Author: Gary Hibberd

Date: 8th January 2021

 

Most of us have heard the saying “An Englishman’s home is his castle”. But while some may think it refers to the principle of protecting loved ones (and valuables), the original meaning was intended to refer to the principle that you can do as you please in your own home. And it’s almost held up as an ‘ancient right’.

 

Working At Home -Vs- Living At Work

In 2020 the lines were truly crossed when the vast majority of the country were forced to work from home. The phrase “You’re on Mute” became a standard opening for most meetings, as friends, families and colleagues got to grips with ‘Zoom’ and a plethora of other video conferencing tools.

But as people began working from home (or living at work), the lines between work and personal lives became increasingly blurred. Not from want, but from necessity. It forced people to turn their sheds, kitchens, bedrooms and living rooms into temporary office space.

Family pets and children soon became regular features in important client meetings. Along with these interruptions came the ringing doorbell, as the likes of Amazon, Tesco and other retailers delivered our shopping.

 

Privacy and Security

Of course, what someone does (within reason) within their own home is down to them, as long as it is within the boundaries of the law. But now that the lines have been truly blurred, you as an employer need to exert some influence in a space where traditionally you had no place going!

As employees, we all have a duty of care when accessing or using company assets, and this includes the technical devices we are provided with to carry out our roles and the data we access as part of those roles.

We need to consider that the security of data, which is usually provided and assured by the technical and physical environments of the companies we work for, is now OUR responsibility. Some might argue (and I’m one of them) that all of us have had a collective responsibility for security from the outset. But this has been thrown into stark relief now that we’re working remotely.

 

Where do we start?

As always, it starts with education and communication. We need to have conversations with our teams about the need for continued security and privacy in our daily (professional) lives. Although we can’t mandate controls (more on this later), we can offer advice and assistance so that our teams are better equipped to continue to operate effectively, safely and securely.

 

PPT – People, Process, Technology

We (in the Cybersecurity world) have spoken about the need to consider ‘PPT’, when considering how to protect organisations. I believe now more than ever this is truly important, but we need a rethink. We need to think about PPT in the context of the home worker. Our approach needs to evolve because home working IS the ‘new norm’. We need to recognise that it’s now simply ‘Norm’, and we’re not going to be rushing back to the ‘old norm’ any time soon.

So here’s what I think we need to do to make your home your castle.

 

People

Speak to your teams, both individually and collectively about what concerns them. Do they have all the right equipment to work for prolonged periods at home? Have you asked WHERE they are working? Are they in a cramped bedroom, sat alongside boxes of old CDs and DVDs? Are they sharing that bedroom with their kids, because it’s the only place WiFi works?!

Of course, you won’t be able to offer to build them purpose-built office space, but being aware of their working environment can help you appreciate their situation, or perhaps adjust their working processes.

Now is also the time to educate your staff about the dangers of Cybercrime. Yes, I’m sure you have a wonderful training programme that you run annually. But now is the time to talk about online scams linked specifically to COVID-19, and how scammers are capitalising on the remote environment this pandemic has created.

Promote greater awareness around what to do if someone spots something ‘phishy’. Promote greater awareness around the need to take regular breaks in the day and set clear ‘start’ and ‘stop’ times for the day. Those that know me, know that I love to wear a good waistcoat during working hours. But I don’t dress that way ALL the time. Once the waistcoat comes off, I’m no longer at work… and even my dog knows that!

 

Process

Depending upon your sector, things have either changed dramatically or very little. The service industry, including call centres, financial advisors, consultants (HR, cyber, PR etc.), have adjusted to working remotely with relative ease. Technology has allowed us (all) to do this. But what about industries which rely on documentation, such as the legal or health care sectors? How are physical documents and media being controlled?

What about clear desk policies? How is security being considered when it comes to storing sensitive records (e.g. keeping them secure from the kids, partners, etc.)?

Take time to review your processes and consider what needs to change to ensure you continue to operate in a safe and secure manner.

