Director Principle Point
Columnist

Remote IT security: Reinforce the human firewall

Business security is highly regulated in office environments, but cannot be guaranteed when managing a rapidly deployed remote workforce. Richard Sergeant investigates the risks firms are experiencing and what they can do to mitigate them.

20th May 2020

The spike in cyberattacks and coronavirus-related vulnerabilities in recent months has left businesses exposed after hurried arrangements to move to remote working.

As handlers of sensitive client data, accountants have heightened business security risks. Organised criminal gangs specifically target accountants and bookkeepers for this very reason.

“If they can gain access to systems, a simple change of details to things like bank account details on invoices can see cash sent and laundered before it’s even realised,” said Foxability business technology consultant Jonathan Fox.

“Accountants might see this as an IT problem, but the reality is that it is a business issue that can impact the bottom line with the loss of cash, as well as reputation and client relationships,” added Fox. 
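The invoice-tampering attack Fox describes has a simple compensating control: before a payment run, compare the payee details on every invoice with the supplier master record that was verified out of band when the supplier was set up, and hold anything that differs. The following is an added example of that check, not code from the article or from Foxability; the supplier IDs, invoice numbers and bank details are constructed sample data, and the field names are assumptions for the example.

```python
"""Added example, not code from the article or from Foxability: a pre-payment
control for the invoice-tampering attack Fox describes, where a fraudster with
mailbox access edits the bank details on an otherwise genuine invoice.

The control: payee details on an invoice must match the supplier master record
that was verified out of band (for example, by phone to a known number) when the
supplier was set up; anything else is held for manual verification rather than
paid. Supplier records and invoices below are constructed sample data; the
field names and IDs are assumptions for the example.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class BankDetails:
    sort_code: str        # UK sort code, six digits, any separators allowed
    account_number: str   # UK account number, eight digits


def normalise(details: BankDetails) -> BankDetails:
    """Strip spaces and dashes so '40-12-34' and '401234' compare equal."""
    return BankDetails(
        re.sub(r"\D", "", details.sort_code),
        re.sub(r"\D", "", details.account_number),
    )


# Constructed supplier master file: details confirmed with the supplier by
# phone at onboarding, and only ever changed after the same check.
SUPPLIER_MASTER = {
    "SUP001": BankDetails("40-12-34", "12345678"),
    "SUP002": BankDetails("20-00-00", "87654321"),
}

# Constructed payment run. INV-101 carries a changed account number, the
# classic sign of a tampered invoice or a compromised supplier mailbox.
SAMPLE_INVOICES = [
    {"invoice_no": "INV-100", "supplier_id": "SUP001",
     "bank": BankDetails("401234", "12345678")},
    {"invoice_no": "INV-101", "supplier_id": "SUP002",
     "bank": BankDetails("20-00-00", "11112222")},
    {"invoice_no": "INV-102", "supplier_id": "SUP999",
     "bank": BankDetails("11-22-33", "99999999")},
]


def check_payment_run(invoices, master=SUPPLIER_MASTER):
    """Return a list of (invoice_no, verdict, reason) tuples.

    verdict is 'pay' when the payee matches the verified master record and
    'hold' otherwise. A hold is never cleared by replying to the email that
    carried the invoice: that reaches the attacker, not the supplier.
    """
    findings = []
    for inv in invoices:
        known = master.get(inv["supplier_id"])
        if known is None:
            findings.append((inv["invoice_no"], "hold",
                             "supplier not in master file"))
        elif normalise(inv["bank"]) != normalise(known):
            findings.append((inv["invoice_no"], "hold",
                             "bank details differ from verified master record"))
        else:
            findings.append((inv["invoice_no"], "pay", "matches master record"))
    return findings


if __name__ == "__main__":
    for invoice_no, verdict, reason in check_payment_run(SAMPLE_INVOICES):
        print(f"{invoice_no}: {verdict:4} ({reason})")
```

The point of the design is that the master record, not the invoice, is the source of truth for where money goes, and that a "new bank details" note on an invoice or in a covering email is treated as a reason to hold, never as a reason to update the record.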

The weakest link

There is a galaxy of technical security systems out there, yet basic data and IT security are driven much more by staff behaviour. 

Pulse Cyber Security senior consultant Richard Jackson trains firms in a holistic approach to safeguarding businesses systems and processes.

“There is a real overconfidence on how good we are when it comes to prevention and protection, especially as the evidence suggests the weak link lies with your employees, not the software,” said Jackson.

According to Pulse Cyber Security, 75% of data losses are caused by individuals, and these risks can be dramatically reduced by providing good education and policies.

“Staff can create a human firewall but, to do that, everyone needs to be on board and make it part of the business culture – the same way health and safety has become,” said Jackson.

Security starts at home

As the home becomes an extension of the office environment, an equal level of business security must be considered. Security goes beyond the laptop. Every home office should be assessed in terms of security – lockable cabinets, a strong home wifi password, physical home security and, of course, whether devices are shared with the household.

“With children at home, we should not be allowing them to use iPads or laptops that are also used for work emails,” commented Jackson.  

A laptop stolen from the house is a serious security issue, and one that is difficult to explain to the company (and the data on it is far more exposed if the disk is not encrypted). Locking work devices away each night is a simple answer to a potentially high risk.

It is good practice to check if the current insurance on devices covers them being taken or used out of the office – an emerging issue after hastily purchased laptops were distributed in March.

GDPR

GDPR hasn’t gone away either. It’s unlikely that the ICO has the capacity or the goodwill to go in strong on remote working at the moment, but any breach or loss will still need to be reported in the usual manner and may bring unwanted scrutiny.

According to Jackson, if the current situation continues, the company’s nominated Data Protection Officer (DPO) will need to assess and revise current arrangements.

If staff are working from home, a GDPR compliance overhead is created. “It is likely that a fundamental review will be required, including risk assessment on a home-by-home basis and a rewrite of the business continuity plan,” said Jackson.

Impact on insurance

For Howden divisional director Paul Gillett, the lack of businesses purchasing cyber liability insurance is a serious concern. “Less than 10% of SMEs buy cybersecurity cover, and most providers believe that robust IT procedures at home do not exist,” said Gillett. But again, human input is the primary issue: for example, staff offering advice outside their areas of expertise, in an activity that was never declared to the insurer.

With so many individuals adapting to remote working, there is also a wider risk that a less experienced accountant, responding under pressure in the heat of the moment, provides guidance and support in good faith that later proves mistaken. However, “mistakes could come home to roost here, and professional indemnity claims could arise when fresh pairs of eyes.”

Gillett predicts that insurers’ concerns about the increase in human error arising from remote working may contribute to a further hardening of the market when insurance renewals fall due.

Top recommendations

Time is not something that many firms have had over the last couple of months, and client support has been the number one priority. However, even with lockdown easing, remote working (not least to prevent a second wave of infection) is likely to be looked at more carefully.

Jackson recommends that every firm, “Review its business continuity plan, ensure home working is properly covered and create an official policy for home working, including non-data security issues.”

Fox suggests providing guidance to staff on actions that can be implemented immediately, including:

  • Don’t share passwords for email, Xero, or Zoom. 
  • Implement two-factor authentication (2FA) wherever possible 
  • Create a weekly task to delete the contents of your downloads folder.
  • Ask all homeworkers to change their home wifi password.
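On the second recommendation, it helps to see what “implement 2FA” means at the verifying end. The following is an added example, not code from the article or from Foxability: a minimal verifier for the time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps generate. The shared secret used is the RFC 6238 test-vector secret, not a real one; the drift window and replay bookkeeping are the design choices every real verifier has to make.

```python
"""Added example, not code from the article: what "implement 2FA" means on the
verifying side, for the time-based one-time password (TOTP) scheme used by
authenticator apps (RFC 6238 on top of HOTP, RFC 4226).

The server shares a secret with the user's app at enrolment; both sides derive
a six-digit code from HMAC-SHA1(secret, floor(time / 30)). The verifier accepts
one step either side for clock drift, compares in constant time, and refuses
any counter it has already accepted so a captured code cannot be replayed.
The secret below is the RFC 6238 test-vector secret, not a real one.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); never reuse.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): truncate HMAC-SHA1(secret, counter) to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, code: str, at_time: float, last_counter: int = -1,
                window: int = 1, step: int = STEP_SECONDS):
    """Return the time step `code` matched, or None if it is invalid or replayed.

    The caller stores the returned counter and passes it back as
    `last_counter` next time, so each code is usable once even inside the
    drift window. Comparison is constant-time (hmac.compare_digest).
    """
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_counter:
            continue                                  # already used: replay
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    step_hit = verify_totp(DEMO_SECRET, code, now)
    print("code", code, "accepted at step", step_hit)
    print("replayed:", verify_totp(DEMO_SECRET, code, now, last_counter=step_hit))
```

Two things the list item leaves implicit are visible here: the code is only as secret as the enrolment secret (which is why it must not be shared any more than the password is), and a verifier that does not remember the last accepted step lets a phished code be reused for up to a minute.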

Regardless of your level of confidence, this seems a timely reminder that quality processes and policies are as essential as ever.

Replies (1)


By C.Y.Nical
22nd May 2020 08:28

Home networks are potentially a problem if there are insecure WiFi links between devices and the router, if other devices are connected to the router while business traffic is taking place, or if the router is configured insecurely. In my experience the average user would find these risks difficult to understand and mitigate. Would it be overkill to pay for a separate business line and a dedicated router which does not broadcast its SSID and has a WPA-PSK ("password") which is installed on approved devices by the business and not divulged to the user? That wouldn't solve the problem of stolen laptops but it would make it quite difficult for anyone to breach security between the router and the business device. It would also make it difficult for the user to potentially breach security by using an un-approved device to connect to the business network. If it is overkill to have a separate business line the business's router could be connected upstream of the household router and an instruction given that business devices are never to be connected other than directly to that router. Would that work?

There are other measures which could and should be taken to make home working secure and effective. I can see a business opportunity!
