Remote IT security: Reinforce the human firewall
Business security is highly regulated in office environments, but cannot be guaranteed when managing a rapidly deployed remote workforce. Richard Sergeant investigates the risks firms are experiencing and what they can do to mitigate the risks.
The spike in cyberattacks and coronavirus-related vulnerabilities in recent months has left businesses exposed after hurried arrangements to move to remote working.
As handlers of sensitive client data, accountants have heightened business security risks. Organised criminal gangs specifically target accountants and bookkeepers for this very reason.
“If they can gain access to systems, a simple change of details to things like bank account details on invoices can see cash sent and laundered before it’s even realised,” said Foxability business technology consultant Jonathan Fox.
“Accountants might see this as an IT problem, but the reality is that it is a business issue that can impact the bottom line with the loss of cash, as well as reputation and client relationships,” added Fox.
The weakest link
There is a galaxy of technical security systems out there, yet basic data and IT security are driven much more by staff behaviour.
Pulse Cyber Security senior consultant Richard Jackson trains firms in a holistic approach to safeguarding businesses systems and processes.
“There is a real overconfidence on how good we are when it comes to prevention and protection, especially as the evidence suggests the weak link lies with your employees, not the software,” said Jackson
According to Pulse Cyber Security, 75% of data losses are caused by individuals, and these risks can be dramatically reduced by providing good education and policies.
“Staff can create a human firewall but, to do that, everyone needs to be on board and make it part of the business culture – the same way health and safety has become,” said Jackson.
Security starts at home
As the home becomes an extension of the office environment, an equal level of business security must be considered. Security goes beyond the laptop. Every home office should be assessed in terms of security – lockable cabinets, adequate wifi passwords, home security and, of course, sharing devices.
“With children at home, we should not be allowing them to use iPads or laptops that are also used for work emails,” commented Jackson.
A stolen laptop from the house can be a serious security issue and be difficult to explain to the company. Locking work devices away each night could be a simple answer to a potentially high risk.
It is good practice to check if the current insurance on devices covers them being taken or used out of the office – an emerging issue after hastily purchased laptops were distributed in March.
GDPR hasn’t gone away either. It’s unlikely that the ICO has the capacity or the goodwill to go in strong on remote working at the moment, but any breach or loss will still need to be reported in the usual manner and may bring unwanted scrutiny.
According to Jackson, if a GDPR situation continues, the company’s nominated Data Protection Officer (DPO) will need to assess and revise current arrangements.
If staff are working from home, then a GDPR overhead will be created. “It is likely that a fundamental review will be required, including risks assessment on a home-by-home basis and a rewrite of the business continuity plan,” said Jackson.
Impact on insurance
For Howden divisional director Paul Gillett, the lack of businesses purchasing cyber liability insurance is a serious concern. “Less than 10% of SMEs buy cybersecurity cover, and most providers believe that robust IT procedures at home do not exist,” said Gillett. But again, human input is the primary issue, such as staff offering advice outside of their areas of expertise which is not identified to the insurer as an area of activity.
With so many individuals trying to adapt to remote working, there’s also a wider impact that a less experienced accountant, responding under pressure, in the heat of the moment, may provide guidance and support in good faith. However, “mistakes could come home to roost here, and professional indemnity claims could arise when fresh pairs of eyes.”
Gillett predicts that insurers concerns around the increase in human errors arising from remote working may contribute to a further hardening of the market when insurance renewals are due.
Time is not something that many firms have had over the last couple of months, and client support has been the number one priority. However, even with lockdown easing, remote working (not least to prevent a second wave of infection) is likely to be looked at more carefully.
Jackson recommends that every firm, “Review its business continuity plan, ensure home working is properly covered and create an official policy for home working, including non-data security issues.”
Fox suggests providing guidance to staff on actions that can be implemented immediately: including:
- Don’t share passwords for email, Xero, or Zoom.
- Implement two-factor authentication (2FA) wherever possible
- Create a weekly task to delete the contents of your downloads folder.
- Ask all homeworkers to change their home wifi password.
Regardless of your level of confidence, this seems a timely reminder that quality processes and policies are as essential as ever.