The remote working method was one of the flexible working methods that could be preferred from time to time. Today, with the effect of the COVID-19 epidemic, working from home has become almost the basic method to run our business.
The sudden and excessive increase in work from home activity with the pandemic can affect network accessibility and information security, especially in regions where telecommunications and system infrastructure are not sufficiently developed.
The pandemic has challenged too many businesses not only with the problem of a sharp decrease (or sharp increase) in demand for products or services, but also because the company has had to offer its products and services through unfamiliar channels.
In an organization with remote workers, information security; should be positioned as an integral part of business processes. Risk analysis for remote workers should be done, security measures should be applied systematically and this should cover other processes of the company. Systematic risk management, information security awareness and training are key to success.
Even though many companies have voluntarily implemented remote work, few have the necessary cybersecurity solutions and infrastructure. One of the minimum security needs required for remote workers; Not using next-generation endpoint protection (EPP/EDR), multi-factor authentication (MFA) and secure access solutions such as ZTNA or VPN, and information security awareness below the required level increases security risks. As all this is combined with the attack surface and attack diversity that continues to grow; We observe that cyber security vulnerabilities and forensic cases continue to increase exponentially.
Looking at the data compiled by different sources from the beginning of the COVID-19 process to the present, we see that there has been an increase of 300 – 400% in leaks within two months. In order to take precautions against all these attacks and cyber risks, ensuring information security and protecting networks and data should be one of the main agenda items of companies so that they can be managed remotely.
In this context, Information Security Management System/ISO 27001; It presents best practices regarding preventive and risk-reducing controls by identifying the risks of companies and institutions. If during the epidemic we live in; If you have not re-evaluated your information security risks, which have become more critical with working from home, and have not taken the necessary precautions, you can contact us via the link below so that we can assist you. Hereby, we present and repeat some of the relevant ISO 27001 controls, which have increased in importance recently: Systematic risk management, information security awareness and training are the keys to success.
| Information Presence | Threat | vulnerability | Precaution | ISO 27001 Appendix-A Controls |
| Computer, Mobile Device | Theft | Leaving it visibly exposed and unprotected | Remote work and mobile device policy | A.6.2.1
A.6.2.2 |
| No backups | Backup policy | A.12.3.1 | ||
| Malware | Lack of next-generation endpoint protection (EPP/EDR) | Next-generation endpoint protection (EPP/EDR) | A.12.2.1 | |
| Cryptolocker | Lack of EPP/EDR and incident response solution | EPP/EDR and incident response solution | A.12.2.1 | |
| Failure to follow patches | IT Security Policy | A.12.6.1 | ||
| No software installation restrictions | Processes for software installation should be established and implemented | A.12.6.2 | ||
| Internet/Network connection | Interruption | No alternative connection option | Switching to an alternative service provider | A.17.1.2 |
| Data leak or data theft | Inadequate network security and network controls | Effective Network security management, ZTNA, VPN, NGFW, IPS, NAC | A.13.1.1
A.13.1.2 |
|
| Documentation | Unauthorized access | Lack of access controls | Locked doors and document cabinets | A.11.1.2 |
| Lost or destroyed | No backups | Scanning and digitizing | A.12.3.1 | |
| Cloud Services | Unauthorized access | Poor Password | Creating and controlling the password policy | A.9.3.1
A.9.4.3 |
| Identity/access management | Multi-factor authentication, MFA, Token | A.9.4.1
A.9.4.2 |
||
| Access by multiple people | Access control policy | A.9.1.1 | ||
| Unauthorized activities | Lack of an effective follow-up and monitoring structure | Log, SIEM, PAM | A.12.4.1 | |
| Random screenshots, Evaluation of logs, | A.12.4.1 |
In addition to the above, in the last period; The management of information security breach incidents and improvements (A.16) has also become one of the issues that should be given more importance for companies and institutions. While observing that some companies may have a prejudice about whether they can initiate ISO 27001 certification programs during the Covid-19 epidemic, it is pleasing to observe that companies that have started and continued ISO 27001 programs despite the epidemic are able to manage this period with a much more advanced business continuity and cyber resilience. Recently, it is a great advantage that ISMS compliance, implementation, training and audits can be done remotely.
For detailed information about our ISO 27001 Information Security Management System (ISMS) services, please click.
We wish you healthy and safe days.
