What Home Workers Need to Know About CyberSecurity
Remote working works!
The most recent data from the UK Office of National Statistics has found that 35% of working adults are working exclusively from home, while in the US, Upwork found that “42% of the American workforce remains fully remote”.
After many long months of the pandemic it seems that organisations and their employees are adapting to, and valuing the benefits of, remote working which include:
- A better work / life balance and improved wellbeing for employees
- Increased job satisfaction
- Increased productivity
- Positive impacts for the environment
Perhaps not surprisingly then, a July 2020 Gartner survey found that 82% of company leaders plan to continue to allow employees to work remotely, at least part of the time, after the pandemic.
What’s not to like?
Remote working seems like a win-win for organisations and their employees, but there are potential downsides in terms of information security and data privacy. The sudden and dramatic impact of COVID-19 meant that this massive shift to working from home was largely unplanned. Consequently, we have seen a surge in security breaches directly related to remote working. An August 2020 survey from Malwarebytes found that:
- One in five organisations reported facing a security breach as a result of a remote worker
- One in four said they paid unexpected expenses to address a cybersecurity breach or malware attack following shelter-in-place orders
Here are just a few of the security issues related to remote working:
Mixing personal and professional
More home working has meant that the boundaries between our personal and professional lives have become even more blurred. A recent Mimecast survey found that 73% of respondents used company-issued devices for personal matters, including personal e-mail, financial transactions, online shopping and personal social media. Conversely, Malwarebytes found that 28% of their respondents were using personal devices for work-related activities. Either way, this mixing of the personal and professional exposes organisations to increased cybersecurity risk.
Home network configurations are often less secure than the connections employees would be using in the office. For example, routers and Internet of Things devices that still operate with default login credentials (as many do) are vulnerable to attack. As a result, home networks have been found to be 3.5x more likely than corporate networks to have at least one family of malware. VPNs and cloud-based secure web gateways may be available to home-based employees but enforcing their use can be a challenge for security teams operating at arm’s length.
More remote working means more outbound e-mail, which means more e-mail-related data breaches. A recent report from Egress found that 94% of organisations have experienced an increase in outbound e-mail traffic due to remote working during the pandemic. Perhaps as a result, in October 2020, and for the second quarter in a row, the UK Information Commissioner’s security trends report saw misdirected e-mails as the top cause of security incidents. Egress also found that 93% of organisations had suffered e-mail data breaches in the last 12 months. Some of the main causes were:
- Wrong recipients added
- Wrong files attached
- Encryption not used
- Errors using Bcc
- Intentional exfiltration
Much as e-mails from Nigerian princes raise nothing more than a wry smile these days, phishing still works. Attacks continue to get more sophisticated, often targeting home workers with messages apparently from their organisations’ senior leadership or IT support, or tapping into our understandable fears and concerns about the pandemic. According to Symantec, “phishing increased significantly during the first quarter of 2020, accounting for 1 in every 4,200 emails.” And it seems we just can’t resist. Although 96% of respondents to the Mimecast survey claim to be aware of the risks of links in e-mails, 45% of respondents to the same survey admitted to opening e-mails they considered to be suspicious!
When people are the problem, training is the answer… isn’t it?
Technical security measures to support home workers will, no doubt, continue to improve over time, but, as we are all aware, the vast majority of data breaches and security incidents are caused by human error, and it would seem that this risk is exacerbated when we work from home.
Our go-to solution for ‘the human factor’ risk is training, and any organisation of any scale now routinely deploys information security and data privacy training to its employees. However, the Malwarebytes survey found that the challenge that most respondents (55.4%) were worried about was training employees on how to be security compliant at home. So, perhaps not surprisingly, 44% of respondents said that they did not provide cybersecurity training that focussed on the potential threats of working from home.
Given the surge in security breaches associated with the increase in remote working, it certainly seems that the standard, generic security and data privacy training simply isn’t hitting the mark.
If you think your security and privacy training may not be addressing the unique risks of the home working environment, here are a few tips to improve the security and privacy behaviours of home-based employees:
DON’T roll out the standard corporate training and expect your employees to make the connection to their home environment.
DO tailor your awareness training to give people relevant and useful support and guidance specific to home working.
DO acknowledge the overlap between the personal and professional, and while you’re helping people keep corporate data safe, also help them to keep themselves and their family safe online.
DO help employees to use the tools available to them (such as VPNs and encryption) to keep data secure.
DO combat a potential sense of isolation and fear of a blame culture by encouraging employees to use the available support channels and to speak up if they have an issue or concern.
DON’T make security and privacy training a one-and-done event; regular reminders drive better outcomes.
DO make your training short and to the point – especially if you are going to increase frequency.
DO focus on behaviour and motivation over knowledge and rules (see this article from Security Intelligence for some interesting examples and ideas from behavioural science).