As lockdown eases, many businesses are preparing for employees to return to the office. But are their corporate networks ready? Are adequate security measures in place to protect systems from the increased risk created by months of staff, and their equipment, working from home? Cyber criminals follow changes in how employees work and aim their attacks where defences have weakened. We saw this in the spike of phishing campaigns themed around working from home, and it will continue to evolve as workforces change their working practices once again.
When remote working arrived suddenly earlier this year, some organizations were able to issue company-standard devices with centrally managed, regularly updated antivirus and patching. For the majority, however, there was a scramble to equip staff with whatever machines would enable a quick working-from-home setup. As we now raise our heads above the parapet, we are seeing an abundance of employee hardware that lacks basic security controls and is about to reconnect to the corporate network, putting sensitive data at risk.
Computers used for remote working are likely to hold confidential company data and to have been shared with family members who may have visited insecure websites or installed untrusted software, with no guarantee that the machines have been patched and maintained over recent months. The big question is: can these external devices be trusted back onto the corporate network?
Businesses need to carry out risk assessments and put best practices in place before these devices reconnect. First, staff need to disclose where company data has been saved and under which accounts, work or private. Was it a personal cloud service such as Google Drive, OneDrive, or Dropbox? All of this needs to be recorded so that the risk can be minimized, the data secured, and General Data Protection Regulation (GDPR) compliance maintained.
Second, if employees have been sharing devices with household members, have they given away their passwords? Is the same password used for work and personal accounts? What software has been installed or removed, and by whom? Were there any security warnings, such as malware detected by antivirus software? Has any confidential paperwork been printed at home, and was it shredded or simply dropped in the trash? Where employees have access to sensitive information, these questions need to be answered before they rejoin the organization's network.
If a company allows all machines back onto its corporate network regardless, it will have to rely on network monitoring and, most critically, on monitoring the activity of the people inside that network. It is people who pose the greatest business risk when they lack ongoing cyber-security awareness training. They operate inside the company's network every day, sending and receiving data through a multitude of access points. Left untrained, employees are a hacker's haven, an easy way into the entire network that bypasses the technological measures meant to keep attackers out. Trained, employees are your greatest line of defense, your "human firewall."
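The readmission questions above (patch state, antivirus status, household sharing, password reuse, unsanctioned cloud storage, unknown software) can be turned into a fail-closed posture check that decides, per device, whether it may join the corporate network, must sit on a remediation network first, or must be held for forensic review. The following is an added example written for this page, not code from the author or from any product; the field names, the 30-day patch threshold, the sanctioned-storage list, and the sample inventory are all assumptions constructed for illustration.

```python
"""Readmission posture check for devices returning from home working.

Added example: thresholds, field names and the sample inventory are
assumptions for illustration, not taken from any real NAC product.
Verdicts: ALLOW (corporate network), QUARANTINE (remediation network
until the listed actions are done), DENY (forensic review first).
"""
from dataclasses import dataclass, field
from datetime import date

MAX_PATCH_AGE_DAYS = 30                      # assumed policy threshold
SANCTIONED_STORAGE = {"corporate-sharepoint"}  # assumed approved locations
_RANK = {"ALLOW": 0, "QUARANTINE": 1, "DENY": 2}


@dataclass
class DevicePosture:
    hostname: str
    last_patched: date            # OS and AV definitions last updated
    av_enabled: bool
    av_alerts: int                # detections while working from home
    shared_with_household: bool
    password_reused: bool         # same password on work and personal accounts
    data_locations: list = field(default_factory=list)   # where company data was saved
    unknown_software: list = field(default_factory=list)  # installs nobody can account for


@dataclass
class Decision:
    hostname: str
    verdict: str
    actions: list


def _escalate(current: str, new: str) -> str:
    """Never downgrade a verdict once a stronger one has been reached."""
    return new if _RANK[new] > _RANK[current] else current


def assess(device: DevicePosture, today: date) -> Decision:
    verdict, actions = "ALLOW", []
    patch_age = (today - device.last_patched).days

    # Unresolved malware indicators: keep the machine off every network.
    if not device.av_enabled or device.av_alerts > 0:
        verdict = _escalate(verdict, "DENY")
        actions.append("forensic review before any network access")

    # Stale patching or unexplained software: remediation network first.
    if patch_age > MAX_PATCH_AGE_DAYS:
        verdict = _escalate(verdict, "QUARANTINE")
        actions.append(f"patching {patch_age} days out of date")
    if device.unknown_software:
        verdict = _escalate(verdict, "QUARANTINE")
        actions.append("review unapproved software: " + ", ".join(device.unknown_software))

    # Credentials that may have leaked to the household: reset before access.
    if device.shared_with_household or device.password_reused:
        verdict = _escalate(verdict, "QUARANTINE")
        actions.append("force credential reset and MFA re-enrolment")

    # Company data in personal cloud storage: data-handling (GDPR) review.
    unsanctioned = [loc for loc in device.data_locations if loc not in SANCTIONED_STORAGE]
    if unsanctioned:
        actions.append("data-handling review for: " + ", ".join(unsanctioned))

    return Decision(device.hostname, verdict, actions)


def triage(devices, today: date) -> dict:
    """Map hostname -> Decision for a whole returning fleet."""
    return {d.hostname: assess(d, today) for d in devices}


# Constructed sample inventory (not real devices or survey results).
TODAY = date(2020, 7, 1)
SAMPLE_DEVICES = [
    DevicePosture("lap-001", date(2020, 6, 25), True, 0, False, False,
                  ["corporate-sharepoint"], []),
    DevicePosture("lap-002", date(2020, 3, 15), True, 0, True, True,
                  ["Dropbox"], ["freegame.exe"]),
    DevicePosture("lap-003", date(2020, 6, 28), False, 2, False, False, [], []),
]

if __name__ == "__main__":
    for decision in triage(SAMPLE_DEVICES, TODAY).values():
        print(decision.hostname, decision.verdict)
        for action in decision.actions:
            print("   -", action)
```

The important design choice is that verdicts only escalate: a device that is both unpatched and shows malware detections is denied, not merely quarantined, and a credential-reset requirement by itself is enough to keep a machine off the production network until it is done. The data-location check adds an action without changing the verdict, because the exposure has already happened and is a data-handling problem rather than a network-admission one.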
About the Author
Stephen Burke founded Cyber Risk Aware in 2016 after a career spanning over twenty years in technology and security specializing as a chief information security officer. In that time, he found that most if not all security incidents are caused by human error at all levels in an organization, no matter how good the technical defenses were. Burke founded Cyber Risk Aware with the mission of making a genuine difference and preventing companies and users at home from being victims of cyber crime.