The Covid-19 pandemic brought remote working into the forefront of people’s minds by normalising it. But remote working has been part of many people’s lives for years. Remote working is not just about working from home; it also includes working on the move via airports, trains, co-working spaces, and hotel rooms.
Also, since the Covid-19 situation, hybrid working has become normalised. This mix of in-the-office and at-home working remains popular: according to the ONS 2022 “Opinions and Lifestyle Survey (OPN)”, 38% of workers worked from home, at least some days, during the previous seven.
One issue with a remote work environment is securing this ‘satellite office.’ Here MetaCompliance explores some of the problems that home working brings to the cyber security table and what to do to close the door on remote work security challenges.
The Problem with Remote Working and Security
Remote and home working is likely to become a regular part of our working lives. Because of this, an organisation must become aware of the risks inherent in this change in working patterns and environment. These risks show up in the cyber security statistics, for example:
- A poll of 1,000 British firms by the British Chambers of Commerce (BCC) and Cisco found that more than half of firms felt exposed to cyber security risk through home working.
- According to one report, 20% of organisations believe a data breach occurred because of a remote worker.
- The Verizon Mobile Security Index report found that 79% of respondents are concerned that changes to working practices harm an organisation’s cyber security posture. The report also highlights the issue of mobile device security and remote working, with 52% of respondents admitting to sacrificing the security of mobile devices (and IoT devices) to “get the job done”.
- Cyber security policies are also being changed to allow remote workers to do their jobs unimpeded. A survey found that 26% of UK companies had relaxed their cyber security policy to enable employees to work remotely more easily.
Where Are the Security Risks when Working from Home?
Having employees work from home or remotely brings new risks into play, though these are typically not unknown risks. Areas where cyber-risk creeps in include:
Personal Devices
A UK Government DCMS “Cyber Security Breaches Survey 2022” shows that 45% of businesses allow employees to use personal devices such as laptops to carry out work-related tasks. The problem with this arises when there is no oversight or control of the device.
For example, if a device is used to send and receive business emails, are you sure that received emails are not phishing attacks or a scam?
Similarly, suppose your IT team is unable to ensure that mobile devices are updated and patched. In that case, security risks can creep in, data can leak, and malware can enter your corporate network.
Unsecured Home Devices and Networks
Insecure home networks can become an entry route for cybercriminals and lead to sensitive data exposure. Cybercriminals scan the internet for unsecured networks, and any security gaps will be exploited, including default passwords on IoT devices and Wi-Fi or unpatched routers.
Similarly, Wi-Fi printers should not be overlooked. An insecure connection to a Wi-Fi printer also opens the door to a cybercriminal. Again, printer vulnerabilities can lead to an exposed home network. A Quocirca Print Security Landscape 2022 study found that 68% of companies suffered data losses because of print-related insecurities.
Internet Use and Non-Compliant Behaviour
The adage “out of sight, out of mind” sums up how changes in behaviours and internet use when an employee is in their home lead to insecurities. An Avanti report found that 66% of IT professionals reported increased security issues caused by online remote working. Security issues included malicious emails, non-compliant employee behaviour, and software vulnerabilities.
A further study into the security behaviours of remote workforces found that risky behaviour was more prevalent in home-work environments, with issues such as leaving a computer unlocked when unattended. The study was performed during the Covid-19 pandemic and concluded that there was a need for “wellbeing and educational measures to help those at risk of PIU (problematic internet use) become more aware of how to spot the types of cybercrimes related to COVID-19.”
Shared Spaces
Risky behaviour, such as leaving sensitive emails and documents open on a computer left unattended, can open up security risks in shared homes. Shared spaces can turn into shared devices, and if those devices are logged into a corporate app or network, this can leave an organisation open to regulatory non-compliance or vulnerable to cyber attacks. Security concerns for remote working should also include co-working spaces – one study found that 23% of workers in co-working spaces had security concerns.
What Security Measures Can Help Secure Home-Based and Remote Workers?
There are several things that an organisation can do to help improve the security of its workforce for home working:
Supply a VPN
A virtual private network or VPN is a valuable tool that provides a secure connection between a user and a network/internet. For example, an employee with a correctly configured VPN can send and receive emails and other data securely. A VPN will protect any data traffic, even if the home network is insecure. You can learn more about the benefits of using a VPN in our blog post, “3 Reasons Why You Need A Secure VPN.”
Security Awareness Training that Covers Home Workers
An October 2022 UK Parliament POST brief on “The impact of remote and hybrid working on workers and organisations” concludes:
“Research suggests that cyber security challenges can arise from inadequate training and decreased levels of employee compliance with information security policy due to a lack of organisational support.”
A home-work environment has unique challenges, and Security Awareness Training must reflect this. Therefore, ensure that your Security Awareness Training program focuses on home working and security needs. Typical areas that Security Awareness Training should educate home workers on include:
- Be aware of leaving sensitive information open on the screen.
- Don’t remain logged in to apps when away from a workspace.
- Password hygiene and clean desk policies.
- Keep work and personal devices separate wherever possible.
- The importance of using a VPN.
- Their role in protecting data.
- Keeping devices and software up to date.
- Following security policies, even at home.
Apply Robust Access Control Policies
Home and remote working access to corporate apps and the network must be managed using principles such as least privilege access. However, robust access control must also become part of the general home office.
For example, device access must be protected using a biometric or strong PIN. Similarly, access to a home working computer must have robust access controls with biometric or strong password controls. App access should be enforced using two-factor authentication (2FA).
Secure Wi-Fi
Even with a VPN, Wi-Fi should be made secure as a best practice. To secure a Wi-Fi network, create a secure Wi-Fi education pack to ensure that employees have the details needed to:
- Change the default Wi-Fi password and update the password regularly.
- Anonymise the Wi-Fi network name and don’t name the network using personal or identifying information.
- Enable network encryption on Wi-Fi routers, e.g., WPA and WPA2.
- Keep routers patched and up to date.
As more of us turn to remote or home working, it is vital to close the door to cybercriminals taking advantage of insecure practices. When creating security policies, remember to focus on the unique challenges of home working and security. It is also essential to empower employees with training to protect their working environment at home or in the office.
