Cyber Security & Working From Home
Covid-19 has resulted in many changes to the way organisations have to operate. One of the largest long-term impacts is that organisations have realised that not only can their staff work from home in most cases, but that they are often more productive when they do. This is likely to result in organisations driving down their cost base (i.e. reducing office size) and asking more and more of their staff to work from home on a permanent basis.
What are the risks with home working?
There is an increased risk to the security of the organisation’s information. It is not obvious to most people why that risk would increase in a home working scenario, but the reality is that home working locations are not as cyber secure as office environments.
Let’s start by looking at the technology. Most homes have wifi, and access should be secured with a wifi access key. However, we still see examples where home wifi networks are not secured and are left with open access, resulting in an obvious increased risk of abuse. Home networks don’t generally have firewall rules in place that ‘blacklist’ websites that could result in security issues.
The home tech available to most people is less secure than in the office. For example, unless they work in IT, most people don’t have a good understanding of anti-virus, anti-malware and other software that will protect their technology from attack. In home working scenarios the hardware is often running outdated software (i.e. it doesn’t have the latest security patches applied) and isn’t secured with appropriate virus and malware protection.
Then there is the question of data storage: is data encrypted, is it being transported inappropriately, and is it destroyed appropriately when no longer required? Again, home working can compromise these requirements when organisations allow their staff to use their own devices in a remote working scenario.
The risk of phishing attack is greatly increased. This has been evident since February 2020, as the number of attacks has grown exponentially, leaving organisations more vulnerable to disruption of service and data loss. Home working environments aren’t typically geared to detect such attacks, especially when users access their personal email on devices that are used for work.
The harsh reality here is that in most cases people feel secure in their own homes and don’t take information security seriously. That said, organisations are now at greater risk of attack and the resulting issues that would arise.
How to enable a safe home working environment?
The first and most important step is to think about the security of the home worker. Ignoring this and just accepting the risks above is simply asking for trouble. All organisations that are now supporting home working need to:
- Assess the security risks and vulnerabilities that this scenario presents
- Have a documented policy in place that is designed to mitigate those risks
- Support their home workers to implement the requirements of the policy
- Check that the policy is being followed by their home working staff members
The components of such a policy include:
- Remote Working Policy
- Bring your own device (BYOD) Policy
- BYOD end user agreement
- Security procedure for remote environments
The Policy needs to be supported by effective technology.
Home workers should have access to the organisation’s network (if applicable) over a secure VPN with two-factor authentication, so that not only is the connection secure but the user has to have more than one method of authenticating, and access to the network is permitted only upon successful identification of the user. Usernames and passwords can be compromised; this approach is far more secure and, with modern technology, fairly simple to set up and operate.
Ideally, home workers should use the organisation’s hardware, which is set up with the appropriate protection software installed and auto updates enabled. Again, ideally the hardware is encrypted to protect personal data from being stolen.
Note – where BYOD is permitted, there needs to be a limitation on access to sensitive systems and data.
Training and awareness must not be overlooked. Home workers must be made aware of the policies and procedures that need to be followed to ensure the security of the organisation’s data.
Cyber21 can directly support you in this key transition to move towards a more secure home working environment. We can develop your policies and procedures, advise and guide you through the process and provide the necessary training for your team. Please get in touch if you feel this is something that you require additional assistance with.