Cyber Security when working from home
There has been a seismic shift towards virtual working during the pandemic. Whilst for many this will have been enforced, it is likely that many organisations will make this change a more prominent or even permanent feature of their working culture moving forward.
Whilst the risk of cyber attacks and data breaches is ever present no matter where we work, there are additional security challenges that an organisation faces when staff are working from home. This may be especially true for smaller organisations that may not have the support of a dedicated IT team to lead a security strategy, and to call upon in the event of an incident. One study found that cyber-attacks in the UK had risen by over 60% in the first month of the first national lockdown.
Some of the main cyber security risks that have been shown to increase when working from home include:
Bringing the office into the home can pose particular challenges when it comes to keeping data secure. This can be due to a number of factors, such as using personal devices and accounts to transfer and store data; displaying confidential information where others can see; and an increased risk of devices being misplaced or stolen. It is also much harder for an organisation to effectively monitor GDPR compliance outside of an office environment.
With emailing becoming the primary means of communication when working from home (and inboxes often overflowing), staff may not be as alert to scam emails as they would be in the office. There has been a huge increase in email scams during the pandemic, with cyber criminals preying on fears of the Coronavirus and sending ‘phishing’ emails that try to trick users into clicking on a bad link. Phishing attacks have become highly sophisticated and can be almost indistinguishable from the real thing, such as an email from a colleague, customer, supplier, or utility provider.
Working outside of the office environment has added a huge number of endpoints to organisations that may not have been there previously. Systems that are now being used to connect to a company’s infrastructure may not have been vetted or provided by the employer. This has led to a dramatic rise in ransomware attacks, where hackers gain control over a device, or even an entire network of devices. The devices and the data within them can then be effectively held ‘hostage’ whilst the attacker demands payment.
How to mitigate common risks?
For advice and guidance on all matters relating to cyber security, we recommend that organisations take advantage of the National Cyber Security Centre’s comprehensive set of guidance notes and training tools. These can be found on the WSA’s Cyber Security for Sports Organisations Digital page.
Below are just a few examples of simple things a sport & leisure organisation and its workforce can do to enhance cyber security when working from home.
Where possible, it is preferable to supply staff with dedicated work devices that have been configured by IT specialists to optimise security. Where this is not possible, ensure that all workers are aware of good practices when using personal devices for work purposes, such as keeping software updated and having clear protocols in place regarding data storage.
Ensure that screens are locked if left unattended, especially if there are children or housemates present. When the device is not being used, keep it somewhere safe. Where a device has been lost or stolen – staff should be encouraged to report this as soon as possible to help minimise the risk to data.
Make sure all work devices encrypt data whilst at rest, which will protect data on the device if it is lost or stolen. Most modern devices have encryption built in, but encryption may still need to be turned on and configured.
Two-factor authentication (2FA)
If available, 2FA should be enabled for any accounts staff will be accessing. It adds a large amount of security for not much extra effort and is one of the most effective ways of protecting against unauthorised access.
The use of USB devices should generally be discouraged, as they can contain lots of sensitive information, are easily misplaced, and can introduce malware. The threat is increased where a USB is openly shared or of unknown origin. To reduce this risk, consider: disabling the use of removable media on devices; only allowing products supplied by the organisation to be used; and ensuring that any external devices are password protected in case of loss or theft.
Training and awareness
Most of the additional security risks that come with working from home result from human error. Whilst human error can never be eliminated, a little basic knowledge and awareness can go a long way in recognising threats and knowing what to do. This ranges from keeping up to date with the most recent trends in cyber threats to knowing how to spot and deal with suspicious emails, texts and phone messages.
The NCSC has a free online training course for staff that covers a variety of topics, such as phishing, password security, and how to secure devices. WSA partners Watkin Davies can also support with Cyber Security insurance policies.