat cyber security as a risk and appropriately invest in safeguarding their information assets. A vigilant and aware team can save the organisation from cyber attacks and hence from financial, reputational and business operational loss.

Keywords: Information security, cyber security, data protection, VPN, training and awareness, strong password, business continuity, access control, remote working, work from home, cyber security risk.

Cyber Security during COVID 19
https://www.cyberlaws.org/cyber-security-during-covid-19/
Thu, 21 May 2020 15:00:40 +0000

Cyber security during COVID 19: the most difficult time in this era that our generation has witnessed. No one could imagine that this time could ever come and that we would have to face a total lockdown. We know that this type of situation has occurred in the past, but such a situation with the Internet in existence is the first of its kind.

Has anybody imagined how the whole world would behave if the internet had not been invented?

So the most important tool is the invention of the INTERNET, and if the internet was born then some hackers would also have been born 🙂

There comes the Cyber Security domain.

The COVID 19 pandemic came with side effects:

  • Hampered the business continuity of many organisations; we all know that once business continuity is reset, this sometimes costs organisations.
  • Think about power plants, industrial plants and such large setups which cannot take the weight of starting up and shutting down again and again; it costs for every hour.
  • Setup cost to make the workforce start working from home, giving them secure devices and high speed internet; we know work from home networks are not secure and could be an easy entry point.
  • Situations where organisations were on the verge of upgrading: what happened to broken systems?
  • Systems which were not designed to take loads or to be cyber secure: what happened to those?
  • Some of the basic hacking attempts that have taken place in our lives have come out vigorously; it should be noted that whenever there is a disruption in society these attacks will come out commonly.

The threats below will be very common:

  • Payment wallets – You will be receiving many fraudulent calls asking you to check messages in which an encrypted URL will be seen; as soon as you click on the link, the phishing attack starts.
  • Online ordering systems – There are fraudulent websites on which people order online and enter their credit card details on the pages, and then transactions take place.
  • Phishing emails – The highest number of reports coming up since the lockdown. An attempt to obtain information like usernames, passwords and other details using emails is called phishing. This type of attempt has increased due to unrest in governance.
  • Malicious apps – Whenever you use mobile apps, we sometimes get a message to click on a promotional banner, which might be a prompt to install a new app. No one knows what these apps are capable of getting from your data and how they breach our mobile data. These attacks are more common these days.
  • Network endpoint attacks – There is malware on the internet which always keeps finding endpoints which are easily vulnerable; they get infected, the malware penetrates the system and then lives inside the system as a host, waiting for its master’s command to start damaging in one form or another.
  • Targeting healthcare systems at the time of covid – The most important is the healthcare system. Covid19 is a pandemic, most people are dependent upon healthcare services, and in these times healthcare systems are the most common to get attacked.

Cyber security teams should take the most common steps as mentioned below:

  • Online awareness workshops – Most important is increasing awareness among employees working from home.
  • Backup of all digital assets – Digital asset monitoring tools are becoming very common these days; organisations should keep regular backups of all digital assets.
  • Endpoint scanning – More and more endpoints appear because people are forced to work from home, hence they are using mobiles, iPads, laptops etc. in unsecured zones. Hence regular endpoint scanning is necessary.
  • Creating groups for risks – Immediate risk mitigation teams should be formed to take care of cyber attacks.
  • Extensive use of tools for monitoring – Organisations should start using monitoring tools which can produce reports like risk observation, endpoint breach, DoS attack report, performance and load analysis etc.

Lessons from the Covid 19 pandemic in reference to cyber security:

  • Emergency response teams should get more active
  • Immediately activating multi-tier authentication
  • System performance and load monitoring, in case of situations like a sudden traffic rise
  • Cloud security preferences

Summary

This pandemic is the first of its kind which we have faced in this digital era. COVID 19 will be a perfect case study for future pandemics; the world will now be more prepared for these disasters. Some of the factors, like how the digital industry behaves, all-of-a-sudden change, immediate load and performance issues, system scalability, penetration tests, cyber attacks etc., and the systems which fell or broke easily in this period, would be a great learning or case study for the future.

