TT Talk - COVID-19: managing communications working remotely
Effective communications are the lifeblood of every relationship, whether personal or corporate. In the global supply chain, this inevitably extends to every counterparty, including those with differing interests, cultures, languages and time zones. COVID-19 has made life exponentially more complex.
The emergence of the current pandemic, and particularly mandated lockdowns affecting about half the world’s population at the time of writing, has profoundly stretched the capability of systems and communications infrastructure.
Cyber security has in recent years become a major topic at board tables as many companies have struggled to ensure that a range of systems - often part legacy, part bespoke, part absorbed from M&A activity, part accidental - are fully bounded by an effective firewall and then regularly checked with specialist penetration testing.
One of the most persistent challenges to minimising exposure to hacking or cyber security events has been the interface with humans – and no more so than in the global supply chain where many are necessarily moving from country to country and interacting with others beyond the confines of a standard firewall implementation. COVID-19 may have pretty much halted international travel – and with it the plethora of industry exhibitions and conferences, so valued in networking and enhancing awareness – but has presented managements with a host of new challenges.
In rapid decision-making, many organisations have responded by ensuring that systems infrastructure can operate successfully, sustainably and securely in multiple remote environments (see previous TT Talk on working from home). Equally, many process controls have had to be modified ‘on the fly’, which presents risks in other ways (see TT briefings and FAQs), but business tasks also rely on human interactions amongst colleagues and elsewhere.
Even co-located colleagues may previously have resorted to phone or email communications, albeit almost always interspersed with face-to-face meetings, particularly when more than two people were involved. Overnight, this has been replaced (at least in part) by a variety of video conferencing platforms. Such connection has already proved critical for effective corporate and team communication, as well as going some way to protecting well-being amongst colleagues. Further, where distant communicants were previously addressed by phone or email, pending possibly a physical gathering, many connections are progressing almost by default to video conferencing.
Much as this by-product of remote working can be embraced, it presents yet another headache for cyber security and risk teams to consider.
Many individuals will both personally and corporately be looking to connect utilising a number of the array of free and charged options, some from recent entrants and others from known suppliers. Most offerings appear to have much the same functionality, but there has been media comment about security and encryption capabilities – and these have to be important considerations for all. Here are some comments to support a decision process.
There are some basics that might be considered such as:
- picture/audio quality (taking account of varied national and domestic bandwidth capabilities)
- stability of video meetings
- flexibility to host multipoint internal and external meetings
- speed of deployment
- ease of use and simplicity to maintain
- ability to operate in both desktop and mobile environments
Inevitably, cost plays a part in the decision. And in the corporate environment, it may not simply be the headline supplier cost, since integration to other parts of the network may carry overhead.
A few rules of thumb that could be used for assessing corporate products are:
- You generally get what you pay for
  Paid products are generally more secure than free – in effect, in the free environment, the user becomes the product rather than the customer and the supplier earns through consumer data, ads and add-ons. Paid products ensure that the product continues to meet the security maturity/posture of the customer, and therefore the supplier has a financial incentive to ensure that a customer continues to pay for services. This is particularly the case where there is heightened regulatory or risk interest.
- More recognisable names are generally more secure than new challengers
  Inevitably, an established supplier needs to maintain its reputation, so will perceive greater risk in any adverse publicity from security breaches or issues. Conversely, any industry with little competition can also become complacent and overly costly, so new entrants should be welcomed.
- Check for any news articles about recent and historic security vulnerabilities
  While this will often require a search of technical media, much information is easily accessible. This can give insight into a supplier’s security culture and posture, together with what the general tech industry thinks of them – but be mindful that companies continually enhance their product offerings.
- Look for certifications and external assurance
  Care needs to be taken to gain assurance in the right ways; while you should seek ISO 27001 information security standard certification and SSAE16/18 SOC2 reports, ensure that such audits apply to the supplier’s own services/products rather than relying on those of the underlying ‘cloud’ provider.
- Consider the baseline
  Things like end-to-end encryption, encryption at rest, complex passwords and data protection compliance are recommended as the baseline for anything used in a corporate environment.
In the current scenario, entities might wish to take a greater interest in what is deployed not only in the workplace environment but also personal consumer products.
We hope that you have found the above interesting. If you would like further information, or have any comments, please email us, or take this opportunity to forward to any colleagues who you may feel would be interested.
We look forward to hearing from you.
Peregrine Storrs-Fox
Risk Management Director, TT Club