BSI issues advice on cyber security and data protection essentials for office return
01 July 2020
PREPARATION WILL be paramount for many organisations, with the transition from working from home back to working from the office requiring safe and considered management as facilities are re-occupied. Maintaining a company’s information resilience is a key element of these plans to ensure that cyber security risks are managed and data privacy regulations are not violated.
Organisations are currently reviewing guidelines such as planning one-way systems, implementing staggered start and finish times, reviewing the effectiveness of safety controls and measures and taking immediate action to improve those that are not effective.
From a cyber security perspective this includes reassessing system networks, reviewing Shadow IT activity and Bring Your Own Device (BYOD) usage. For data protection the focus will be on workstation changes, employee health data, data protection impact assessments and transparency.
Cyber security and data protection essentials
To support companies across all industry sectors as they plan their re-opening and develop a sustainable methodology for working in the ‘new normal’, the BSI has outlined ten cyber security and data protection essentials for consideration:
* Physical security: Make sure that physical security controls, employee identification and physical media are all up-to-date and fully operable.
* Access control: Ensure credentials like multi-factor authentication and password expiration and reset are all up-to-date.
* Data protection and privacy: Seek the advice of the Data Protection Officer or Privacy Officer on the impact of changes made to existing processes or new processes where data is recorded and collated. Conduct Privacy Impact Assessments where relevant.
* Asset management: Re-evaluate BYOD policies and ensure that all non-inventoried assets are correctly logged.
* Network security: Remote access is still important during a phased return to work, so keep network services such as Virtual Private Networks available and secure.
* Vulnerability management: Patching is a challenge even for an information-resilient organisation. In returning to the office, organisations must evaluate their patch posture and, where this is found wanting, prioritise patching.
* Operations security: Organisations should re-evaluate any configurations they made during the working from home period to ensure that they’re still the most effective.
* Business continuity: It’s now time to learn from recent activities – the remote working paradigm – and apply the acquired knowledge to improve the readiness of the business continuity plan.
* Incident management: Incident response represents the last line of defence should an attack materialise. Make sure the organisation is set up to prepare for and respond to a data breach.
* Security governance: Risk Registers should be reassessed given the newly restructured threat landscape and control plane.
The BSI has also developed a self-assessment questionnaire for organisations focused on cyber security considerations around office re-opening. The questionnaire can be accessed here. On completion of the survey, the individual will receive a report from the BSI outlining their business’ readiness to re-open, focused on cyber security and data governance implications.
Stephen O’Boyle, global practice director for cyber, risk and advisory at the BSI, explained: “The last few months have tested many organisations of all shapes and sizes across the globe. Many needed to adapt quickly to the restrictions to ensure the safety and well-being of their employees and clients, with remote working being activated and IT systems tested and reconfigured to remain effective. While there were many challenges involved, including the increase in cyber threats and risks, as well as data privacy concerns, this period also provided organisations with the opportunity to customise, review, update and improve their response planning and enhance their business continuity plans to prepare for the phased re-opening.”
O’Boyle added: “The focus now is very much on opening safely, with a top priority being an organisation’s cyber security and data governance needs. Those responsible for this need to be part of the planning process. Not only will this ensure that the correct protocols are adhered to and implemented, but it also will enable a business to operate in a more secure, safe, sustainable, trusted and resilient manner, thereby protecting its people, information and reputation.”