vCISO advice on work from home
Step one was the crisis-driven transition to work from home. Step two is managing the risk that was created by step one.
Worldwide we transitioned to shelter in place, and much of the time this meant a transition to work from home (WFH). This wasn’t optional. It was part of business continuity, but it likely created new risk. Our advice as virtual chief information security officers (vCISO) is to follow the normal steps of assessing the risk that was created, identify safeguards that can help mitigate risk and create a treatment plan. Risks are defined as the likelihood times the impact of threats. So, the first question is what new threats must be considered? Here are some:
Threats from un-managed home networks
- Workers network environments in the home may have vulnerabilities like out of the box login and passwords that come with home routers/firewalls.
- Home WiFi may be easily infiltrated if not set up securely
- Devices on the home network may not be patched regularly and have vulnerabilities to external attacks and malware.
- Home anti-malware may be less effective than that used by the business and malware can gain access to the business network once the employee logs into a VPN.
- VPN connections to the business may have vulnerabilities.
Threats to business sensitive information
- Loss of sensitive information can occur if workers download it to personal devices or print it at home.
- Business information stored on business file stores like SharePoint Online can be corrupted by malware on the home network.
Threats to employee personal information at home
- Businesses can gain access to employee personal information and non-employee personal information by applying its own anti-malware, and backup to personal devices. This may also occur if the business offers remote helpdesk support to employees working at home.
- Businesses need to protect personal devices that may be affected by malware that could have gotten into the business network.
Threats to obligations
- Non-disclosure agreements
- Obligations to customers for protection of security and privacy
- Statutory obligations for protection of financial data, personal health information and other personal information
The immediate need to rapidly move to a WFH program was the best short-term solution for business continuity for many businesses. If that was the case, a next step is needed because bad actors know there are new ways to attack. Step 2 is to review the risks that were created from step 1. Appropriate safeguards would include a combination of policy and procedure changes, training, technology changes and possibly physical security changes to the office that is not regularly occupied now. Cybersecurity is not just an IT thing.
Let me know if you’d like to discuss the risk of Work from Home for your business
Barry Weber – [email protected]