The growth in home working has been predicted for many years; however, it has often been limited to those who work in the technology sector, or been a requirement for those who travel extensively and hence need the ability to work anywhere, rather than just at home.
I remember meeting with a leading communications company many years ago. During the meeting they explained their future vision where everyone would work from almost anywhere, with voice, video and host systems seamlessly integrated, delivering the best customer and user experience. Fast forward five years and I had a déjà vu moment sitting in the same office being told the same story, the only difference being the quality of the PowerPoint. They seemed surprised when I mentioned the meeting five years before and that I was disappointed that instead of being able to join the meeting from home like they had predicted I had to get up early and travel over one hundred miles to hear the same story again!
The company I met had been successful selling home working and mobility solutions, but they had failed to understand the market limitations and to estimate the size of the market correctly. Most importantly, they had failed to consider many of the human behaviours that would limit home working adoption. Some of the major human factors are as follows:
- The belief that if staff are not supervised directly in an office location, productivity will fall.
- The ‘empire’ factor. This is where management actually enjoy being able to physically see their employees and be in control of their employees.
- Camaraderie – where it is thought that the team will function better with face to face interaction.
- Housing situation of employees – where it is considered that the housing situation of employees may not be suitable for home working. An example of this may be where an organisation employs a large number of university students. Housing may not be suitable for home working – either due to bandwidth, or noise pollution.
- The training consideration – existing classroom training may not be available online so employees will still have to attend an office.
- Fear of change – the fact that the organisation has always worked in the same way and individuals are reluctant to change.
In addition to the human factors, they had also failed to consider the home working limitations created by compliance and regulatory considerations. For individuals who process credit card transactions or deal with personal or sensitive data, home working has also been limited unless additional measures are deployed.
The human and compliance factors discussed above impacted the adoption of home working for many years. Some may wish to disagree, but growth in the market was by no means exponential. Companies who needed home workers had them, often limited to specific roles, or level (the need to work in the evenings or weekends). The concept was definitely not new. The growth in collaboration tools was far stronger, but perhaps more focused on linking office to office rather than office to home. Full time home working capability worked for some roles, and not for others, with the normal mode of operation being the Friday working from home.
The major event to change the demand for home working was, and still is, COVID-19. A rapid change in the demand for home working, a major change for the employee, and a massive change for many IT teams. Before the PRINCE project management teams had time to think of a project name, staff were leaving the building. Even the Agile team had just picked up the whiteboard pens before they realised they could not be in the same room together! A massive change faced businesses and organisations on a global scale.
Rapid decisions had to be made, often to prevent businesses suffering such dramatic losses; the existence of the business itself depended on quick decision making. The rapidity of these decisions meant that the normal due diligence was not in place when they were taken. Security and compliance staff were often not consulted in the decision to send staff home to work, or if they were, they did not have time to assess the situation in detail.
So this is the situation many businesses now find themselves in: they now have, and will continue to have, far more home workers than ever before. The home workers fall into three categories:
- Those who used to homework in the past – perhaps not full time, but it was fine for their role, and the market and technology in use were well proven. We will call these ‘the Existing’. These home workers present the least risk to a business.
- Those doing a similar role to the existing group, but due to the human factor reasons discussed above such as the empire building or fears of supervisory control, they were not allowed to homework, however, the technologies in use are perfectly acceptable for their role. We will call these ‘the Expanders’. These home workers present some risk to a business, as they may not be familiar with processes and guidelines for working from home.
- Finally the third group – those now home working in a role that is not really suitable to be performed outside of the office. These are the roles above the traditional home working technology market penetration point; roles that home working technologies were never really suitable for, but because of Covid 19, and only because of Covid 19 are now home based. It is these roles that present the most risk to an organisation. We will call these ‘the Unexpected’.
In the following table the three types of homeworker (the Existing, the Expanding, and the Unexpected) are discussed along with some recommended actions for organisations and the home workers themselves to consider in relation to increasing security and protecting businesses and customers. Note that the same topic areas may be discussed for each user type; however there are variances in the recommendations specific to that user group. At the end is some additional generic advice for the individual rather than an organisation or company.
