Cyber Risks When Working from Home
Following the effects of the Coronavirus pandemic, many businesses have opted to close their physical premises in favour of a fully remote working solution. With the latest Government announcements (22nd September 2020), businesses that had begun the transition back to the office will once again be planning to revert to remote working in line with the guidance.
This will mean, of course, many thousands of employees will be working from home either full time or part of the time. In turn, this raises the question of whether untrained employees could be jeopardising employers’ data security.
A new study by London-based IT security firm CybSafe found that 23% of UK office workers rely on unauthorised devices to work from home. Alarmingly, the survey also found that 9% share their work devices with other members of the household.
In addition, a fifth of those surveyed admitted they did not keep collaboration and video conferencing software up to date. Nearly a quarter said that they did not update software on devices connected to their own home Wi-Fi network.
These poor personal cybersecurity practices could be linked to staff not being adequately trained in cybersecurity and information management. Of the workers surveyed, 65% revealed that in the last six months they had not received any training on keeping data secure when working remotely.
The survey also showed that fewer than four in 10 workers had been given a cybersecurity policy dealing with the issues relating to working from home when lockdown was introduced on 23rd March 2020.
Meanwhile, a report from cybersecurity firm Malwarebytes found that 20% of businesses have suffered a breach due to the actions of a remote worker and nearly a quarter of businesses faced unexpected expenses as a result of these breaches.
That report also revealed that 61% of businesses do not compel their employees to use antivirus solutions on personal devices used for work purposes.
What can be done to reduce the risk of cyber-attacks during coronavirus home working?
The speed of the migration to home working has led to staff using their work equipment for both work and leisure activities without the appropriate IT infrastructure and available expertise being in place to support this form of working. Inadequate data governance, a lack of risk management strategies and a general lack of preparedness have exacerbated the situation.
At the same time, cyber criminals are taking advantage of the lack of effective security and people’s fear of - or curiosity about - coronavirus to convince employees to click on links to malicious sites related to COVID-19.
Many organisations are discovering too late that the human factor is the weakest element in their cyber security chain, with poor training and ineffective enforcement of remote work policies leading to IT security being compromised.
If they are to have any chance of surviving a cyber-attack during the coronavirus lockdown, it is essential that organisations implement fundamental safeguards such as:
Ensuring that staff are adequately trained
Restricting work equipment to business-related tasks only
Requiring multifactor authentication for business apps and networks
Implementing robust VPN infrastructures
Mandating employee use of private Wi-Fi networks
How can rradar help?
Our Cyber, Data and Information Law (CDIL) specialists are known for their common-sense, practical advice and regularly represent clients who are being investigated by the Information Commissioner’s Office (ICO) and other regulatory authorities. They advise a broad mix of private, public and charity sector clients on a wide range of CDIL issues, including data protection, privacy, electronic communications and marketing and cyber security and breach management.
Our team has a wealth of resources to help you to minimise data security and cyber incident risks and, if the worst happens, we are available to help you effectively manage data breach and cyber-attack incidents by giving immediate advice and support.
For more information on Cyber, Data and Information Law head to: https://www.rradar.com/cyber-data-and-information-law
Leigh Payne, Solicitor at rradar