Three reasons to look at the security of home working

1. Complacency

People feel more comfortable at home. Not exactly a revelation, but have you considered the security implications?

Working from home is not the same as remote working. Home feels safe in a way that a hotel or on a train doesn’t. This could lead to people letting their guard down and taking risks. This could be something as seemingly harmless as leaving devices unlocked when unattended. But it could also include more serious risks. In a post-lockdown study by Proofpoint, almost half of employees admitted to having let a friend or family member use their work-issued devices.²

People are also more likely to use their work devices for non-work tasks: this includes checking personal email, online shopping or gaming. Any of these could lead to the device being infected with malware and the exposure of company information.

And if organisations don’t give their employees all the user-friendly tools they want, people will find their own workarounds. 7% of employees admit to having used a personal cloud app to store sensitive corporate information.⁵

But it’s not just data that you should be concerned about. Finance teams have access to many key systems, including those related to banking and payments. A malware infection could lead to credentials being stolen and attackers getting access to these systems.

There are many technical solutions to help mitigate these risks, including mobile device management (MDM) and cloud access service brokers (CASBs). But education of employees is vital. Many people will be working remotely for the first time, but even seasoned remote workers would benefit from a reminder of the risks and how to report suspicious activity.

2. Attackers exploiting the situation

Attackers will seize on anything to see if it can help further their attacks. And the pandemic was no exception. Back in March 2020, Europol reported how quickly criminals had adapted their methods to exploit the crisis.¹ Malicious actors were quick to take advantage of the increased use of video conferencing to create new phishing campaigns; they even exploited the shortage of certain goods like hand sanitiser.

Business email compromise (BEC) attacks, also known as CEO fraud, also offered a way to take advantage of the situation. BEC attacks are a form of fraud where the attacker impersonates somebody within the company—or sometimes a business partner. These are typically carried out via email, but there have been examples of attackers using “deep fake” technology to impersonate people on the phone. With employees working from home it may not be as easy for them to check the validity of a request or instruction, as it would be in the office, leaving companies more vulnerable to attacks.

According to the FBI, which has been studying them since 2013, the worldwide losses from BEC attacks have been rising year-on-year.³ In 2020, the total reported losses reached $2.1 billion across 177 countries–and that’s almost certainly just a fraction of the total problem.

Some high-profile cases have hit the headlines, like the €6 million personal protective equipment (PPE) scam.⁴ But the FBI notes that the organisations that are most vulnerable to BEC scams are small and medium-sized ones—possibly because they have less rigorous processes in place.³

Companies have been warned to watch out for the urgent call from the CEO about to take a flight, so many attackers are shifting to trying to manipulate more mundane payments, like salary.

Again, education plays a large role in combating these problems. Many rely on employees being complicit, so making sure that they are aware of threats like this is vital. There are also simple and inexpensive things you can do to make it easier for users. For example, many companies have changed their email setup to flag messages from outside the company’s domains—e.g. “[E] Urgent request”.

3. Technological weaknesses

Many organisations had systems, such as virtual private networks (VPNs) which encrypt data sent over the internet, in place prior to lockdown. But even many of those that had protections in place found them unable to cope with the dramatic increase in demand. There was also a global shortage of laptops as companies and students rushed to buy them. As a result, many companies opened up access to corporate systems to personal devices.

Home networks can also be a risk. Many people don’t set a secure password, check for updates or take other basic precautions. And it’s subject to types of threats that don’t crop up in the office—like being shared with kids playing games and devices, such as smart TVs and home automation devices, any of which could be compromised—in November 2020, Amazon removed many smart doorbells from its site after they were shown to been soft targets for hackers.⁷

According to Verizon, 44% of companies don’t have an acceptable use policy (AUP).⁶ This is an important tool for making sure that employees are aware of their responsibilities and what behaviour is and isn’t acceptable—checking your personal social media accounts on a work device may seem harmless, but could expose the company to greater risk. There are also tools to make sure that employees only use authorised web tools, and that they do so safely. A cloud access security broker (CASB) can monitor all cloud use and enforce security rules.

Securing the future

With restrictions due to the pandemic ongoing, organisations should make sure that they are taking adequate measures to secure those working from home. Especially as it seems likely that while working from home will fall from its pandemic peak, it will settle at a much higher level than before.

Read more Transaction Banking-related articles and sign up to receive monthly TxB insights.