29 Jan
Cyber risk during the crisis: Checklist
Questions a Board needs to ask management around home working:
The changing system risks
- How have the external threats changed for us? e.g. from phishing and other ways hackers are taking advantage of the situation
- What is our organisational level of exposure relating to mass home working from unverified systems and software – and from the wider use of devices?
- What restrictions are being applied on confidential discussions and data transfer through the various media? Where unrestricted, how are the risks managed?
- How far are our usual protections coping in response to the change in risks?
- What constraints/procedures are getting in the way of responding quickly to threats?
- Are internal systems and resources overloaded? Do extra budgets need releasing?
The people and behavioural threats
- How have we refreshed people’s awareness and explained the new risk levels?
- What is our assessment of any change in “the people threats”? How are the risks changing of attack or fraud from disgruntled or stressed employees?
- How are we adapting controls to take into account the lack of direct physical supervision, monitoring or control?
- What briefing has been given to employees about working on confidential or personal data when other people are in the home?
- Have risks such as data or confidentiality breach, accidental insider status etc. been considered, and have the related rules and warnings been communicated?
- What are we doing to maintain GDPR standards when the risks of unauthorised access to personal data have increased?
- What steps are we taking to strengthen the culture so each staff member working from home takes responsibility and applies strict self-discipline?
Communication and responsibilities
- Who at senior management level is responsible for managing the various developing risks? And who is responsible for monitoring and managing the softer behavioural risks?
- What is the revised cyber communication strategy? And the CEO’s role in messaging?
- How is the Board communicating leadership in its own working from home behaviours?