Work from home from a security perspective
Remote working has and will change the culture of how we work in the modern business world. Organizations throughout the world have had to adapt quickly to new ways of working to survive and prosper in what is becoming a very challenging economy.
In order to compete on a local and global level, and in order to secure jobs whilst increasing the competitive advantage, organizations and the working population will need to change the way they conduct business – and importantly, organizations will need to educate their staff on data protection, privacy and security risks associated with remote working and working from home.
Some of these risks may never be realized, but like with all security and privacy risks, all organizations need to prepare for the worst-case scenario and ensure their staff knows what to do, how to behave, and what are the crucial steps to take in the event of an incident. They will also need to have access to the tools and knowledge, so they can feel empowered and competent in dealing with an incident or request for information e.g. Phishing, or Data Subject Access Request. How to tell the difference and what to do when working from home is and will be challenging.
Despite these changes in working patterns, organizations still need to demonstrate how they comply with global privacy laws and security standards (e.g. GDPR, CCPA, Cyber Essentials, NIST Cybersecurity Framework, ISO 27001, etc.). Such standards already cover things like how to work safely from home and how to continue the safe transfer of data between businesses, organizations and/or countries – all from the relative (and somewhat illusory) safety of staff members' own homes.
Such guidance and training will require some carefully worded advice, because the controls or risk reduction technology you have installed at your place of work might not be in place in the home environment: e.g. the Wi-Fi access point might be incorrectly configured, or the organization's end-to-end encryption might only work on company-issued laptops while the workforce is using alternative or non-secured devices. Therefore, every organization will need to create simple, easy-to-use training and guidelines that help staff take corrective action and ensure they know what to do, when, and how.
Working from home has become a necessity for some people to help limit the spread of the COVID-19 coronavirus. But before you head out of the premises, you need to know how to protect your organization's information and yourself from the risks you face when working remotely or from home.
Security considerations when working at home
Our home is often the place we feel most secure, but this can blind us to potential risks. When you are working from home, you are responsible for keeping company information and devices safe, just as you would in the office. Below are some of the risks and solutions that need to be considered when home working.
Issue No. 1: Information being compromised in transit or intercepted by cybercriminals (also known as man-in-the-middle attacks)
The solution:
1. Only use your organization’s usual, approved methods for communicating and sharing files. Do not use personal email accounts to send or receive company information.
2. Change the default password of your router and ensure your home network is encrypted with at least WPA2 – if you're unsure, check your instruction manual or contact your ISP or broadband service provider.
Issue No. 2: Data loss/data leakage
The solution:
1. Keep documents and devices safe – securely lock them away when not in use.
2. Store any documents securely before bringing them back onto the premises. You can then dispose of them using a shredder or secure waste bin when you return to the office.
3. Shut down your laptop or company mobile phone when you have finished using them. This helps keep information safe if the devices are lost or stolen, as hard disk encryption only protects the data when the device is powered down, not while it is running and unlocked.
Issue No. 3: Increase in phishing attacks
The solution:
1. Do not open emails from unknown sources, download attachments, or click on links if you are not sure they are genuine. Always report them to your security team. Try hovering over the link: the real URL it points to often gives away where the message really comes from.
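The "hover over the link" check can be automated by a mail gateway or security team: compare the domain a link visibly displays with the domain its href actually points to. The example below is added here and is not part of the original article; the HTML email body is constructed, and the domain comparison uses a simplified "last two labels" rule rather than a real public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being parsed
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a full URL or of a bare 'host.example' string."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable_domain(host):
    # Simplification (assumption): last two DNS labels; a real filter
    # would consult the public-suffix list to handle e.g. co.uk correctly.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_mismatched_links(html):
    """Return (displayed text, real target host) for links whose visible
    domain differs from the domain they actually point to."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        looks_like_url = "." in text and " " not in text
        shown = host_of(text) if looks_like_url else ""
        target = host_of(href)
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append((text, target))
    return findings


# Constructed sample email body: one deceptive link, one honest link,
# one generic "Click here" link that displays no domain at all.
SAMPLE_EMAIL = """
<p>Please verify: <a href="http://login.examplebank-secure.test/x">https://www.examplebank.com/login</a></p>
<p>Intranet: <a href="https://intranet.example.com/wiki">intranet.example.com</a></p>
<p><a href="https://example.com/help">Click here</a></p>
"""

if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_EMAIL):
        print(f"Displayed {shown!r} but points to {real!r}")
```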
Issue No. 4: Handling confidential information
The solution:
1. Consider using a privacy screen for your laptop and make phone or video calls from a private room or even in your car whilst parked outside your home.
2. Lock your computer screen whenever you move away from it, especially as children might access the device.
3. If you make a video conference call, be aware of your surroundings and what people will be able to see in the background. Select a plain background and avoid areas where you can be overheard (which is tricky during lockdown).
Issue No. 5: Information or a device has been lost, stolen, or accessed by an unauthorized person
The solution:
1. Immediately report it to your line manager and any security support desk, or follow the breach incident reporting procedures. Contact your Security Officer or DPO, or, if in doubt, contact your Data Breach Incident Team.
In conclusion, the same security and privacy risks and mitigations should be considered when working from home. Without a doubt, criminals will be using this time to target individuals, whether to commit a crime against them individually or to use their credentials as part of an orchestrated attack. The legal and compliance obligations for any organization doing business also need to be considered, as regulators will not necessarily see the current crisis as an excuse to skip basic security or to neglect compliance with global privacy laws.
All organizations need to be designing, planning, and implementing a comprehensive set of training packages to address the points mentioned above. Neglect of these basic requirements will not be forgiven by your customers, clients or the regulators should your organization fall foul of the new norms of working from home, so be prepared to tell your story, and make sure it is robust and that the defense can stand up in court.
By Steve Wright
Partner at Privacy Culture Limited
United Kingdom