by Steven Furnell, senior member of the Institute of Electrical and Electronics Engineers (IEEE) and Professor of Cyber Security at the University of Nottingham
How quickly times can change. At the beginning of the year, home working was something that many people had heard about, but relatively few had practised. Now it has become routine for the majority and, interestingly, many organisations have found that it has worked surprisingly well.
One of the key enablers, of course, has been the increased availability of IT devices and broader internet connectivity. In fact, the collective investment in technology and infrastructure over the past few years has enabled a relatively smooth transition to remote working. That said, the need for security and protection has never been greater, and perhaps unsurprisingly, it did not take long for certain vulnerabilities to show. This year saw an increase in worldwide phishing threats and other cyber-attacks from nefarious actors seeking to take advantage of the pandemic. At the height of the global lockdown period, it was reported that more than 100 million phishing emails were being blocked every day, with a fifth of those being scam emails related to coronavirus.
The truth is, working from home doesn’t always have to pose such a grave cyber-security risk. It can be a secure, seamless transition from office-based work if organisations are fully prepared for it. The question is whether they have actively done so, or simply assumed that staff already use technology at home, and know how to protect themselves.
While there are plenty of opportunities for people to be protected and improve their IT security awareness, this may not translate so well into practice. Being threat-aware is not the same as being cyber-security literate. In other words, identifying a threat does not necessarily mean that someone knows how to handle it or provide a resolution. Similarly, the fact that safeguards are available does not mean they will always be used effectively. Too often, people handle security badly by default, such as choosing weak passwords or failing to install important updates. The guidance is out there if we look for it, but it’s questionable whether staff are actively supported or encouraged to do so.
A good insight into the preparedness of organisations comes from the latest Cyber Security Breaches Survey from the Department for Digital, Culture, Media & Sport (DCMS). Though published at the beginning of the lockdown in late March, the fieldwork for the survey was conducted at the end of 2019. As such, it provides true insight into the measures that organisations had taken as standard, and how they were positioned ahead of the pandemic.
The survey explores the extent to which organisations have addressed the recommendations in the National Cyber Security Centre’s 10 Steps to Cyber Security. These span a variety of technical and organisational measures, but in terms of readiness to switch to remote working, the most interesting steps are those relating to “user education and awareness”, and “home and mobile working”. The former relates to the percentage of businesses that have user-facing policies on acceptable and secure use of systems, while the latter refers to having established clear policies on working outside of the workplace. In both cases, one would hope that organisations already promoted policies and awareness. However, most organisations do not cover these steps in the first place. The 2020 results suggest that just a third have addressed user education and awareness and only a quarter cover home and mobile working. Based on these findings, it seems rather unlikely that staff will have been fully prepared for the shift to remote working.
In some cases, working from home can lead to complacency, as staff are more inclined to be vigilant when operating in a work environment. Now in the comfort of their homes, some may feel more relaxed and less likely to focus on the cyber-security policies of the workplace. In fact, many people may be working remotely on their own devices, so there is no guarantee that they will have configured them appropriately or installed the necessary security software. Conversely, if staff are using work devices, they need to be able to adhere to security policies and be clear on the bounds of permitted use. In the future, businesses must make specific provision for the cyber-security of home workers if they are to minimise any potential threats or vulnerabilities.
With remote working proving successful for many, we may see a situation where businesses explore increasingly flexible work options in the future. While some may have learned from recent experience, if remote working is to continue in a meaningful way, there needs to be greater awareness of the cyber security measures that support it. Home workers must be fully prepared, in terms of the technology used to protect devices and the knowledge and skills to better protect themselves.
Steven Furnell is a Professor of Cyber Security in the School of Computer Science at the University of Nottingham. His research interests include the usability of security technology, security management and culture, cyber-crime and abuse, and technologies for user authentication and intrusion detection. He has authored more than 330 papers in refereed international journals and conference proceedings, as well as books, including Cybercrime: Vandalising the Information Society and Computer Insecurity: Risking the System.
Professor Furnell is also the Chair of Technical Committee 11 (security and privacy) within the International Federation for Information Processing, and a board member of the Chartered Institute of Information Security.