Work From Home is going to become the new norm for many organizations across
the world thanks to mother nature. Covid has forced many industries to evolve
at an accelerated rate. Financial technology, for example, has experienced
growth in adoption that under normal circumstances would probably be
observed across 5 to 10 years.
If there is one great thing about us humans, it is that we can adapt to new conditions.
Overall, we are great at rolling with the punches.
Working from home, as is the case with any new dynamic, will introduce new
challenges and questions that need to be answered with regard to data
protection.
These are some of those questions...
1. Now that I am working from home, is my employer at least partially responsible for the security of my network and personal data?
This might seem like a reach but think about it...
Organizations are constantly targeted by cybercriminals looking
to steal sensitive data about users, employees, patients, etc. Instead,
cybercriminals could go after that same information by targeting users
directly, and they do, but chances are that most of you reading this have never
been the victim of a cybercrime.
Going after individual users is a lot of work, and the payout is small. On
the other hand, a large organization can have thousands of employees,
customers, patients, etc. Organizations are also more likely to have the funds
and willingness to pay a ransom for encrypted data.
In other words, if you are a cybercriminal, you can hit a bunch of small
banks and with each attack, you increase the likelihood that everyone discovers
you or your technique. That doesn’t make much sense; it is better to try to hit
the bigger bank once. High risk, but also high reward.
However…
That was the old way. Now we are in the new WFH era, where the corporate
network extends to your home. Most home networks are not protected with
enterprise-grade cyber tools, which makes them a softer target. Additionally,
now it is worth it to go after home users because they are usually connected
through their corporate or personal devices to the organization they work for.
It's kind of like this: I hit a little bank that is connected through a tunnel
to the big bank. Security is a lot easier to break, and with a little luck, I
can get the loot from the little bank as well as the big one.
In this new era, your personal information is at risk because your
home network is a gateway to the corporate network. When cybercriminals start
targeting home users looking for access to corporate data, anything that gets
caught up in the path will get picked up with the rest of the data. That means
your personal, financial, and medical information, etc.
Are you concerned that working from home will make you a target for
cybercrime? You should be. Is your employer making an effort to ensure that
your new working environment is secured? If not, then you should bring it up.
Organizations that truly value their employees will not hesitate to invest in
the security of their employees, no matter where they are.
Check out this blog from Varonis (a very reputable Cybersecurity
organization)
https://www.varonis.com/blog/cybersecurity-statistics/
Attacks are on the rise, largely motivated by money, and not surprisingly,
most breaches are the result of human error. Someone left the back door open.
This brings us to question number 2.
2. If my home network is breached, my corporate device is compromised, and after some time the organization finds out that corporate information has been stolen, am I liable?
This is another very valid question.
If your home network is not sufficiently protected, and a breach occurs that
leads to organizational data being stolen or encrypted by ransomware, will you
be blamed for the breach?
The one uncontested benefit of having an office is that you can control the
environment. You can set clear network boundaries and rules that must be
followed if employees, users, patients, customers, etc., are to have access to
network resources. In the WFH era, those boundaries are blurred and the rules
are not always followed. Maybe you are supposed to log into the VPN to do your work,
but you don’t because it is slow, or hard to sign up for, and you are behind on
your work and your boss is on your case about meeting deadlines. Maybe you were
issued an organizational device to do your work on, but that device is slower
than your device, and you have taken it upon yourself to use the personal device
instead.
What happens when corporate data gets stolen, along with yours? Whose fault
is it? More importantly, whose responsibility is it?
Pretty soon work from home will come with an End User License Agreement. If
employers cannot fully protect their data from cybercriminals in the WFH era,
they will try to shift the blame to limit liability. This is often what
happens: if you cannot assert control, then you distance yourself to mitigate
damage.
When the next organizational data breach happens as a result of the
corporate network being penetrated from a WFH employee’s home network, how can
that WFH employee prove that he/she did not participate in the crime?
It seems as if data breaches are happening all the time. Some organizations
have measures in place to mitigate damages and recover, others have insurance
to just pay the damages and keep going. One thing has always been certain: the
attackers are always thought to be, for the most part, someone outside the
organization.
In the WFH era, however, it is a lot harder to “keep your eye” on things
(things meaning people). All it takes is one lawyer making the argument that
they are not sure how the attack originated, or if the employee might have had
any involvement. Next thing you know, WFH positions will come with End User
License Agreements. Once the liability is shifted, there is no way to turn that
tide.
The bottom line: your home network needs to be protected.
You need endpoint protection (antivirus) on any computer that is being used
for work, and if possible a real firewall. These technologies are not cheap,
and your employer should at the very least share the cost of these items with
you. Everyone benefits from good network hygiene.
Organizations that truly value their human capital will take a proactive approach to data security. Some have already begun making preparations for the future. Endpoint protection software and firewall appliances are being installed on employee devices and home networks. Some organizations are also offering their employees credit monitoring services for free or at heavily discounted prices.
If you are a WFH employee, and your network has not gotten better, safer, since you started working from home, it is time to have a conversation with your employer about data protection and network security. Be proactive, ask the questions.
If you must take matters into your own hands…
Start with endpoint protection. It is easy to implement since in most cases
it is just software that you install on a device. If you would like to go a step
further, get a real firewall router device for your network. Read more on both
of these topics:
https://jmdevlabs.blogspot.com/2020/12/network-security-tips.html
J.