What are the cyber risks of working from home and how can Cyber Essentials protect your business?
As many organisations increase the number of employees working from home, the need for increased vigilance against cyber threats is becoming clear. People are using new equipment at home in a less controlled environment than the familiar surroundings of their office. Adhering to the five technical controls required for the government-approved Cyber Essentials certification will help keep data safe from cyber criminals in the COVID-19 era.
So, how can the five controls from Cyber Essentials certification help to make working from home safer for organisations?
- By using a firewall to secure your internet connection
A firewall creates a buffer between your computer and the internet. Many organisations will have a dedicated boundary firewall to protect their whole network, but employees working from home must make sure that they are using a personal firewall on any internet-connected laptop or computer. This is often included within an operating system and just needs to be activated.
- Always choose the most secure settings for your devices and software
This control is particularly important when employees are setting up new software and devices for home working. Manufacturers often set default configurations to be as open as possible to allow as much connectivity as possible. Unfortunately, this openness can also allow cyber attackers access to your data. Settings within new devices and software should always be checked to ensure they have the right level of security; any unnecessary functions should be disabled, and strong passwords should be added to both devices and accounts.
- Ensuring control over who has access to your data and services
It is always important to check what privileges your accounts have, but maybe even more so without the safety net of the office environment. Admin accounts should only be granted to those people who need to perform administrative tasks. If an attacker gains unauthorised access to an admin account, they can do far more damage than with a standard user account. The fewer admin accounts you have, the less chance you have of one being breached. You also need to remind employees to only use software from official sources, such as manufacturer-approved stores.
- By protecting yourself from viruses and other malware
Cyber criminals are keen to exploit vulnerable systems, and there are many ways viruses and malware can access a computer, including through an infected email attachment, USB stick or a malicious website. There are several ways to protect your data from viruses and other malware, and Cyber Essentials certification gives you a variety of approaches to implement, including anti-malware measures, only allowing approved software, and sandboxing. These will help protect home workers from malicious cyber attacks.
- Keeping your devices and software up to date
It is really important that employees working from home are able to update (or patch) operating systems, programs, phones and apps. By setting these to “automatically update” you can make sure they are protected as soon as an update is released. You must also make sure that all home workers are provided with fully supported hardware and software to help keep your business data safe.
Finally – phishing. It is a sad fact that cyber criminals are constantly looking for ways to exploit vulnerabilities, and there has been a noticeable increase in phishing emails using COVID-19 and furloughing as their subject. The Cyber Essentials controls will help protect against some of this activity, but you should also remind employees to look out for these types of emails and not to reveal any sensitive information unless they have checked the source of the email. Additional guidance is available from the NCSC.
The Government’s Cyber Aware campaign gives more general advice about how to stay secure online during coronavirus. This campaign encourages people to “Stay Home. Stay Connected. Stay Cyber Aware” and publishes its top tips.
Please note, this blog may contain guidance and information that is outdated.
On 24th January 2022, the Cyber Essentials technical requirements were updated in line with current cyber security threats. The self-assessment question set changed from version ‘Beacon’ to version ‘Evendine’. Blogs and articles published before that date may no longer accurately reflect the Cyber Essentials requirements.