Home and Remote Working – Are you being careful?
Many of us work from home, or other locations, either regularly or occasionally. It can help maintain a good work / life balance, but are there any specific cyber risks we should be aware of? And it’s not just home – what about other remote locations, such as public transport or hotels?
This is the ninth in the Year of Cyber articles to help you use cyberspace safely at work and at home.
Simple points to remember:
1. We are all responsible for protecting work and home assets, and information is one of our key assets. Report any concerns immediately.
2. Be alert to your surroundings – can anyone overlook or eavesdrop on what you are doing?
3. Take the minimum you need and keep access tokens and passwords separate from devices.
Home working or remote working?
Remote working is any kind of work done outside your normal place of work – whether you are accessing, storing, processing or simply discussing organisational information. Home working is a specific type of remote working, where you work regularly or occasionally from your home, either because of personal circumstances or because (for occasional home working) you need to concentrate on a specific piece of work. Both remote and home working can offer flexibility to support work / life balance – which helps both individuals and organisations.
Organisations encourage flexible working, and provide IT equipment to support it, including laptops and smart phones. Some services and networks, such as organisational portals, can also be accessed remotely from personal devices.
What is the Risk?
Whenever you are working outside the office, there is always a risk that you will be overlooked or overheard. Even small pieces of information can be pieced together and can be useful for an adversary – and working on a document, or talking on the phone, about something which is obviously related to work is often enough to pique the interest of those around you.
Even when you are in your own home, overlooking and eavesdropping can be an issue. There have been instances where information has been passed to others by family members who have seen documents or information on a laptop and not appreciated the sensitivity, sometimes with serious repercussions. And what about workmen and other visitors to your house? Often they are the reason you may be at home in the first place.
Personal devices (smart phones, tablets, laptops etc) and online accounts do not have the same level of protection as those provided by an organisation (although even these cannot guarantee total security), and so should not usually be used for organisational work, except for services specifically designed for use with them. And remember that any organisational information on your personal devices is also subject to release in line with Freedom of Information and Data Protection legislation.
There is also an increased risk of malware from imported files, and from equipment being linked to our networks. Last year there was an incident where a contractor picked up a virus from his home PC and spread it using his laptop as he visited different sites. While organisational systems are well-protected against malware, no system can guarantee complete protection against everything, so we all need to be careful. And of course, there is always the risk of leaving something behind – dropping or forgetting documents or devices when you leave the train, café or wherever – or of equipment being damaged or stolen. So, it’s a good idea to check you have everything before you leave a remote location.
So, what can I do?
Remember that you are personally responsible for securely handling any assets entrusted to you – this includes information.
Try not to draw attention to the fact that you are working on organisational information and be alert to anyone showing undue interest in your work – report any concerns immediately to your line manager or Information Security Officer, including loss or possible compromise of equipment or information.
Take the minimum of information you need and keep papers and screens out of view from others – use a laptop privacy screen if appropriate – and lock them away, if possible, when not in use.
Keep access tokens (e.g. security ‘dongles’) and passwords separate from devices, and shut down unattended devices rather than leaving them on standby, so that the encryption on them is enabled. Take care that you are not being watched as you type your password in – the normal rules about avoiding being overlooked apply.
Use organisation-provided equipment where possible, but if you must use your personal device then make sure it is patched, uses anti-virus software and firewalls, and is password protected.
Remember that email over the Internet is like sending a postcard in the ordinary mail – anyone can read it during its journey.
Get Safe Online has good advice to help you protect your personal equipment.
Sanctions
We are all responsible for maintaining the security of our working environment, including an organisation’s networks and systems. If you put sensitive organisational information at risk, whether at work or through outside activities, you should expect action to be taken against you.
Reporting
The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.
© Cybercentry Limited. All rights reserved.