The Cyber Security Risks of Remote Working

Remote working looks like it is here to stay and, if anything, organisations are looking to increase the number of employees who work from home.

There are obvious benefits of working from home for both employers and employees. Huge cost savings for businesses make remote working very attractive. In fact, research suggests that operational costs can be reduced by one third. And for employees, remote working offers greater flexibility and means that they can work anywhere in the world.

On the flip side, working from home can introduce cyber security risks that should be addressed to ensure the safety of both parties. Unfortunately, it’s not just a case of plug in and go.

That said, with the right guidelines and appropriate controls in place, remote working shouldn’t be a show-stopping issue, and it should not be regarded as such by organisations. There are so many benefits to this new way of working, and the key to successful cyber security at home starts with awareness and a proactive, pragmatic and balanced approach.

We speak to many organisations that assume they can’t do much to control the risk from staff who are working from home. In fact, there are several controls that can be put in place to address the security risks of remote working.

The international standard ISO/IEC 27002:2022 addresses remote working:

“Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organisation’s premises.”

The standard sets out some of the guidelines and measures to be considered, which include the provision of suitable equipment and storage furniture for the remote working activities, a definition of the work permitted, the provision of training for those working remotely, the provision of suitable communication equipment and physical security.

So, what are the cyber security risks of working from home?

  • User-owned devices or BYOD (Bring Your Own Device)

  • Out-of-date antivirus software

  • Physical security and theft

  • Data exfiltration

  • Devices are not secured and can be accessed by family members

  • Insecure home Wi-Fi connection or network vulnerabilities

  • Use of weak passwords

  • Webcams that are plugged in when not in use

  • Use of software that is not updated

  • Two-factor authentication is not enabled

  • Online meetings where confidential documents can be seen on desks and/or inadvertently exposing confidential data when sharing screens

What can employers and employees do to mitigate the cyber security risks of working from home?

  • Protect company devices with approved antivirus software and firewalls

  • Document a remote working policy. Some guidance on what needs to be covered can be found on the ICO website

  • Document a BYOD (Bring Your Own Device) policy if applicable. Again, you can find guidance on the ICO website

  • Provide cyber security awareness training for ALL staff

  • Physical security, e.g. don’t leave mobile devices unattended when the doors and windows are open

  • Clear desk and clear screen, e.g. lock away sensitive data in a secure filing cabinet and lock device screens when away from your desk

  • Encrypt mobile devices and enable remote wiping capabilities

  • Prevent users from connecting removable media to mobile devices

  • Secure home Wi-Fi by creating a strong and unique password and make sure the name of your wireless network can’t be used to identify you

  • Ensure that staff use a VPN which is kept up to date with security patches

  • Encourage employees to use strong passwords and consider using a password manager. Have a read of our blog Strong and Secure Password Guidance and Tips

  • Implement two-factor or multi-factor authentication to validate credentials and secure systems and applications

  • Change and update default Wi-Fi passwords and update firmware on routers and IoT devices

  • Implement monitoring to detect suspicious user activity

  • Ensure backups of endpoint devices, e.g. laptops and mobile phones, are enabled and carried out on a regular basis

Companies must acknowledge the unique risks that are associated with remote working and empower their staff with the tools that they need to deal with any risks that may arise.

If you would like us to help you with consultancy or training your staff in cyber security awareness, please get in touch with us today and we can tailor a solution to fit your unique needs.
