Lots of us are discovering that our businesses can operate pretty well even with many employees working from home. However, the Covid-19 outbreak has forced employers' hands in numerous ways, explains Robin Thompson, director of Hull IT firm RedFez.
One of the reservations regarding working from home has been the issue of security – and quite rightly so. In our office environment we have put in place (hopefully) various systems, procedures and policies to ensure that data is accessible only to those that need it and that it is safe from corruption and/or loss. In recent years, this has become a hot topic with the switch to GDPR legislation from the older DPA, although in reality much of what GDPR has asked of us should have been observed under DPA.
As soon as workers are moved out of the office environment, then these security measures can often easily be bypassed, intentionally or otherwise. Exactly what this means largely depends on how employees are working from home. Did you supply the IT equipment, for instance, or is it theirs? They both present different challenges.
So here are some things to think about in both scenarios
Staff using a work computer
This has the advantage, from a security perspective, of benefiting from the various restrictions and protections that you will have installed on your employees’ machines, or “endpoints”. You will have a company-approved firewall, antivirus and malware program and a login system that controls access to both the machine and resources. If you have the endpoint set up to restrict the use of USB devices, for instance, then that restriction will apply at home too. You will no doubt also have suitable backups in place. So, by requiring your staff to use a corporate machine, you have minimised the risks somewhat.
However, part of the protection of each endpoint will also have been provided by the restrictions and protections you placed on the corporate network. Now the machine is at the client’s home, the firewall on the corporate network is no longer protecting that endpoint. If the employee is using a VPN to connect back to the corporate network (and I hope they are) then the risk is reduced BUT they are still initially connecting via a less secure home network. You have no control over how that is set up and what else is on that network. To that end, it represents a risk. The chances of a machine being hacked or being infected by malware are increased.
The solution here is to revise the policies – firewall and otherwise. You may have to make these stricter or limit what can be accessed or done from home. You may also want to make sure that your IT usage policy reflects clearly what the expectations are in terms of what care must be taken by the employee. They may of course contravene that but then you will at least have recourse through the HR process.
Care is very important. Particularly in terms of ensuring that the machine is not easily stolen, or lost, or accessed by a family member. What happens if they leave the laptop open on something confidential and this is read by someone else in the house? Do your staff know to lock screens and do they do it habitually? What is the consequence if they don’t? Where are they storing the equipment when not using it or out and about? In terms of loss or theft, it is unlikely that the equipment will be covered on your employee’s household insurance – and why would it? It is not their equipment, it’s yours. So before letting any equipment leave the office check to make sure that it is insured to do so.
Staff using their own computer
This is obviously inherently more risky. With the exception of insurance (although you might want to check any cyberinsurance policies cover staff using their own equipment at home) all the above risks apply but you have the added issues that come with allowing the use of an effectively unknown device.
Generally computers used for home use are not set up for business use. They are not encrypted. They are used by many members of the household. They have basic firewalls and antivirus if any at all. The risk of data loss and a data breach are much greater. To that end I would recommend NOT allowing staff to use their own devices. You ultimately cannot control them.
If however, if it is unavoidable, and they absolutely have to use their own equipment, then there are two things to do:
- Get the device audited or checked out by your IT department or partner. They can ascertain its suitability from a security perspective, encrypt the device if it is needed and may be able, licences permitting, to install the corporate security software to keep it protected
- Make sure you have a robust policy on the use of personal devices for work use and educate your staff in good cybersecurity practices. In fact, save yourself some potential heartache and do this anyway
It essentially comes down to risk versus reward. Working from home will always present a security risk to the organisation and, while this can be minimised, it is still there.
The bottom line is to make sure you are purposeful about working from home and involve the staff concerned and your IT provider in the process, to ensure that the risk can be reduced to a level that is acceptable to you. At the moment, homeworking has become a necessity to keep things going, so we may take a bit more risk than we normally would to achieve that. But when things calm down? That remains to be seen.
Call Redfez on 01482 298120 or visit redfez.co.uk