Ideas: Securing data in the transition to working from home

The ability of many businesses to move to home-working is a massive lifeline in the COVID-19 crisis, without which the economic fallout would be even greater than it is. But working from home does have its own challenges. Richard Dawson highlights how companies may be more vulnerable to cybercrime as a result of the shift.

Working from home is increasingly presented as a panacea for business continuity, with employees in a cross-section of industries setting up makeshift workstations in their homes and communicating through tools such as Microsoft Teams and Zoom.

To be clear, I shudder to think what state the economy would be in right now were it not for the agile working practices digital technologies have enabled.

If the economy is presently running at around two-thirds of its normal capacity, as many commentators have claimed, then it is difficult to imagine how bad things would be if we couldn’t work wherever we like.

However, while being crucial for preventing total economic collapse, mass home-working does have its own challenges, particularly from a cybersecurity point of view.

Costing an estimated £27 billion every year, cybercrime is already a huge threat to UK businesses.

The situation is complicated by the fact that under GDPR, all a hacker has to do now is prove they have broken into a company’s database or accessed customer data to be able to command a large ransom.

This is because the fines for data breaches under GDPR are so huge that many companies opt to pay a hacker’s ransom and avoid the reputational damage.

It is thought that cyber-attacks are a lot more commonplace than is officially reported as a result of this.

Cybercrime is likely to be exacerbated by the current situation for a number of reasons.

First of all is hardware. Business premises and office spaces normally have a company-wide IT system of computers, laptops and tablets that are regularly updated with the latest firewalls and anti-virus software by a dedicated IT support team.

Security protocols are often embedded in office IT systems to such a degree that many employees probably go about their business without realising they are there.

Contrast this with a personal computer or laptop being used while working from home and it is highly unlikely that the same level of security is integrated.

Personal devices are often not routinely updated with the latest security settings and for obvious reasons cannot be checked by the IT support team and regularly scanned for vulnerabilities.

The transmission of sensitive company information and data from office machines to personal machines therefore increases the vulnerability of businesses to cyber-attacks.

Human error is also a significant risk in the transition to home-working, as new ways of working mean new software, which many workers may be unfamiliar with.

Unfamiliarity is preyed on by cyber criminals who create web pages and computer programs that look genuine in the hope of capturing personal information from employees who are simply trying to download software to help them do their jobs.

If a hacker can obtain the password of an employee, they could easily compromise the whole company database.

In addition to these fraudulent tactics, there has also been a rise in the number of phishing scams related to the coronavirus itself.

Phishing is the practice of sending emails pretending to be a reputable source in order to induce individuals to reveal personal information, passwords and credit card numbers.

Cyber criminals are taking advantage of public fears about the virus, generating COVID-19 related content such as health updates, fake cures, fiscal packages and emergency schemes to lure people in.

All it takes is one person, adjusting to working from home, to open a fraudulent email or download a dangerous software package for all company data to be at risk.

The way digital networks are structured means that it only takes the smallest breach to get into the whole system.

In light of this, it’s incredibly important that individuals and business owners recognise how they may be more vulnerable to cyber-attacks while working from home.

Businesses can also implement new security protocols and practices that will improve their cybersecurity.

Things as simple as making sure passwords are strong, setting up two-factor authentication, ensuring firewalls and anti-virus software are kept up to date, and disabling USB drives to avoid the risk of malware can all make a huge difference.

It’s also useful to make provisions so that finance processes require finance teams to confirm any requests for large payments. This can help to guard against the increased risk of email fraud.

Ensuring that employees have greater awareness of the risks is also an important step, particularly given that it is often human error that cyber criminals target first.

Paul O’Leary, who leads KPMG’s cybersecurity practice in the North East, says: “We are seeing that the region’s organisations are at significantly greater risk of a cyber incident at the moment due to an increase in attempts by organised criminal gangs to exploit the uncertainty which COVID-19 brings.

“As the region’s workforce copes with new ways of working and using technology, IT systems and processes, including some security protocols, are also being altered. Both the human and the infrastructure elements of business may be more vulnerable to cybercrime during this time.

“There’s no such thing as a technology safety blanket but the winners will be those with a proactive mindset, who take action around consistent monitoring, reporting and education.

“That said, as well as preventative measures, organisations also need to think about their ability to recover in the event of an attack and to ensure they can communicate with all of the workforce whenever required.”