Information Security Risks – Tips for Working From Home
As more employees settle into the ‘new normal’ of home working, organisations need to be extra vigilant to the increase in cyber and other security-related risks attached to online and remote working.
Whilst most home workers can use secure Wi-Fi connections, this is not the case for everyone. Some still need to use unsecured public Wi-Fi networks, which are prime spots for hackers to spy on online activities and, even worse, to steal information.
Some home workers will have their own home networks. They will need to use these, and possibly their personal devices, to work remotely. Available protection will vary, and organisations will need to take care, as these devices and networks may lack the IT security protection built into business devices and networks, such as strong antivirus software and customised firewalls. Without adequate protection, there is an increased risk of home workers’ devices and networks being infected with malware and of information being compromised.
Added to this, malicious campaigns or ‘work from home scams’ targeting home working security vulnerabilities are on the increase. As a result, home workers need to be particularly alert to the threats of ‘phishing’ emails, ‘vishing’ voicemails and ‘smishing’ text messages.
In terms of protecting against these threats and vulnerabilities, it is important that an organisation-wide approach is adopted and home workers are discouraged from implementing their own measures. URM would recommend a good starting point is to conduct some form of risk assessment, to identify what additional threats are likely to materialise with users working from home, on a scale not previously anticipated.
Your organisation may already have home working protocols and a remote or home working security policy in place. Such a policy typically includes guidance on storing devices, the management of passwords, and the acceptable use of company assets, etc. Having conducted a risk assessment of current working practices, however, you may feel that certain controls need to be adapted or strengthened.
Let us look at the range of security measures that can be taken to protect your organisation, your home workers and the information controlled and processed.
Using unique, strong passwords on all online accounts is a good start. If only one password is used for all online accounts and it gets compromised, then all accounts are vulnerable. ‘Credential stuffing’, where compromised usernames and passwords are used to try to log into other online accounts, is rife. Obviously, it is difficult to remember multiple strong passwords, so a password manager, which creates, recalls and auto-fills passwords, could be an option.
Two-factor authentication is often used as an additional security step rather than just relying on passwords, adding an extra layer of protection to online accounts. It comes in many forms and can be email or text messages, biometric methods or additional physical items such as a token generator.
Virtual Private Networks or VPNs improve online privacy, encrypting all internet traffic. VPNs keep information away from snoopers, such as your internet service provider, malicious agencies, or hackers.
Setting up firewalls will prevent threats entering your systems by creating a barrier between devices and the internet, thus preventing malicious programs from getting onto home networks and accessing and stealing data. Operating systems on home devices typically have built-in firewalls. Hardware firewalls are also built into many routers. They just need to be enabled!
Another area to consider is installing strong antivirus software on all devices, which acts as your next line of defence after the firewall, detecting and blocking known malware. If malware does get onto a device, the locally installed anti-malware may be able to detect it and possibly remove it.
Changing ‘out of the box’ router passwords will protect the home network by preventing hackers from accessing connected devices. Additional measures that can be implemented are ensuring that firmware updates are installed, thereby patching known security vulnerabilities, setting encryption to WPA2 or WPA3, restricting inbound and outbound traffic, using the highest level of encryption available, and switching off WPS.
Making sure home workers regularly install software updates on company and personal devices is recommended. As said above, updates typically include patches for security vulnerabilities that have been identified since the last versions were released. In many cases, updates can be set to run automatically.
Backing up information is critical. Whilst backups to some form of hardware are still common, many organisations choose to store data in the Cloud. Cloud backup services come with many options to customise backup schedules, supported by a range of cost-effective storage options.
Home workers also need to be reminded that it is essential they continue to adopt the same working practices they have in the office. For example, if there is an organisational clear desk and screen policy, this should be followed when working at home. Alongside this, to minimise unauthorised viewing of computer screens, home workers should position their screens so they cannot be overlooked. For added protection, privacy screens are advisable. Printed documents and removable storage media should be securely locked away when not needed.
Finally, password-locking devices when they are not being used is always a good idea. If more protection is required, an additional full disk encryption tool can be used. If devices need to be physically secured, Kensington locks are a good option. Alternatively, when devices are not being used, simply lock them away.
Working remotely brings many benefits but also challenges. Adapting corporate policies to reflect the remote/home environment is essential. These steps will help you achieve this.