| Homeworker type | Recommendation | Risk addressed |
| --- | --- | --- |
| Existing | Make sure the infrastructure is secure; work with your communication provider to determine your security requirements – for example the use of VPNs and encryption. For existing home workers this is a step that has usually been done, but it is always good to check and get up to date advice. This may not be the case in the other user types if they have been deployed rapidly. Do not assume, if your organisation has added home workers, that they are all working using the same technologies. | Reduces risk of data loss and exploitation by utilising the most appropriate security technologies |
| | Ensure devices have updates installed when required – make sure your organisation has a patch policy. Staff in the existing group should be used to this process. | Reduces risk of malware and viruses |
| | Make sure employees are familiar with the relevant policies, such as data protection and home working policies. Staff in the existing group should be familiar with these processes; however, it may be appropriate to run a refresher course online, especially in response to the increased fraud rate as a result of Covid 19. | Reduces risk of non-compliance with policies |
| | All staff should be trained to recognise social engineering, fraudulent attempts to exploit staff to obtain information, and email phishing scams. Home workers can be more susceptible to social engineering due to the fact that they don’t have someone close by to check things with. Many organisations have already introduced this training for home based workers, but not all; check if this is the case with your company. | Reduces risk of data loss and fraud |
| | Utilise appropriate virus protection (often in addition to those that may come with the operating system). | Reduces risk of malware and data loss |
| Expanding | Make sure the infrastructure is secure; work with your communication provider to determine your security requirements – for example the use of VPNs and encryption. Note, if home workers have been deployed rapidly as a response to Covid 19, they may not be using the same technology as existing home workers. Do not assume they are all working using the same technologies. | Reduces risk of data loss and exploitation by utilising the most appropriate security technologies |
| | Ensure devices have updates installed when required – make sure your organisation has a patch policy. Staff in the ‘expanding’ group may not be used to this process as office based workers often leave their machines on all of the time. | Reduces risk of malware and viruses |
| | Make sure employees are familiar with the relevant policies, such as data protection and home working policies. Staff in the expanding group may not be familiar with these processes (particularly the home worker policy). Even if they are, it may be appropriate to run a refresher course online, especially in response to the increased fraud rate as a result of Covid 19. | Reduces risk of non-compliance with policies |
| | All staff should be trained to recognise social engineering, fraudulent attempts to exploit staff to obtain information, and email phishing scams. Home workers can be more susceptible to social engineering due to the fact that they don’t have someone close by to check things with. Many organisations have already introduced this training for home based workers, but not all; check if this is the case with your company. In the case of the Expanding group, it is good to check they have received such training, as this may have been overlooked in the rush to get staff working from home. | Reduces risk of data loss and fraud – Note there has been an increase in the cases of fraud during the Covid 19 pandemic. All organisations should consider regular updates to staff to keep them informed on the latest threats and techniques being used by the fraudsters. |
| | Utilise appropriate virus protection (often in addition to those that may come with the operating system). | Reduces risk of malware and data loss – This applies to all user types. |
| Unexpected | Make sure the infrastructure is secure; work with your communication provider to determine your security requirements – for example the use of VPNs and encryption. Note, if home workers have been deployed rapidly as a response to Covid 19, they may not be using the same technology as existing home workers. Do not assume they are all working using the same technologies. The unexpected group may need additional technologies to support them in their role – for example if they take credit card payments over the phone additional software may be required to protect the credit card data. This may have been overlooked at the time of deployment and may be required to comply with PCI DSS regulations. Examples of this may be DTMF suppression software. | Reduces risk of data loss and exploitation by utilising the most appropriate security technologies |
| | Ensure devices have updates installed when required – make sure your organisation has a patch policy. Staff in the ‘expanding’ group may not be used to this process as office based workers often leave their machines on all of the time. | Reduces risk of malware and viruses |
| | Make sure employees are familiar with the relevant policies, such as data protection and home working policies. Staff in the Unexpected group may not be familiar with these processes (particularly the home worker policy). Even if they are, it may be appropriate to run a refresher course online, especially in response to the increased fraud rate as a result of Covid 19. In addition, staff in the expanding group may require the introduction of new content to existing policies to cover their role. | Reduces risk of non-compliance with policies and ensures staff are working to company standards to reduce fraud risk |
| | All staff should be trained to recognise social engineering, fraudulent attempts to exploit staff to obtain information, and email phishing scams. Home workers can be more susceptible to social engineering due to the fact that they don’t have someone close by to check things with. Many organisations have already introduced this training for home based workers, but not all; check if this is the case with your company. In the case of the Unexpected group, it is good to check they have received such training, as this may have been overlooked in the rush to get staff working from home. They are also the most likely group to have not been trained in this subject. | Reduces risk of data loss and fraud – Note there has been an increase in the cases of fraud during the Covid 19 pandemic. All organisations should consider regular updates to staff to keep them informed on the latest threats and techniques being used by the fraudsters. |
| | Utilise appropriate virus protection (often in addition to those that may come with the operating system). | Reduces risk of malware and data loss – This applies to all user types |
| Additional Information | Conduct a network security evaluation. Speak to your communication provider about the best way to test the security of your communications environment, evaluate your organisation's work practices, and evaluate your staff training. | |
Home Working: Information for the individual
- Obtain as much information as possible to support your security strategy in the best possible way. One key source of information is the Verizon Risk Report (Other sources of information are available but this is the one I am most familiar with).
- As an individual working from home, sign up to newsletters from trusted, well-known organisations to stay up to date with security threats. This could save you from being in the awkward position of being the cause of a data breach.
- Consider who can see or hear what you are saying or typing on your screen. Is where you work overlooked? Do you live and work in accommodation with shared areas, such as student accommodation or shared houses? Have you got tradespeople working in your home at the moment? Or do you work with the windows open in the summer – could the person next door be writing down sensitive information you deal with on the phone?
- Also consider where you keep important work data. Try to lock files and laptops out of sight when not in use; this may prevent the need for you to report a data loss. Remember fines for a data breach under GDPR can be up to 4% of an organisation's global turnover. Seldom will a career survive being the cause of such a fine.
- Make sure you change the password on your home network. If you are not sure how to do this, your internet provider should be able to tell you how.
- Make sure you read the policies of the company you work for. Make sure you stick to the rules, as failure to do so could be very bad for your career. Also remember to try and keep your private and work life separate. If the kids' school account needs topping up with dinner money, or that eBay auction is close to ending, it is always best to use your personal device, not your work device.
To conclude, we are seeing a fundamental shift in the way we work and the way in which we will continue to work. It is inevitable that during Covid 19 difficult and rapid decisions have been and will continue to be made. It is important that all decisions are reviewed as we learn more about the situation we face. We need to remember that decisions made quickly may not always be the right ones, but they may have seemed right at the time, and not to seek retribution on those who were brave enough to make tough decisions in stressful times. This applies as much to any other decisions we make in response to Covid 19, not just those in relation to the topics discussed in this document. May I finish by wishing you success in protecting the work that you do and the data that you process, and may I wish that you and your loved ones keep well in the overall Covid 19 situation.
Author: Michael Cheshire, Advanced Communications Specialist at Verizon