
Whose Responsibility Is It?

Work from home is going to become the new norm for many organizations across the world, thanks to mother nature. Covid has forced many industries to evolve at an accelerated rate. Financial technology, for example, has seen growth in adoption that under normal circumstances would probably have taken 5 to 10 years.

If there is one great thing about us humans, it is that we can adapt to new conditions. Overall, we are great at rolling with the punches.

Working from home, as is the case with any new dynamic, will introduce new challenges and questions that need to be answered with regard to data protection.

These are some of those questions...

1. Now that I am working from home, is my employer at least partially responsible for the security of my network and personal data?



This might seem like a reach but think about it...

Organizations are constantly targeted by cybercriminals looking to steal sensitive data about users, employees, patients, etc. Cybercriminals could instead go after that same information by targeting users directly, and they do, but chances are that most of you reading this have never been the victim of a cybercrime.

Going after individual users is a lot of work, and the payout is small. On the other hand, a large organization can have thousands of employees, customers, patients, etc. Organizations are also more likely to have the funds and willingness to pay a ransom for encrypted data.

In other words, if you are a cybercriminal, you can hit a bunch of small banks, and with each attack you increase the likelihood that everyone discovers you or your technique. That doesn’t make much sense; it is better to try to hit the bigger bank once. High risk, but also high reward.

However…

That was the old way. Now we are in the new WFH era, where the corporate network extends to your home. Most home networks are not protected with enterprise-grade cyber tools, which makes them a softer target. Additionally, it is now worth it to go after home users because they are usually connected, through their corporate or personal devices, to the organization they work for. It's kind of like this: I hit a little bank that is connected through a tunnel to the big bank. Security is a lot easier to break, and with a little luck, I can get the loot from the little bank as well as the big one.

In this new era, your personal information is at risk because your home network is a gateway to the corporate network. When cybercriminals start targeting home users looking for access to corporate data, anything that gets caught up in the path will get picked up with the rest of the data. That means your personal, financial, and medical information, etc.

Are you concerned that working from home will make you a target for cybercrime? You should be. Is your employer making an effort to ensure that your new working environment is secured? If not, then you should bring it up. Organizations that truly value their employees will not hesitate to invest in the security of their employees, no matter where they are.

Check out this blog from Varonis (a very reputable cybersecurity organization):

https://www.varonis.com/blog/cybersecurity-statistics/

Attacks are on the rise, largely motivated by money, and not surprisingly, most breaches are the result of human error. Someone left the back door open. This brings us to question number 2.

2. If my home network is breached, my corporate device is compromised, and after some time the organization finds out that corporate information has been stolen, am I liable?



This is another very valid question.

If your home network is not sufficiently protected, and a breach occurs that leads to organizational data being stolen or encrypted by ransomware, will you be blamed for the breach?

The one uncontested benefit of having an office is that you can control the environment. You can set clear network boundaries and rules that must be followed if employees, users, patients, customers, etc., are to have access to network resources. In the WFH era, those boundaries are blurred and the rules are not always followed. Maybe you are supposed to log into the VPN to do your work, but you don’t because it is slow, or hard to sign up for, and you are behind on your work and your boss is on your case about meeting deadlines. Maybe you were issued an organizational device to do your work on, but that device is slower than your own, and you have taken it upon yourself to use your personal device instead.

What happens when corporate data gets stolen, along with yours? Whose fault is it? More importantly, whose responsibility is it?

Pretty soon work from home will come with an End User License Agreement. If employers cannot fully protect their data from cybercriminals in the WFH era, they will try to shift the blame to limit liability. This is often what happens: if you cannot assert control, then you distance yourself to mitigate damage.

When the next organizational data breach happens as a result of the corporate network being penetrated from a WFH employee’s home network, how can that WFH employee prove that he/she did not participate in the crime?

It seems as if data breaches are happening all the time. Some organizations have measures in place to mitigate damages and recover; others have insurance to just pay the damages and keep going. One thing has always been certain: the attackers are always thought to be, for the most part, someone outside the organization.

In the WFH era, however, it is a lot harder to “keep your eye” on things (things meaning people). All it takes is one lawyer making the argument that they are not sure how the attack originated, or if the employee might have had any involvement. Next thing you know, WFH positions will come with End User License Agreements. Once the liability is shifted, there is no way to turn that tide.

The bottom line: your home network needs to be protected.

You need endpoint protection (antivirus) on any computer that is being used for work, and if possible a real firewall. These technologies are not cheap, and your employer should at the very least share the cost of these items with you. Everyone benefits from good network hygiene.

Organizations that truly value their human capital will take a proactive approach to data security. Some have already begun making preparations for the future. Endpoint protection software and firewall appliances are being installed on employee devices and home networks; some organizations are also offering their employees credit monitoring services for free or at heavily discounted prices.

If you are a WFH employee, and your network has not gotten better, safer, since you started working from home, it is time to have a conversation with your employer about data protection and network security. Be proactive, ask the questions.

If you must take matters into your own hands…

Start with endpoint protection. It is easy to implement since in most cases it is just software that you install on a device. If you would like to go a step further, get a real firewall router device for your network. Read more on both of these topics:

https://jmdevlabs.blogspot.com/2020/12/network-security-tips.html

 

J.