May 6, 2020
Following the government advisories regarding social distancing and the reduction or elimination of unnecessary travel, most of us have been working from home for several weeks or even months now (for some, of course, it has been a standard way of working since long before this), and everyone will have settled into a routine … of sorts.
Having a routine can be vitally important in order to maintain some semblance of normality. We all like to have certainty and routine, and once we have this, we tend to relax, and perhaps become less vigilant in how we use our computer systems and data.
There are all sorts of guidelines out there about working from home, which essentially boil down to: routines, boundaries, getting out of the house (if you’re not self-isolating), speaking to colleagues, and taking regular breaks (https://bbc.com/news/business-51868894).
Within each of these areas, we need to continue to consider IT security.
When setting boundaries (e.g. what children and other members of the family or household should or should not do, and when), as well as setting times of interaction, remember that you will also have systems (physical or digital) which have been supplied by your employer. These should be strictly out of bounds to other members of the household in order to reduce the level of risk. Who knows what web sites they may browse! Who knows what they may try to install! Who knows what they may input into systems, or click on, if laptops are left unattended!
From the business's point of view, consider how to ensure that your remote users are in fact who you think they are, whether they are remotely accessing systems or communicating with one another, customers or suppliers. Identity and access management is critical for remote users, particularly when many who were not previously used to working from home are now settling into a new normal.
The mechanisms for communications are also critical, both in terms of securing their usage and educating users in the secure usage of the systems. This could be education around ensuring passwords are set when using remote meetings, e.g. to prevent the recent “Zoom-bombing” incidents (this is not a direct problem with Zoom, more a problem with how the platform is used). Other vital considerations are ensuring users understand the ideas behind ‘Business Email Compromise’ and/or phishing-type attacks, where email is used as the attack vector, with the sender either pretending to be someone they are not or trying to obtain access to systems illegitimately.
Again, the business should consider this: there may be policies which can be put in place as controls, or there may be software and/or hardware solutions which can be utilised to manage users and identify anomalous usage of systems.
Therefore, both organisations and users should bring due care and attention to bear when continuing to work remotely, and perhaps even when expanding the capabilities of those working from home.