In recent years, the rise of remote work has transformed the traditional office landscape, offering unprecedented flexibility and convenience. However, this shift to remote work comes with its own set of challenges, particularly in the realm of cyber security. As organisations adapt to the virtual workplace, they must be vigilant in identifying and addressing the various cyber security risks that can compromise sensitive information and undermine the integrity of their operations.
Here MetaCompliance explores some of the problems that home working brings to the cyber security table and what to do to close the door on remote work security challenges.
The Problem with Remote Working and Security
- A poll of 1,000 British firms by the British Chambers of Commerce (BCC) and Cisco found that more than half of firms felt exposed to cyber security risk through home working.
- According to one report, 20% of organisations believe a data breach occurred because of a remote worker.
- The Verizon Mobile Security Index report found that 79% of respondents are concerned that changes to working practices harm an organisation’s cyber security posture. The report also highlights the issue of mobile device security and remote working, with 52% of respondents admitting to sacrificing the security of mobile devices (and IoT devices) to “get the job done”.
- Cyber security policies are also being changed to allow remote workers to do their jobs unimpeded. A survey found that 26% of UK companies had relaxed their cyber security policy to enable employees to work remotely more easily.
Where Are the Security Risks when Working from Home?
Employees working from home or remotely bring new risks into play, though these are typically not unknown risks. Areas where cyber risk creeps in include:
A UK Government DCMS “Cyber Security Breaches Survey 2022” shows that 45% of businesses allow employees to use personal devices such as laptops to carry out work-related tasks. The problem with this arises when there is no oversight or control of the device.
For example, if a device is used to send and receive business emails, are you sure that received emails are not phishing attacks or a scam?
Similarly, if your IT team is unable to ensure that mobile devices are updated and patched, security risks can creep in, data can leak, and malware can enter your corporate network.
Unsecured Home Devices and Networks
Insecure home networks can become an entry route for cybercriminals and lead to sensitive data exposure. Cybercriminals scan the internet for unsecured networks and will exploit any security gaps they find, including default passwords on IoT devices and Wi-Fi, and unpatched routers.
Similarly, Wi-Fi printers should not be overlooked. An insecure connection to a Wi-Fi printer also opens the door to a cybercriminal. Again, printer vulnerabilities can lead to an exposed home network. A Quocirca Print Security Landscape 2022 study found that 68% of companies suffered data losses because of print-related insecurities.
Internet Use and Non-Compliant Behaviour
The adage “out of sight, out of mind” sums up how changes in behaviour and internet use when an employee is at home lead to insecurities. An Avanti report found that 66% of IT professionals reported increased security issues caused by online remote working. Security issues included malicious emails, non-compliant employee behaviour, and software vulnerabilities.
A further study into the security behaviours of remote workforces found that risky behaviour was more prevalent in home-work environments, with issues such as leaving a computer unlocked when left unattended. The study was performed during the Covid-19 pandemic and concluded that there was a need for “wellbeing and educational measures to help those at risk of PIU (problematic internet use) become more aware of how to spot the types of cybercrimes related to COVID-19.”
Risky behaviour, such as leaving sensitive emails and documents open on a computer left unattended, can open up security risks in shared homes. Shared spaces can turn into shared devices, and if those devices are logged into a corporate app or network, this can leave an organisation open to regulatory non-compliance or vulnerable to cyber attacks. Security concerns for remote working should also include co-working spaces; one study found that 23% of workers in co-working spaces had security concerns.
What Security Measures Can Help Secure Home-Based and Remote Workers?
There are several things that an organisation can do to help improve the security of its workforce for home working:
Supply a VPN
A virtual private network, or VPN, is a valuable tool that provides a secure connection between a user and a network or the internet. For example, an employee with a correctly configured VPN can send and receive emails and other data securely. A VPN will protect any data traffic, even if the home network is insecure. You can learn more about the benefits of using a VPN in our blog post, “3 Reasons Why You Need A Secure VPN.”
Security Awareness Training that Covers Home Workers
An October 2022 UK Parliament POST brief on “The impact of remote and hybrid working on workers and organisations” concludes:
“Research suggests that cyber security challenges can arise from inadequate training and decreased levels of employee compliance with information security policy due to a lack of organisational support.”
A home-work environment has unique challenges, and Security Awareness Training must reflect this. Therefore, ensure that your Security Awareness Training program focuses on home working and security needs. Typical areas that Security Awareness Training should educate home workers on include:
- Be aware of leaving sensitive information open on the screen.
- Don’t remain logged in to apps when away from a workspace.
- Password hygiene and clean desk policies.
- Keep work and personal devices separate wherever possible.
- The importance of using a VPN.
- Their role in protecting data.
- Keeping devices and software up to date.
- Following security policies, even at home.
Apply Robust Access Control Policies
Home and remote working access to corporate apps and the network must be managed using principles such as least privilege access. However, robust access control must also become part of the general home office.
For example, device access must be protected using a biometric or strong PIN. Similarly, access to a home working computer must have robust access controls with biometric or strong password controls. App access should be enforced using two-factor authentication (2FA).
Even with a VPN, Wi-Fi should be made secure as a best practice. To secure a Wi-Fi network, create a secure Wi-Fi education pack to ensure that employees have the details needed to:
- Change the default Wi-Fi password and update the password regularly.
- Anonymise the Wi-Fi network name and don’t name the network using personal or identifying information.
- Enable network encryption on Wi-Fi routers, e.g., WPA and WPA2.
- Keep routers patched and up to date.
As more of us turn to remote or home working, it is vital to close the door to cybercriminals taking advantage of insecure practices. When creating security policies, remember to focus on the unique challenges of home working and security. It is also essential to empower employees with training to protect their working environment at home or in the office.