Homeworking increases cyber-security fears

Peter says that the cyber-attacks on his company are relentless.

“We see tens of different hacking attacks every single week. It is never ending.”

A senior computer network manager for a global financial services company, Peter (who did not want to give his surname, or the name of his employer, due to his firm’s anxieties surrounding cyber-security), says they are bombarded from all directions.

“We see everything,” he says. “Staff get emails sent to them pretending to be from the service desk, asking them to reset their log-in passwords.

“We see workers being tricked into downloading viruses from hackers demanding ransoms, and we have even had employees sent WhatsApp messages pretending to be from the CEO, asking for money transfers.

“And having staff working from home during the lockdowns has just made it worse, as it is much harder to keep an eye on everyone.”

With one in three UK workers currently based exclusively at home, and the same level in the US, this remote working on a vast scale continues to be a major headache for the IT security bosses of companies large and small around the world.

And studies shows that many firms are not taking the issue as seriously as they should. For example, one in five UK home workers has received no training on cyber-security, according to a recent survey by legal firm Hayes Connor Solicitors.

The report also found that two out of three employees who printed potentially sensitive work documents at home admitted to putting the papers in their bins without shredding them first.

Meanwhile, a separate UK study last year found that 57% of IT decision makers believe that remote workers will expose their firm to the risk of a data breach.

“In the rush and panic to set remote working practices up, even simple data protection practices were ignored,” says Christine Sabino, a senior associate at Hayes Connor.

“Companies did not provide additional security relating to computers, electronic communication, phone communication.”

So what can both companies and home working staff do to make things as safe and secure as possible?

Ted Harrington, a San Diego-based cyber-security specialist, and author of Hackable: How To Do Application Security Right, says firms should have started by giving all home workers a dedicated work laptop. While many larger companies may well have done this, not all smaller firms necessarily have the resources to do so, but Mr Harrington stresses its importance.

“Supply staff with laptops and other equipment that are owned, controlled and configured by the company,” he says. “This alleviates the burden on your people to set things up right, and ensures they follow the security controls the company wants.”

Definitely don’t have staff using their personal computers for work, says Sam Grubb, an Arkansas-based cyber-security consultant, and author of forthcoming book How Cybersecurity Really Works.

“The main problem with using your own computer to do work is that you are not limited in what you can do on it, nor are you necessarily the only one that uses it,” he says.

“So while you might not be visiting a shady website to download movies for free, your teenage son could be doing that exact thing on your home laptop without you even knowing.

“This makes it much easier for malware or other attacks to happen. This might affect the work you are doing, or in a worst-case scenario, lead to the compromise of co-workers’ devices, or other company devices such as servers.”

Mr Harrington says that the next step is that companies must set up a VPN or virtual private network, so that remote computers have secure and encrypted connections with the firm’s servers and everyone else in the company.

Mr Grubb uses a transport and wildlife analogy to explain how VPNs work. “A VPN is like a tunnel between two cities,” he says.

“Instead of driving through the dark forest full of tigers, lions and bears, you drive through the underground tunnel, where no one can see you driving until you reach your destination on the other side.

However, even with work laptops, VPNs and the latest cyber-security software systems in place, staff can still make damaging mistakes, such as falling prey to a “phishing” email – a malicious email pretending to be a legitimate one in order to trick someone into handing over sensitive data.

Currently such scam emails doing the rounds include some that are pretending to be informing the targeted person that they have been exposed to Covid-19, or invited to have the vaccine. They ask the recipient to clink on the link, which then tries to download malware onto his or her computer.

For this reason, both Mr Harrington and Mr Grubb say that it is essential that businesses give staff proper cyber-security training.

“Firms should be providing training to help their employees understand the threats they face,” says Mr Grubb.

Ms Sabino adds that both staff and their bosses need to do their bit. She says, for example, that employees should avoid talking about work on social media, while firms should give shredders to home workers who need to print things out.

With even the most cyber-security aware home workers just one click away from making a mistake, Mr Harrington says that firms need policies in place so that staff know who to immediately report a threat to.

“If an employee falls victim to an attack, make sure that they know a) who to contact, and b) that their outreach is welcome and won’t result in termination,” he says. “You don’t want people afraid of repercussions and thus covering up mistakes.”

Tsedal Neeley, a professor of business administration from Harvard Business School who is an expert on remote working, agrees that home workers should know exactly who to report cyber-security problems to. “Engaging with their firm’s IT/cyber-security experts is crucial,” she says.

Peter, the computer network manager, says this engagement should be frequent. “Users should be suspicious of anything that they are not 100% confident about, and it does not hurt to ask your IT department. It is better to check than be compromised.”