As outlined in our last blog, working from home has found a new lease of life since the Covid-19 pandemic forced the global lockdown. Organisations that thought they couldn’t work from home have been forced to adapt quickly and carry on as close to normal working life as possible, or otherwise face possible closure.
Yet working from home does not come without dangers. There are several risks associated with working from home that should be identified and handled by both the employee and the organisation to protect information and the associated devices. Working from home, in most organisations, has always been a nice-to-have, with no formal guidance given on working safely at home. This is now set to change. The considerations that follow build on the guidance provided in a previous IASME Blog, ‘Cyber risks in the Covid 19 Era - protecting your business when working from home’.
Organisations should ensure that home working policies and documents are updated (or created), to allow for remote working and to help reduce the risk exposure. These documents should at least include the following sections and be made available to all employees by the most effective means necessary.
1 Anti-malware
Anti-malware, often known as antivirus software, is a software program that helps to protect your computer against dangerous software and threats. Anti-malware should be installed (if not already) and checked and updated regularly so that the device is assessed against the latest known threats. If you are a home worker and your anti-malware product is managed locally on the computer by yourself, how does the employer verify that the product is being updated and that there are no issues?
2 Backups and recovery
One key area commonly overlooked when working from home is the backing up of information. Understand where information is being stored and verify that it is being backed up correctly. Check that your policies and procedures require any saved information to be backed up. Is OneDrive, Google Drive, Dropbox or similar being used? Do you know the information is being held securely? More importantly, has the restoration of saved information recently been tested and did it work successfully?
The National Cyber Security Centre (NCSC) has an informative webpage which discusses the importance of backing up your information: https://www.ncsc.gov.uk/collection/small-business-guide/backing-your-data.
3 Phishing
Phishing emails are malicious emails made to look identical to real emails. Their use is on the rise. Viruses are also being spread through malicious email attachments. It is important to ensure that staff are made aware of how to identify these threats. There are several ways you can train your staff, such as reading guidance from trusted sources, for example, NCSC: https://www.ncsc.gov.uk/collection/small-business-guide/avoiding-phishing-attacks, or discussing training options. Your local IASME certification body may have some training options for you to explore.
4 Personal devices
If employees use their own personal devices, how does the organisation ensure that information is kept secure? Check that anti-malware is installed on the device in question (excluding iOS devices such as iPhones) and that mobile devices have a password or PIN on the lock screen to further protect the device. Mobile devices should also be centrally managed via a Mobile Device Management (MDM) solution. This allows the organisation to manage, control and update all mobile devices and to separate and protect areas of the device which store business-related information.
5 Remote access
Instead of opening your systems to the internet through services such as Remote Desktop (RDP), which allows you to access your computer’s desktop, you should ensure that all employees have access to a Virtual Private Network (VPN). This allows employees to securely access internal resources.
6 Software updates
Ensuring that software remains updated (patched) is critical to keeping your information and devices safe. When working from home this can bring up several challenges. You should introduce or update policies that require employees to install updates (patches) and keep their systems and applications updated.
If your organisation usually manages all the devices from the office network, can it still gain access to and update your home workers’ devices, or are updates now failing? For Windows you can go to the Settings -> Security and Updates page and look at the update history; have there been updates within the last few weeks? For macOS, have updates been applied? You can check this from the System Preferences -> Software Update screen.
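The two checks raised above (is the anti-malware product being updated, and have Windows updates been applied in the last few weeks) can be collected in one report that a home worker runs and sends to the employer. This is an added example, not part of the original article. It assumes Windows 10/11 with Microsoft Defender as the anti-malware product, and the 30-day and 3-day thresholds are illustrative policy values.

```powershell
# Added example: home-worker device health report (not from the original article).
# Assumptions: Microsoft Defender is the anti-malware product; thresholds are
# illustrative, with 30 days standing in for "the last few weeks".
param(
    [int]$MaxPatchAgeDays     = 30,
    [int]$MaxSignatureAgeDays = 3
)

$now      = Get-Date
$findings = @()
$sigAge   = $null
$patchAge = $null
$lastId   = $null

# Anti-malware: is Defender running, and how old are its definitions?
try {
    $mp     = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = ($now - $mp.AntivirusSignatureLastUpdated).Days
    if (-not $mp.AntivirusEnabled)          { $findings += 'Anti-malware engine is disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if ($sigAge -gt $MaxSignatureAgeDays)   { $findings += "Definitions are $sigAge days old" }
} catch {
    # The Defender cmdlet fails when another product is installed instead.
    $findings += 'Defender status unavailable; check the installed product manually'
}

# Updates: date of the most recently installed hotfix that carries a date.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($latest) {
    $lastId   = $latest.HotFixID
    $patchAge = ($now - $latest.InstalledOn).Days
    if ($patchAge -gt $MaxPatchAgeDays) {
        $findings += "Last update ($lastId) was installed $patchAge days ago"
    }
} else {
    $findings += 'No dated update history found'
}

# Emit one JSON record the employee can send back to the employer.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    CheckedAt        = $now.ToString('s')
    SignatureAgeDays = $sigAge
    LastUpdateId     = $lastId
    LastUpdateAgeDays = $patchAge
    Compliant        = ($findings.Count -eq 0)
    Findings         = $findings
} | ConvertTo-Json
```

Get-HotFix does not list every kind of update, so a stale date here is a prompt to look at the update history screen rather than proof that patching has stopped.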
7 Monitoring of devices
Even when working from home, the organisation should be monitoring devices for security incidents. Keeping track of login attempts and malicious activity is key to ensuring the protection of information.
8 Risk register updated
Finally, the risk register should be updated by the organisation to take account of home workers. Identify the risks home working may present and then consider how to reduce each risk and by what means. Once this has been identified, assigning a responsible owner of that risk is good practice.
Whether through necessity, such as the current Covid pandemic, or to provide flexibility for the employer or employee, working from home has its benefits. Being aware of the risks and taking steps to mitigate them can make a significant contribution to the continued success of any organisation. For more advice on working from home, the National Cyber Security Centre (NCSC) is a great resource with lots of practical hints, tips and good guidance.