The global pandemic and the spread of COVID-19 have created a huge shift in working life, as most organisations have adopted homeworking to reduce the risk of the coronavirus spreading. However, this shift has caused an increase in cyber security attacks across the UK, which has led to a rise in organisations bolstering their cyber defenses.
As with all improvements and developments in technology, there is a higher risk of errors being made, which can lead to serious cyber security breaches. ECSC Group Plc (ECSC) has created a guide for small to medium-sized organisations which highlights the cyber security risks of homeworking. The guide aims to provide defensible approaches that should be used to manage the risks, and highlights basic security principles organisations should follow to avoid Information Commissioner’s Office (ICO) breaches.
Errors and Phishing
The main cyber security risks associated with homeworking include hackers exploiting errors in organisations' cyber security defenses, rather than targeting them for the information or systems they own; and criminals exploiting emergency situations, particularly in attempting to trick users with phishing attacks. In line with ECSC’s principle of prioritisation, it is advised that organisations educate employees with phishing training, as this is the easiest way for hackers to exploit information.
Personal and Business devices
Generally, an organisation's cyber security defenses are significantly weakened when employees use a mix of personal and business devices for work purposes. This practice is not recommended as it increases the risk of a potential breach. It is statistically proven that better security is achieved when work-related activities are completed on a work device and personal activities are restricted to a personal device.
In the context of homeworking, organisations should provide their employees with company-owned and secured devices and restrict their usage to work-related activities only. When remotely used devices are under the control of an organisation, security measures can be put in place, including protecting devices with anti-virus software; applying regular security patching; and ensuring users do not have administration rights.
The homeworking environment can also mean that screens, documents and work-related conversations become available to family members and other cohabitants. Therefore, organisations should guide their employees on how to handle information and data in order to comply with any ICO regulations in place. Additional information leaks can occur with video conferencing and screen sharing, so employees should be advised to regularly check the participants on a call to ensure they are not sharing information with a potential hacker.
A traditional virtual private network (VPN) connection in an organisation’s cyber security defense system is the safest method for employees to work remotely. However, it is vital to understand that with any remote access, a hacker will attempt to steal passwords in order to connect to an organisation's information and systems. Therefore, it is advised to implement 2-factor (or multi-factor) authentication (2FA/MFA) for remote access. This will allow employees to receive a code or a request on a mobile device to verify their identity when logging into a device. If organisations are unable to restrict all remote devices via a VPN, then there is a risk of opening up services to the Internet, which hackers can easily access.
Organisations need to ensure that any new Internet-facing services are planned, understood, secured, and tested before use. Over the last two years, over 80% of ECSC incident response call-outs have been related to cloud projects. Organisations are therefore advised to test all emergency changes in the shortest time-frame possible to avoid any security breaches.
It is clear that homeworking is the way of the future and is likely to be an ongoing method used by organisations post-COVID-19. Therefore, it is vital that organisations focus on having security measures in place to protect information and data in order to reduce the risk of cyber threats and any breaches. If you would like more information on the services provided by ECSC, or would like advice and guidance, please visit www.ecsc.co.uk or call 01274 736 223.