Working from home kept many organisations functioning during Covid. It also opened the door to a whole new world of cyber risk. With working from home now a well-established practice, that’s not going to change any time soon.
Indeed, it may become more widespread, with legislation supporting the right to request remote working due later this year. “It doesn’t give you the right to it, but the right to request it,” points out Elizabeth Bowen of the Small Firms Association.
“Obviously we need to remind people of the threat and risk of scams and malware that they face wherever they are working, but working from home increases the risk.”
For a start, it means more devices. “Previously people in administration roles for example wouldn’t have needed laptops, iPads or mobile phones. Now they do,” she says.
Standards of security at home may be more lax than employers might like. “When it comes to home wifi we tend not to have very strong passwords, often using the one it came with. At the very least there is a need to ensure those are changed,” she adds.
Ensuring the organisation is protected while employees work from home costs money. “It’s not just all the extra devices required but the antivirus software, the firewalls and the cyber awareness training that goes with it,” she says.
The cost is however minimal compared with that arising from a successful attack, either financially or reputationally.
“Too often small businesses think they are too small to be of interest to hackers but that is not the case. If anything they are seen as low-hanging fruit, easy to penetrate and hold to ransom,” warns Mark Jordan, chief strategy officer at Skillnet, the workforce development agency.
“What’s more, if they are selling into a bigger company as part of its supply chain, these will want to ensure that all providers have security infrastructures in place, to know that they take this seriously, as part of their vendor selection programmes,” he adds.
Increasingly that includes protocols in relation to remote working. “The genie is out of the bottle. Working from home is now part of our lives. Despite the fact that some companies are pushing to have employees return to the office more often most are still allowing employees to work from home some of the time,” says Karl Mc Dermott, head of connected solutions at Three Ireland.
“Remote working stretches the company security perimeter from the office to the devices that employees are using. This means that companies need to have security solutions in place to deal with this extra threat.”
That threat may be more varied than you think, including devices being lost or stolen, as well as illicitly gained data such as usernames and passwords already circulating online.
“Employee mobile devices are connected to the corporate network service. People can be fooled into clicking on links from SMS messages compromising the device. Employee devices used for personal and work use can open up back doors into corporate networks,” he says.
He points to a number of steps employers can take to minimise such threats, including the provision of VPN (virtual private network) access to any services on the company network to protect from data being compromised while employees are out of the office.
Switching on multifactor authentication (MFA), the mechanism whereby a second verification method is needed, normally by SMS or an authenticator app, will protect against a password being leaked or found on an open wifi network.
“Secure mobile devices the same way you would secure a laptop or desktop computer. This means putting mobile device management software on all devices. Employers also need to deploy security software such as 3Mobile Protect to protect mobile devices from threats like phishing, smishing and malware,” he suggests.
He advises against allowing employees to use public networks.
“Making use of public wifi makes your device or data more vulnerable to attacks. According to research from (anti-virus software company) Norton, 54 per cent of internet users use public wifi and 73 per ccent of people knew that public wifi is not safe, even if it is password protected,” he points out.
There are other risks to guard against too, such as people simply looking over your staff member’s shoulder in public spaces to capture passwords and data.
Back up your data regularly, encrypt data both in transit and at rest, and keep your software up to date, he advises. Stop the use of USB memory sticks or using third-party apps to send or store company data, such as documents and pictures, often referred to as “shadow IT”.
One of the best ways to protect your business as staff continue to work remotely is to introduce what are called “zero trust” technologies which require all users to be authenticated and authorised continuously, before getting or holding on to access to various company applications and data.
“Introducing zero-trust technologies allows companies to secure boundaries around applications rather than locations,” says McDermott.
And don’t be fooled into thinking that remote working is really only a risk if the staff member is working outside of the country. It isn’t.
“Once outside the office, the data is at risk. It does not matter whether the staff are in Ireland or abroad,” he points out.