Home working increases cyber-security fears

Peter says that the cyber-attacks on his company are relentless.

A man typing on a keyboard
image captionCompanies are constantly facing cyber-attacks, and staff working from home can make them more vulnerable

“We see tens of different hacking attacks every single week. It is never ending.”

A senior computer network manager for a global financial services company, Peter (who did not want to give his surname, or the name of his employer, due to his firm’s anxieties surrounding cyber-security), says they are bombarded from all directions.

“We see everything,” he says. “Staff get emails sent to them pretending to be from the service desk, asking them to reset their log-in passwords.

“We see workers being tricked into downloading viruses from hackers demanding ransoms, and we have even had employees sent WhatsApp messages pretending to be from the CEO, asking for money transfers.

“And having staff working from home during the lockdowns has just made it worse, as it is much harder to keep an eye on everyone.”

A man working in his kitchen
image captionIf you thought your cyber-security had been compromised, would you know how to contact your IT department?

With one in three UK workers currently based exclusively at home, and the same level in the US, this remote working on a vast scale continues to be a major headache for the IT security bosses of companies large and small around the world.

And studies shows that many firms are not taking the issue as seriously as they should. For example, one in five UK home workers has received no training on cyber-security, according to a recent survey by legal firm Hayes Connor Solicitors.

The report also found that two out of three employees who printed potentially sensitive work documents at home admitted to putting the papers in their bins without shredding them first.

Meanwhile, a separate UK study last year found that 57% of IT decision makers believe that remote workers will expose their firm to the risk of a data breach.

“In the rush and panic to set remote working practices up, even simple data protection practices were ignored,” says Christine Sabino, a senior associate at Hayes Connor.

Christine Sabino
image captionChristine Sabino fears that in the haste to set up home working, some firms ignored cyber-security issues

“Companies did not provide additional security relating to computers, electronic communication, phone communication.”

So what can both companies and home working staff do to make things as safe and secure as possible?

Ted Harrington, a San Diego-based cyber-security specialist, and author of Hackable: How To Do Application Security Right, says firms should have started by giving all home workers a dedicated work laptop. While many larger companies may well have done this, not all smaller firms necessarily have the resources to do so, but Mr Harrington stresses its importance.

“Supply staff with laptops and other equipment that are owned, controlled and configured by the company,” he says. “This alleviates the burden on your people to set things up right, and ensures they follow the security controls the company wants.”

Ted Harrington
image captionTed Harrington says that workers should not be too scared to report a possible cyber-security breach

Definitely don’t have staff using their personal computers for work, says Sam Grubb, an Arkansas-based cyber-security consultant, and author of forthcoming book How Cybersecurity Really Works.

“The main problem with using your own computer to do work is that you are not limited in what you can do on it, nor are you necessarily the only one that uses it,” he says.

“So while you might not be visiting a shady website to download movies for free, your teenage son could be doing that exact thing on your home laptop without you even knowing.

“This makes it much easier for malware or other attacks to happen. This might affect the work you are doing, or in a worst-case scenario, lead to the compromise of co-workers’ devices, or other company devices such as servers.”

Mr Harrington says that the next step is that companies must set up a VPN or virtual private network, so that remote computers have secure and encrypted connections with the firm’s servers and everyone else in the company.

A man shredding paper
image captionShould firms give home workers shredders?

Mr Grubb uses a transport and wildlife analogy to explain how VPNs work. “A VPN is like a tunnel between two cities,” he says.

“Instead of driving through the dark forest full of tigers, lions and bears, you drive through the underground tunnel, where no one can see you driving until you reach your destination on the other side.”

However, even with work laptops, VPNs and the latest cyber-security software systems in place, staff can still make damaging mistakes, such as falling prey to a “phishing” email – a malicious email pretending to be a legitimate one in order to trick someone into handing over sensitive data.

Currently such scam emails doing the rounds include some that are pretending to be informing the targeted person that they have been exposed to Covid-19, or invited to have the vaccine. They ask the recipient to clink on the link, which then tries to download malware onto his or her computer.

Presentational grey line
New Tech Economy

New Tech Economy is a series exploring how technological innovation is set to shape the new emerging economic landscape.

Presentational grey line

For this reason, both Mr Harrington and Mr Grubb say that it is essential that businesses give staff proper cyber-security training.

“Firms should be providing training to help their employees understand the threats they face,” says Mr Grubb. 

Ms Sabino adds that both staff and their bosses need to do their bit. She says, for example, that employees should avoid talking about work on social media, while firms should give shredders to home workers who need to print things out.

Tsedal Neeley
image captionHarvard University’s Tsedal Neeley says that staff need to know who to call in the IT department

With even the most cyber-security aware home workers just one click away from making a mistake, Mr Harrington says that firms need policies in place so that staff know who to immediately report a threat to.

“If an employee falls victim to an attack, make sure that they know a) who to contact, and b) that their outreach is welcome and won’t result in termination,” he says. “You don’t want people afraid of repercussions and thus covering up mistakes.”

Tsedal Neeley, a professor of business administration from Harvard Business School who is an expert on remote working, agrees that home workers should know exactly who to report cyber-security problems to. “Engaging with their firm’s IT/cyber-security experts is crucial,” she says.

Peter, the computer network manager, says this engagement should be frequent. “Users should be suspicious of anything that they are not 100% confident about, and it does not hurt to ask your IT department. It is better to check than be compromised.”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.