Is Home Office the new Trojan Horse?
When the COVID-19 pandemic swept across Europe, more than a few companies faced a challenge that they had put off, or rather slept through, for far too long in the course of the much-discussed digital transformation: Am I able to let all of my employees work from home?
Assuming that you have provided your employees with the necessary technical equipment and infrastructure, maybe set up a few guidelines, and therefore managed to take the first big steps towards home office – how many of you can actually claim to have taken information security into consideration? We are not talking about firewalls and using a VPN at this point – although they also play very relevant roles – but rather about your employees' awareness of the risks with regard to information security.
What risks are employees exposed to when working from home?
Aside from getting caught for not wearing pants during video meetings, another risk has been rapidly increasing in significance: the very profitable world of cybercrime.
One of the reasons for the increase in cybercrime is that the switch to working from home was a very sudden event for many companies and the introduction or expansion of home office without a committed security concept is a temptation for hackers to either fill their own pockets or test their skills.
Employees who lack an understanding of information security and its dangers are particularly at risk and are, above all, preferred targets for so-called "social engineering" attacks. Social engineering is essentially the manipulation of people in order to obtain valuable information, place malicious software or have money wired.
A wrong click because the request in the email seems trustworthy, an incautious data disclosure, or a careless download of a file because curiosity got the better of the employee is enough for a company to suffer severe damage to the confidentiality, integrity and availability of its data. Phishing and ransomware are popular and unfortunately also very efficient methods used by hackers to obtain data and/or compromise systems. Ransomware in particular, which leads to the encryption of all company data it can find, is a dreaded tool that can cause serious financial and reputational damage to a company. A successful attack causes a company to pay a high ransom and to deal with the aftermath of confidential data being leaked or critical systems being brought to a halt.
What causes these risks?
The disclosure of confidential data is not done out of spite – in most cases. Common reasons for employees struggling to comply with corporate security guidelines include:
- Not being aware of the security threats at all
- Not being aware of, or not believing, that their behavior has an impact
- Not being aware of, or not understanding, the long-term consequences of their behavior
- Oversharing information in general, because that is what people do in the digital age, and not understanding the value of data or of individual pieces of information combined together
- Believing that they have helped either themselves or somebody else by disclosing information
- Drowning in guidelines and requirements
- Not having clear and comprehensible guidelines on how to securely manage information
- Not being able to communicate questions and voice problems that occur in the course of implementing the security guidelines
What are success factors for the maintenance of secure home office?
As mentioned in the beginning, providing technical equipment and infrastructure is one thing, but do not underestimate the impact of proper awareness training and communication. Many companies tend to overlook their effectiveness because they are not security measures whose results are immediately visible – they should rather be viewed as long-term investments that contribute to the level of information security in a tacit but significant way.
The HR department can use its role as a bridge between employees and employer to promote awareness by not only addressing the policies but also providing employees with a (digital) platform for exchanging views on information-security-related topics and communicating on a regular basis. Furthermore, HR departments are able to maintain sufficient communication with employees to ensure transparency in the course of implementing new applications and systems.
Showing best practices on how to identify threats, explaining which security aspects are also relevant in private life, and regularly running surveys or phishing simulations are also good ways to introduce employees to the topic of information security in a practice-oriented way.
It is particularly important to ensure that employees do not get the impression that information security is another burden in their daily business or even restricts them in their activities but rather helps them to act in a secure way.
Our conclusion
Home office should not be regarded as something temporary that ends with the pandemic. For many employees, home office is becoming increasingly important, as flexible working brings a lot of advantages, and companies are also able to employ professionals outside of their region in the age of the war for talent without compromising on their level of security.
That being said, policies and technical security measures are not the only factors that determine a company's level of information security. Employees will always represent an increased risk factor if there is a lack of awareness or if cybersecurity cannot be integrated into the corporate culture. The dangers multiply the longer organizations fail to recognize and consider the significance of information security awareness among their employees.