Monday, 25 January 2021

Working From Home: are your systems still secure?

This year businesses across the UK have prepared themselves for the effects of the pandemic - now it's time to check that all new systems are secure.

Even before the lockdown was announced in March 2020, businesses across the UK were doing what they could to ready their business for the effects of the pandemic. But now that we're in 2021 and a 3rd lockdown for some, have you done enough to make your systems more secure? 

Most business continuity plans hadn’t addressed the risk of a global pandemic. Yet, despite the lack of readiness that many businesses felt, IT leaders across the UK have kept their organisations running. In many ways, they are the unsung heroes of the Coronavirus pandemic.

The sudden and unexpected need to work from home that many organisations experienced has transformed IT in these businesses utterly. Years of digital transformation were suddenly fast-tracked(1) and implemented within weeks – or days – even in industries and sectors that have traditionally been resistant to change.

The rush to keep operations working

For organisations that had already made the first tentative steps towards cloud migration, the switch was made easier; scaling up what was already in place to allow for home working and transitioning more users to cloud services such as Microsoft 365, for example.

The first priority for everyone has been to keep our organisations operational and support our customers, especially those that are recognised with key worker status. But in the rush to ensure users are productive, make data accessible and get everyone online, it was inevitable that the normal transition process was streamlined.

For the most part, it was the cultural and change-management processes that were dropped from the traditional roll-out processes – rather than communication, it was need that drove user uptake.

However, it is also the case that some organisations have made the shift to cloud solutions without fully investigating the ramifications of those decisions. Now that the dust has settled on that rapid transition, it is a great time to address any issues, review your own shift and ensure that the necessary security controls are in place.

The risks of a rapid transition

One of the risks the Grant McGregor team has been highlighting to our customers relates to your Microsoft 365 deployments.

Many organisations understandably assume that Microsoft provides backup and restore for the key services they use. In fact, this is not the case.

Microsoft’s user agreement clearly states:

“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

This leaves organisations at risk in the event of an outage, cyber attack or other disruption to services. Without an adequate solution in place, you might find yourself unable to restore the information on which your company relies. Whether it’s human error, a phishing attack, ransomware, or a disgruntled employee, without a backup and restore solution, your business is horribly exposed – and possibly non-compliant with regulations (such as GDPR).

Whose responsibility is it to back up services?

As Microsoft makes clear in its Services Agreement, it doesn’t see itself as responsible for retaining your data. Deleted data is only accessible for up to 30 days with Exchange Online and 180 days for SharePoint Online. In fact, Microsoft recommends the use of third-party apps to insure against data loss.

However, organisations shouldn’t automatically assume that, since Microsoft isn’t backing up their data, their IT partner is doing so instead.

Backing up and protecting your data requires a specialist solution. Unless this has been itemised in your service agreement, you can’t assume it is naturally in place.

It is really important that you have this conversation with your IT partner to determine what is in place now, discuss the data that you need to protect (both the data that is business-critical and the data that you have a duty to protect or keep private), identify any gaps or exposures, and discuss possible solutions.

What does Grant McGregor recommend?

Ensuring the backup of your data is just one of the security issues which should be addressed when it comes to protecting your organisation, especially when working from home. 

Review your IT security with our 12-step checklist to make sure your business is WFH ready and secure:

Assess your Cyber Security today