Relevant Links

INFORMATION SECURITY-KNOW WHAT COMPLIANCE YOUR ORGANIZATION NEED

Cyber Security Consultants 

Startups are Easy target and more vulnerable
https://www.cyberlaws.org/startups-are-easy-target-and-more-vulnerable/
Fri, 15 May 2020 14:44:23 +0000

Startups are easy targets. The startup world is filled with examples of data theft and of how a beautiful idea came crashing down. Startups have a very narrow financial funnel and are weaker targets; in case of any cyber attack they are unable to handle the legal implications and die. Most important is planning: cyber security threats in today’s times cannot be ignored. Startups are more vulnerable, and this will increase day by day.

  • Startups are easy targets and more easily vulnerable – Large organisations already have procedures, good infrastructure and the spending power to mitigate these threats, but small companies or startups are not so lucky. Cyber crime is increasing day by day, and these startups are easy targets. The basic concern is protecting customer data. It’s all about protecting your digital assets; one of the ways is to use tools for vulnerability management.
  • Tarnished reputation – Startups have to be more vigilant about their reputation, since a single incident in the news can tarnish it. Startup businesses are like planes taking off from the runway; it’s very important to be vigilant while taking off. Once startups have a large enough customer base or good investment, it’s easier to handle.
  • Dependency upon third-party APIs – Most startups initially take support from third-party APIs because it’s impossible to develop the API from scratch or the business model is not financially viable, hence third-party APIs are the only source. Using an API means dependency and data exchange, and we never know how this is taking place. The recommendation is that some legal documentation should be done before going for such arrangements.
  • Less spending on IT infrastructure and technology – It’s very important that you select the best IT infrastructure and technology solutions. We are living in an advanced era, and there are many IT infrastructure solutions available these days which offer services on the basis of bandwidth usage, i.e. pay as you use (e.g. AWS, Google Storage etc.). These tools have made life easier because we are getting the same quality which larger setups are getting and are paying on the basis of usage; these advantages were not available even a few years back.

  • Testing and performance – Most startups ignore this process called “Testing & Performance”. Although it’s a very important department, in case of a financial crunch startups can go for freelancers available at low cost and high quality.
  • Lack of legal know-how – We all know startups are betting on new ideas or playing with new technology which might disrupt the market, and it’s not possible that the legal journey would be so simple for the company; hence just starting on mere ideas is not the only important thing. Analysing the legal aspect would be a very wise decision. It’s recommended to hire a cyber laws expert before going forward; this will help the company get a second opinion.
  • Startups are less likely to fight back – Most startups have a very small financial backbone or narrow funnel for finances. In incidents like data thefts or legal notices, many startups haven’t even planned for these financial aspects; such incidents make them lose focus on the actual technology they are working on and on what the actual idea was, resulting in startups shutting down or moving in the wrong direction.
  • Less due diligence – Due diligence for the idea is very important; a startup team should spend more and more time on this, managing their resources, technology aspects, research, IPR, demographics, usage, bandwidth, people, taste etc. These are the most important aspects in understanding businesses. It’s also important to understand the cyber laws: although the world is becoming borderless and the internet has no boundaries, these cyber laws act as borders for different communities. Hence it’s very important for IT startups to design their software in a way that is easily configurable according to changes in laws. Scalability not only refers to the tech infrastructure but also to how quickly you change your policies and how easily that is configurable in your software.

Recommendation

Get your Idea Patented 

The most important aspect of an idea is to get it registered; you again need an attorney and need to read some local or national laws just to get your idea registered. Although it’s difficult and time consuming, people have come up with innovative ways to mark in history that they thought of the idea first, and the small efforts they made in this direction could save them from losing their idea.

Cyber Risk Analysis 

Cyber risk analysis is the best due diligence you can start with initially; this report will touch the endpoints where cyber risks are involved. Moreover, this gives more insight before taking steps.

Before going for full scalability, have a cyber laws lawyer on your panel.

It’s very important that startups have cyber security and legal advisors on their panel; this will help them analyse local laws and understand the legal implications before taking any steps, and it will help companies do due diligence before going further.

Keep a cyber security plan always ready in case of emergency response.

In case of a data breach or cyber attack, always be ready with a Plan B and try to minimise the risk to customer data, because that will be the only way to safeguard yourself; once this risk is mitigated, all other risks seem secondary and will automatically be covered.

Always be in touch with the regulators or authorities regarding any thefts which you think should be addressed in advance to policy makers.

If you think your product is new and some governance with public authorities or regulators is needed, always get connected with the regulators of your industry via events. You never know whom you will need to contact at the time of a crisis.

