Data Governance

COVID-19 & Working from home – Mitigate the security risks

As COVID-19 infections increase globally there has been a vast increase in the numbers of staff working from home. Many of our clients have asked us to assess the potential security risks which may result.

We thought it may be helpful to share some of this advice more widely.
There are a number of key security risks associated with large numbers of staff working from home, many related to the very systems and environment which make working from home possible.

So, what are the risks and how do you minimise them;

Office 365

Many organisations have migrated from Microsoft Exchange to Office 365 over the last two or three years. While this is generally a very positive shift, in many implementations security was a bit of an afterthought.

We have recently seen many external attacks resulting in mailbox takeovers. These attacks were successful due to the somewhat poor implementation of Office 365.

Now is the time to validate your Office 365 security controls. We can assist with a health check of your Office 365.

 

Data Leakage

Outside the physical security of the office there exists additional opportunity for leakage of sensitive data. Some of these opportunities are;

  • It may be possible for staff to print sensitive information
  • It may be possible for staff to copy data to other devices on their home network
  • Staff members may back up sensitive data to unencrypted devices
  • Laptops and other devices may be stolen from the home environment
  • Laptop screens may be left unlocked exposing information to unauthorised persons
  • Staff members may share laptop usage with unauthorised persons
Productivity

For many staff, working from home will be something they may never done, or at least not done for extended periods. It may take some staff a few weeks to get into the rhythm of working from home. Some may never acclimatise to the new way of working.

It is important to be patient and guide staff to survive this new experience. Look for our article on ‘How to Survive Working from Home’ in our Blog page.
Equally, it is important to ensure staff balance life and work while working from home. It is very common for people to work many extra hours as the work environment is effectively only a few steps away.

Security Awareness

Working from home brings with it many challenges in how to work effectively and securely. While the vast majority of staff are well intentioned, in attempting to simply do their job, some staff will inadvertently breach policy and security controls.

This is an opportunity to guide and help staff to understand what they can and can’t do to keep company and customer data safe. Frequent and operationally relevant security tips for staff are the order of the day here.

Virtual Private Network (VPN) Access

Although staff are away from the virtual security of the office you should add the additional layer of a VPN connection to protect your essential systems by encrypting data in transit.

Many of our clients are currently upgrading their VPN infrastructure to accommodate the additional remote staff.

 

Operating System

Confirm that the remote staff’s laptops are completely up to date and that automatic updates are switched on. We have already seen attackers targeting remote staff using unpatched and unprotected devices.

 

Security Software up to Date

Prior to staff working remotely, it is essential to ensure that all standard security software is up to date, including antivirus, host-based firewalls and device encryption.

In the last week we have seen many organisations provisioning hundreds of new laptops so staff can work remotely. The increased workload for IT teams means installing and configuring essential security software becomes an additional challenge. It’s important to make sure staff are operational but the security of their devices and the organisations data is equally if not more important.
Consider how this software will stay up to date where staff are working remotely for extended periods.

 

Cloud Services

There will be a temptation for some staff to use unapproved cloud services for both official and unofficial purposes. Where a staff member has difficulty accessing internal systems such as shared drives or official cloud services it is common for them to resort to private cloud storage solutions such as Dropbox. Additionally, you may find staff utilising other internet services which may expose the company to additional risk.

Security Controls

Do all of your controls apply to devices where staff are connected via VPN and when they are not connected to a VPN? We have observed numerous occasions where remote staff have bypassed security controls either intentionally or inadvertently. Controls such as internet proxy are frequently bypassed by remote staff.

 

Internet Bandwidth

Internet usage is an important consideration where staff are working remotely. Will the staff members internet connection support the type of work they do from home? It won’t be effective for staff to work from home if their internet connection is slow. In the last week we have seen global internet usage increase markedly, with dips in performance during working hours.

Australian Signals Directorate (ASD) Essential 8

Ask us about our free guidance in implementing the ASD Essential 8 security controls.

 

Other Associated Articles

Also see our article on ‘How to Survive Working from Home’ at the below link.

https://www.linkedin.com/pulse/covid-19-how-survive-working-from-home-christopher-mcnaughton

Contact the Author

Christopher McNaughton
Director | SECMON1

EM christopher.mcnaughton@secmon1.com
PH 0428 183 095
www.SECMON1.com
The Rialto, 525 Collins St. Melbourne

Christopher McNaughton

Recent Posts

Understanding the Australian economy through the lens of underwear and lipstick sales

In an intriguing development, recent trends in Australia's retail sector—namely, a decline in men's underwear…

12 months ago

New fraud costing Australian business millions annually

  If you work in the Finance Department of your company your email account might…

4 years ago

INFORMATION THEFT – THE EMPLOYEE RISK

  Information Theft - What is the Risk? Our research has shown that around 68%…

4 years ago

Don’t Become a Victim of Cyber Crime

  The Impacts of a Cyber Attack In your personal life and as an employee,…

4 years ago

YOUR COMPANY HAS BEEN BREACHED!

The Data Governance Watershed "You've been breached!" These are words none of us want to…

4 years ago

CASE STUDY – OFFICE 365 BREACH

CASE STUDY  (5 Min read)  The following case study details a case where SECMON1 was…

5 years ago