Cyber-security – home and safe?

While the pandemic may now feel like a distant chapter for some, its impact on working habits is undeniable. Remote working, a necessity during Covid, has since evolved into a preferred option for many, and the flexibility of homeworking continues to appeal to both organisations and employees.

 

Global lockdowns accelerated the adoption of teleworking technology, compressing what might have taken a decade to happen naturally into a matter of months. However, opinions still appear split on the long-term value of remote working. While organisations such as Amazon are calling employees back to the office full-time, the new Labour government’s upcoming Employment Rights Bill advocates for a default right to flexible working. This highlights the ongoing debate over the future of remote work.

 

The remote working debate

 

One challenge of home working is the potential for cyber-security to become neglected. Some organisations have observed employees returning to the office with bad habits picked up while working remotely, while others who continue to work from home may still be developing them.

 

As with many aspects of cyber-security, it’s all very well to blame employees for poor cyber-hygiene, but it’s only fair to do so if they’ve been given the appropriate support and guidance. Enabling or enforcing remote working is one thing, but ensuring staff have the resources and knowledge to do so securely is equally important. 

 

Where cyber-security training is provided, it must be relevant and tailored to the specific working environment. Advice on locking unattended devices, following a clear desk policy and not sharing access all make sense in an office environment, but they’re just as crucial for remote workers – especially when family and friends are around. Whether staff training adequately conveys this context can vary, and many employees may naturally assume these practices only apply to the traditional office setting.

 

Cyber-security education

 

There needs to be more focus on what is being protected as opposed to where it is being protected. Take driving, for example – a common activity that spans both personal and work lives. The rules of road safety don’t change based on why you’re driving. The handling of digital devices and data should follow the same principles, regardless of location.

 

Cyber-literacy shouldn’t depend on whether you’re at home or at work. Personal data is not any less sensitive because it’s being accessed from home. Phishing attacks can occur in either location, and some individuals may be more vulnerable at home, where a relaxed and informal environment can lead to lower vigilance. So, what’s really happening in practice, and what more should be done?

 

The stats

 

According to the latest Cyber Security Breaches Survey, 68 per cent  of businesses have cyber-security policies that cover remote or mobile working, and 55 per cent address the use of personal devices for work. However, only a third of businesses report having a Virtual Private Network (VPN) for staff working remotely, suggesting a gap between having policies in place and implementing the technical controls needed to secure remote working.

 

Research from the University of Nottingham highlights a significant disconnect in the provision and perception of cyber-security support in different environments. The study gathered data from employers and employees from a range of organisations that permit flexible working. It examined traditional workplace settings, home use and remote use in public spaces where neither party controls the IT infrastructure. The findings revealed notable disparities between what employers and employees believe regarding key cyber-security practices, including: 

• Whether a cyber-security policy covers all three environments
• Whether personal devices are permitted for work in each context
• Whether employees have received training that addresses security in all scenarios 

While some organisations appear to be addressing the issues, with the views of employers and employees in alignment, there were cases where perceptions diverged considerably, with employers believing certain issues have been addressed while employees felt otherwise.

 

Conclusions

 

For organisations looking for practical advice, the National Cyber Security Centre offers valuable guidance for home working within its extensive online resources.

 

However, the key questions remain the same. If you’re an employee working from home, are you doing so securely? If you’re unsure, the answer is likely no. As an employer, if your staff are working remotely, have they been given the support and tools to ensure cyber-security? Are they following best practices? If you don’t know the answers, then the chances are neither do they.

---