 

Zoom in the Room

While we’re thinking about processes, it’s worth looking at how we conduct meetings because they also represent potential issues for us. In the past, meetings would be held in secure office spaces and meeting rooms. But now are they being conducted in shared locations, such as kitchens, living rooms, bedrooms etc? If they are, then although those around can be trusted (I’m sure), are we breaching some forms of confidentiality by having these conversations in front of our families?

Of course, it depends on the sector you are in, and it may not be an issue. But if, for example, you work in the health sector and are discussing someone’s mental well-being, or you work in HR and are discussing a disciplinary matter, is the front room the best place to hold that meeting?

I’m sure most of us are professional enough to know how to moderate and manage this, but have you considered the risks? Is an update to your security policies and processes required?

While we’re talking about Zoom: do you and your team know how to configure online conferencing tools so that they are secure from prying eyes? If not, then now is the time to find out and help them secure their own meetings.

Technology

This is almost where we loop back to the beginning, to People, because although there are technical measures we can put in place, some of the best methods to protect ourselves require individual responsibility and action from our teammates.

Review Policies

One of the first things to do is to revisit your Cybersecurity or Information Security policies and review what they say in relation to remote working. If they’re still relevant, then consider reminding staff that the policy still applies, and highlight anything you feel is of particular concern or warrants special attention.

Secure the Network

In many training programmes, we tell people not to connect to unsecured devices, including routers. But how many of our staff are using routers that haven’t been updated in years? Or have admin passwords set to ‘Admin’? If Cybercriminals can take over your router, then they can pretty much connect to any device that is connected to that router, including your company devices.

You may need to provide some assistance in explaining how to change the password on the router, but it’s usually pretty simple (e.g. “Login to Router admin panel using its default IP Address – 192.168.0.1 / 192.168.1.1.”).

An additional approach to secure the connection to sensitive data is to encourage the use of a VPN (Virtual Private Network). Perhaps identify a good VPN and provide some support (financial and technical) to install it on the devices your teams are using to access client data. This should be for all devices that might access your corporate networks.

Enable 2FA

Encourage your teams to implement 2FA (Two-Factor Authentication), so that any login attempts will be quickly identified. This should be enabled on professional and personal accounts, such as online banking and shopping. Most devices and systems allow some form of 2FA setup (including Facebook, O365 etc.), so help your teams to help themselves (and help you in the process).

Update systems

If you don’t have the capability to check centrally, you should explain to staff how they can update their devices with the latest security patches. As with many things, it’s the simple steps that often have the biggest impact. Getting staff to check for updates on their devices will ensure that there are no gaps for the Cybercriminals to crawl through!

Firewalls, Anti-malware and Anti-virus

This is the holy trinity in protecting your devices: ensuring firewalls, anti-malware and anti-virus are installed, configured correctly and up to date is going to take you a long way towards protecting the data your teams are accessing.

These tools should be installed and configured on all devices, including mobile devices, that access data.

Encryption

One way to protect data is to ensure you are using Encryption tools where and when possible. Encrypting devices will protect data if a device is lost or stolen. Although it’s not likely your staff will be leaving home for any prolonged periods of time, the truth is that ‘traditional crime’ isn’t going anywhere. We may claim our homes are ‘our castles’ but everyday burglary is still a concern, and I’m guessing your teams’ homes aren’t as physically secure as your office space.

If a device is lost or stolen, and it is NOT encrypted, there may be a chance that you will need to inform the ICO of the data breach, which could cause you yet more heartache. So do yourselves a favour and enable encryption on those devices.

 

Conclusion

There are a lot of things to consider when thinking about securing a network. I recall talking to people, a long time ago, about the difficulties in security because data no longer ‘sits’ in a Data Centre. It lives and spreads across multiple devices, so securing a Data Centre is great, but not the end of the story.

The same has happened with banking. In the past, criminals had to target a physical location and steal from a highly secure establishment. But with the advent of online banking, we effectively built a million doors into the banking infrastructure, and now we have to protect each and every door.

That is where we are today. We have built 10, 100, 1000 access points into our businesses, and right now, we are not protecting them very well. We need to proactively protect them and help our teams understand how.

That’s how we can turn our homes into our castles.
