Working from home, is your office data security compromised?

Key security considerations for home and mobile workers

In many cases executive IT and security professionals trust their Information Security departments to provide adequate security to protect employees while operating in their business environment. However it is rare for users to extrapolate this security to a home environment.

What does this mean in practical terms? Well, an enterprise will normally provide a risk analysis of a security threat and then provide adequate controls to mitigate that risk to an acceptable level. And users need to consider the same things when at home. So what are the considerations which IT directors should take into account when looking at cyber security provisions for mobile workers?

Key security questions outlined below:

1. Is the home network secure? Consider the following points; do employees use wireless and have they enabled the security features? In practical terms this means, do they use WPA with a key which is sufficiently complex to avoid dictionary attacks?
2. Do they have an up to date Anti Virus package which is set to receive automatic updates to avoid the latest attacks. Does it offer full malware coverage? Do they ensure the AV package is running (be aware that some viruses will disable the AV if it can)
3. Is their firewall capability enabled at their router and if so, do they look at the logs?
4. Do they scan their systems regularly and do they check the reports?
5. Is their software regularly checked for the availability of security updates, and are these installed when they become available?
6. Is their software up to date – or do they run older versions which may not be as secure?
7. Do they use custom software where vulnerabilities aren’t automatically installed, and if so, how do they ensure they are manually update?
8. Do they use reputable file sharing and Instant Messaging technology and sites? Is the technology up to date?
9. What do they do if they observe unusual behaviour on their system (e.g. if the system behave slowly)?
10. Do they look at the URL they are connected to and ensure it is what they expect?
11. If they connect to systems which request payment details – do they check that the website is reputable, that the SSL certificate is valid, signed and belongs to the organisation that they expect?
12. Do they all understand the implications of opening attachments/files from unexpected emails?
13. Do they understand that reputable organisations will never request authentication details via emails?
14. Do they set their browser and AV to ensure add-ons, Active X controls etc. aren’t installed without user action required to confirm?
15. Do they avoid offers of “free scans” and pop up offers in general?
16. Do they use a standard password for all logins – or do they mitigate risks by using separate passwords for different applications?
17. Do they have complex passwords and do they change them regularly?
18. Do they treat any unsolicited messages/mails with suspicion?
19. Do they use public systems and if so, do they change the passwords they utilised, when they return home?
20. Do they use any software provided by their financial institution to improve security e.g. one time passwords, extra keystroke protection etc?
21. Do they check their credit card statements, online bank accounts etc. for any unusual or unexpected transactions?
22.  Do they encrypt very important files on their disk – in case of theft? E.g. (password files, bank details etc.)
23.  If they have to replace disks or systems do they ensure all data is deleted on their old systems? Is the engineer reputable who comes to replace/repair disks?
24.  Are all members of the family aware of these risks and act in the same way?
25. Do they ever check running processes to see if there is anything unusual and how do they validate unusual vs. usual?

The above list outlines key security considerations; however the important thing to be noted when reviewing your organisation’s, or even your own personal cyber security, is that no single control will protect users from attacks. IT directors and individuals simply have to make it as difficult as possible for hackers to get through.

Robin Adams, is director of fraud, security and risk management at The Logic Group