Before releasing any version of your product, always keep your terms and conditions and disclaimer updated and enforced.

The most important part is the disclaimer policy; most court cases have been fought and won or lost on the basis of the terms and conditions of usage and the disclaimer. It is strongly recommended that you always keep your policies updated and have them reviewed with your legal consultant every time.

Be proactive in addressing issues with your users. 

Let’s assume your system was attacked in past months and you want users to change their passwords as soon as possible: don’t hesitate to make this announcement. It’s a responsible step; we have seen many automobile companies recalling cars for some defective part, and it’s similar to that: you are being a responsible company trying to save your customers and their data.

Hence, by becoming a proactive founder, don’t let your startup become an easy target and vulnerable. SAVE YOUR STARTUP

Related Articles :

CYBER SECURITY CHALLENGES FACED BY FINTECH START-UPS

GENERAL DATA PROTECTION REGULATION (GDPR)
https://www.cyberlaws.org/general-data-protection-regulation-gdpr/
Sun, 22 Mar 2020 12:51:53 +0000

What Is GDPR?

What is GDPR? GDPR gives guidelines to organisations for handling the information of their customers/individuals. GDPR actually gives individuals more control over their personal information. Moreover, GDPR specifies how consumer data should be used and how it should be protected.

This will change the way data is handled around the world.

In case of non-compliance, defaulters can be fined in proportion to the severity and scale of the violation. GDPR came into force on May 25th, 2018. Companies must be able to show compliance by May 25th, 2018.
The main focus of the compliance is protecting the personal information of individuals.

How will this Impact my Business?

GDPR sets new rules and restrictions on commercial data usage. Businesses will have to shell out more money on compliance spending, inspire trust and confidence, and safeguard customer data security rights, which will take higher priority over the internet. Companies have already started rewriting their policies; the most important change is how companies share data with other vendors.

CYBERLAWS GDPR CHECKLIST

  • Consent: Companies cannot use illegible terms and conditions filled with legalese. It must be as easy to withdraw consent as it is to give it.
  • Mandatory breach notification: Data processors have to notify their controllers and customers of any risk within 72 hours of any data breach event.
  • Right to access: Data subjects have the right to obtain confirmation from data controllers of whether their personal data are being processed or not. Data controllers should provide an electronic copy of personal data to data subjects for free. This is called confirmation of personal data usage, and one has to give a free electronic copy of the data.
  • Right to be forgotten: When data is no longer relevant to its original purpose, individuals have the right to request that the data controller erase their personal data and cease its dissemination. Yes, people have the right to be forgotten, but in certain cases this doesn’t apply.
  • Data portability: In recent times you may have experienced mobile number portability; similarly, individuals can obtain and reuse their personal data for their own purposes by transferring it across different IT environments.
  • Privacy by design: Calls for the inclusion of data protection from the onset of designing systems, implementing appropriate technical and infrastructural measures.
  • Data Protection Officer (DPO): Data Protection Officers (DPO) must be appointed in public authorities or organisations that engage in large-scale (>250 employees) systematic monitoring or processing of sensitive personal data.

Penalties

Businesses can be fined up to 4% of global turnover or 20 million euros.
Moreover, even if your business does not have a location in Europe, if you handle the personal information of any European citizen you will need to comply with the General Data Protection Regulation. The risk will hit with hefty fines.

Types of data GDPR Protects

GDPR covers a set of data. This data can be names, addresses, ID numbers, geolocation, IP addresses, cookie data and RFID tags. Moreover, not only the above: health and genetic data, biometric data, racial and ethnic data, political opinions and sexual orientation etc. are also covered by GDPR.

How will this Regulation have an impact beyond boundaries?

The concept of GDPR was popularised in 2016 and put into effect in 2018. People download apps on their mobiles, and while downloading, the app asks for permissions, i.e. access to the phone book, location, cookies etc.; we give those permissions without realising/understanding the repercussions. Companies have been collecting data at a huge pace; one of the common reasons is to find consumer behaviours. This can be in the interest of the business, but it becomes dangerous if it crosses the line or is misused.

This data is shared in big data pools, where analytics come into the picture; analytics can be used in positive as well as negative ways.

Hence it’s a good step towards data privacy.
This collection of data will impact your choices and hence may impact your future. We are giving permissions over our future to companies, and this can be misused across boundaries.
