Home working is now the new normal for the vast majority of businesses in the country. Unless your business and its staff are classed as critical, your teams and staff are already at home and potentially still working out which services to use to best maintain their productivity from their new home offices.
Security leaders need to recognise this new environment and the challenges it brings. Business needs to continue at pace; firms cannot sit idle while security undertakes reviews and considers options, and snap decisions are having to be made. Staff and leaders may make calls that bring some risk, but which also maintain productivity and enable critical elements of the business to function. Security leaders need to adjust their internal risk registers for what is effectively a new operating environment for business and their staff, an environment where a higher level of risk has to be accepted to ensure the business can function.
In this context, security leaders need to consider the key challenges staff are facing as they work from home, and how the cyber security function can assist them in operating efficiently and securely.
Data storage can be a significant issue for people suddenly pushed to work from home. Organisations whose staff do not have dedicated work laptops to take home are likely to be requiring employees to use personal devices for work. Regardless of any virtualised desktop solutions or other mechanisms being put in place, there will always be reasons why staff may simply decide that it’s easier to write a file on their home system.
- Immediate staff awareness reminders should be considered for staff handling personal data, or highly sensitive legal, medical, or financial data, reminding staff of the sensitivity of this data and the need to keep it off personal IT if at all possible.
- Staff handling personal data or highly confidential information will need prioritisation for any emergency rollouts of corporate laptops for home use, or integration into any remote working solution being put in place.
- Staff should be reminded of the need to avoid personal accounts for file sharing. Personal Dropbox accounts, Google Drives or even personal S3 buckets on AWS can be misconfigured to share their contents far and wide. While recognising that users might sometimes need to create documents on personal IT, a line does need to be drawn on sharing those documents: always use corporate email and file sharing applications.
Securing personal IT
For staff who cannot be prioritised for an immediate rollout of corporate IT such as laptops, a small number of measures can help to improve the security of their systems and the data they hold:
- Guidance should be provided on how to use home IT safely. This can include encouraging good physical security practices such as locking your system when you step away from it, enabling automated patching, and other steps such as enabling disk encryption. These are controls that will make home IT safer for both the employee and the business whose data may be processed on it.
- Extend your corporate licensing for software such as anti-malware protection to include users' home devices if possible. If this is not feasible, guide users towards reputable free tools.
- Staff in shared accommodation as well as staff with younger children should be reminded that devices need locking when not in active use. Accidental errors are more likely than malicious acts involving unlocked devices, but both are easily prevented with basic steps.
In the period directly after a move to home working, teams are in a state of flux. Staff searching for communications solutions have been turning to a wide range of providers who offer seemingly robust solutions but whose underlying security is unknown. This has been particularly true in areas like videoconferencing, where a plethora of solutions with varying controls and some known security issues have left the security of communications in an unknown state.
Instead of viewing the current state of flux as uncontrolled software use, it can be considered a wide unstructured set of pilots. In this sense, staff can be involved – actively soliciting opinions on the software in use demonstrates to the wider business that the cyber security team is not only aware of the threats to the business, but is also aware of the realities of the current environment, and willing to approach the situation pragmatically.
Remembering the need to maintain an operational business, IT and cyber security should work together to quickly assess the tools being used by teams. Excepting areas where there are clear cyber security issues, activity to review licensing options and potentially procure licenses for a selected subset of those tools in use should be undertaken.
If free versions of tools provide appropriate functionality and appropriate legal assurances regarding security, these can be retained; otherwise the business should consider licensing ‘professional’ versions of tools where these are cost-effective.