DOINGDATATOGETHER
Is data secure
enough in the
home office?
In the rush to keep businesses going while staff were working from home, Wsecurity issues were sometimes handled poorly, experts tell David Lee
hen the UK locked down in late March and we were all told to work from home if we could, employ-
ers and workers faced up to a seismic change in their relationship.
The logistical challenges in shifting from largely office-based employ- ment to mass home working were immense.
And the need for speed – to main- tain operations, serve clients and customers and keep cash flowing – meant attention to data security was not always a major concern.
As David Goodbrand, a technology and commercial partner at law firm Burness Paull, says: “Some larger organisations were already well set up for home working in terms of data infrastructure and data privacy considerations. But they were very much in the minority – and a lot of businesses are playing catch-up.”
Adarma, an independent securi- ty services company headquartered in Edinburgh, says the pandemic caused “unprecedented business disruption and change, resulting in increased security risks as busi- nesses adjust to new ways of remote working”.
Rory Shannon, director of man- aged services for Adarma, says: “Remote working has its benefits. However, presented with an extend- ed level of freedom and independ- ence, as well as reduced influence of cultural norms and behaviours, staff may be more likely to stray from organisational processes and work- ing practices.
“The traditional working envi- ronment encourages adherence of ‘cyber hygiene’ and organisational policy by default and it’s important organisations support their staff in maintaining security best practices.”
David Goodbrand highlights three specific security challenges arising from the shift to home working:
I Increasing use of personal devices I An exponential rise in the use of third party apps and technology
I Remote working can amplifly known business risks.
In terms of personal devices, Goodbrand says: “Not all staff were issued with their own office laptop or mobile device. Out of necessity, many had to use their own devices to keep working.
“Personal devices do not necessar- ily have the same level of security measures baked in – such as end-to- end encryption, anti-virus software, firewalls and back-up tools.
“If personal devices are not prop- erly managed or updated, there is a heightened risk of compromise by malware, putting personal and work-related information at risk.”
Shannon highlights a range of challenges created by the use of personal devices by employees for work purposes – including a lack of software updates, inconsistency with other work devices in terms of allowing or blocking traffic through firewalls, and the use of prohibited or insecure protocols on the network.
In terms of the rise in third par- ty applications, Goodbrand says: “Apps and platforms have filled a void in the absence of normal work
communication and networking and we have all relied on them for day-to-day working – often from a standing start.
“Many of them, especially video- conferencing apps, faced questions about security capability and func- tionality.
“For organisations dealing with critical and confidential data, it’s a big issue if apps and platforms are not as secure as they should be. You have to look at what’s out there and make the best choice for your organ- isation.”
Goodbrand says firms should carry out data protection impact assess- ments when they introduce new technology or apps.
“Firms had to act quickly and there is a lot of retrospective activ- ity going on, but things are improv- ing,” he says. “Providers are acute- ly aware of security issues and they will continue to improve their tech- nology and security measures in
Threats are constantly changing and with clear intelligence on new Covid-19 related attacks, we see risks increasing
order to minimise vulnerabilities and threats.”
The third risk is more prosaic.
“Working from home means we are surrounded by family or flat- mates, and can be overheard by neighbours,” says Goodbrand. That introduces new risks – an “insider threat” – so avoid having sensitive conversations out loud, leaving con- fidential documents in open view or printing sensitive material at home.
He highlights the scale of the chal- lenge with reference to Burness Paull: “We went from three main offices [Aberdeen, Edinburgh and Glasgow] to almost 600 home offices. Not all businesses have got their head around the complexity of the ongoing data protection challenge that they now face.”
Mandy Laurie, an employment partner at Burness Paull, thinks
      VIRAL VILLAINS EXPLOIT THE PANDEMIC
Online criminals stay up-to-date with the news. When coronavirus first began to spread in Wuhan, the majority of malicious, coronavirus- themed files were submitted
from China and targeted Chinese speakers.
Adarma reports: “As the virus infected more countries, the malicious campaigns mirrored the spread of the virus with new campaigns being seen within days of countries being affected by Covid-19.”
An array of malware was distributed by these “Covid campaigns”, including variants of
HawkEye, TrickBot, Agent Tesla and more.
One of the most common techniques is “spear phishing” – using coronavirus-themed e-mails with malicious attachments.
    22