IT Security Risks In The Home Office

For many employees, being able to work at home on a computer is an advantage. However, remote working does not make IT security any easier.

Having acquired a taste for it, employees are increasingly drawn to the home office. The advantages from their point of view are clear: shorter commuting times and more freedom around the daily schedule. Yet there are disadvantages in terms of security. A home network lacks the multi-layered network security of a corporate environment. In addition, there are human errors. Employees work in environments that are more distracting, for example, having to answer the front door or doing chores at the same time. This increases the likelihood of errors, such as sending an email to the wrong recipient or falling victim to a malicious email attack. Thus, IT executives are noticing that there has been an increase in security issues since the shift to working from the home office.

The biggest security threats to remote working?

Non-secure internet connectivity

Employees who work from home are often allowed to use their own computer equipment and internet connection – separate from the company’s computer and network infrastructure and bypassing the protections provided by the company’s security infrastructure. Spouses and children use the same network. If one device is infected, the virus can spread to the other systems. This is called cross-traffic contamination and can lead to the loss of important company data.

There are ways to minimise these risks. The best option is two-factor or multi-factor authentication. It is also advisable to use VPNs or a zero-trust network, in which anyone trying to gain access to network resources must prove their identity.

Endpoints cannot be monitored

Some companies monitor the traffic between the remote user and the company and analyse it for anomalies. The remote worker's computer runs endpoint detection and response (EDR) software to identify threats that may have made it to the desktop. However, if remote users are predominantly using their own infrastructure and are not logged into the company’s system, the risk of incidents occurring without the knowledge of incident response teams increases significantly.

Corporate environments have playbooks for dealing with threats. But with remote employees, control is difficult. Who checks whether someone really changes a password even though they have been asked to do so? Security incidents can go unnoticed or unreported for longer and cause more damage.

Communication and shadow IT

When field workers communicate with each other, they often use third-party channels such as Slack, Teams and Discord, which are not controlled or monitored by the employer. The biggest risk here is that employees access these applications and download a virus or malware by clicking on a link out of curiosity.

In addition, wherever people share sensitive data via email or unmonitored applications, the risk of data loss increases. This can happen through human error – for example, sharing a file in the wrong team chat – or someone may be deliberately using these channels to exfiltrate data. As a protective measure, secure communication channels should be used and data should be exchanged in encrypted form.

Unsecured files

Just as communication over unsecured channels can lead to increased security risks, so can sharing and storing files over unencrypted channels. Most people don’t know where the data is actually stored, and they constantly carry data with them from place to place. Therefore, all data should be encrypted, so that it is secure regardless of where it is stored.

Risky behaviour

Many employees prefer to work remotely because it is convenient and does not involve any restrictions. But it is these very factors that can lead to cybersecurity risks if not managed properly. At home, people are more relaxed about strict security measures. As a result, people take more risks and are more likely to visit dubious websites that they wouldn’t normally visit in the office since no one is monitoring their activities at home.

Add to this the greater distraction that leads employees to get up from the computer in the middle of a task. Without a company-controlled timeout of applications and network sessions, the likelihood of someone viewing data or information that is sensitive or subject to special protection increases.

Thus, regular and mandatory cybersecurity training should be conducted. Employees should be aware of the cybersecurity policies and commit to complying with them. They need to understand the potential consequences of inadvertently or deliberately breaching these policies.

Phishing emails on the rise

Since the pandemic, there has been a six-fold increase in phishing emails, and the trend continues to rise. Phishing attacks make no distinction between office and home office employees. However, in a home office, the line between work and private life becomes blurred, which means that employees often work longer hours. Tired, distracted people are the perfect target for cybercriminals, and that’s why phishing is a bigger threat to businesses with remote or hybrid employees.

Phishing attacks involve attackers posing as brands, employees or suppliers to trick recipients into taking wrong or malicious actions. If someone works in an office, the intent of a seemingly internal but malicious email can be quickly identified. Employees can more easily verify that the email is actually coming from a colleague. Companies can mitigate these risks by properly training their employees to recognise phishing emails and take the right steps to report and control such issues. A more effective approach may also be to use a zero-trust architecture. A zero-trust environment treats insiders and outsiders equally. Every access is verified through continuous authorisation and authentication.