WFH could heighten cyber security risks – experts

The work-from-home (WFH) arrangement appeared to be the safest way for employees and businesses to continue operating during the pandemic, but it also exposes companies to heightened cyber security risks, studies showed.

In a presentation at the virtual “Safeguarding your Online Presence in times of Pandemic”, Jefferson Erick Alindogan, director of Strategic Intelligence Business Profiles Inc., tackled work from home privacy and security challenges among companies during the pandemic.

Alindogan noted that a home environment with not enough security provisions from the company and the employee could be a source of data breach.

Alindogan cited a study by Fenwick which showed that 90 percent of American employees surveyed are now handling intellectual property, confidential and personal information in their homes. Also, 70 percent of survey respondents don't receive any proper training or mandatory standard procedures when it comes to information security.

Notably, 50 percent of respondents perceived the home working environment to be mildly and severely less secure, while 56 percent of Americans surveyed don’t have clear understanding or simply do not know on what steps to take in the event of a data breach/cyber attack.

There is also a perception that getting home security controls or measures or support from their companies is getting expensive.

Alindogan also corrected the notion that cyber security crimes only happen to large or multinational organizations.

“When we talk about cyber threats or cyber crimes, they are not only limited to big companies or multinational organizations,” he warned at The IFSEC Philippines webinar.

He cited the Verizon Data Breach Investigation Report to emphasize that cyber criminals also attack small businesses.

The study showed that 43 percent of breach victims were small businesses, and 34 percent of data breached involved internal actors. The same survey showed that 15 percent of companies found millions of files open to every employee.

“Cyber attacks do not discriminate,” he emphasized.

 “Cyber criminals do not care whether or not you're a man or a woman, child or an adult. Regardless of your class, or what not, cyber criminals are just there waiting for an opportunity for them to be able to take advantage.”

This is no secret also that most of cyber crimes have to do with money. The study showed that 71 percent of breaches were financially motivated and 25 percent is due to espionage.

The most common data targets are phone numbers and email accounts where scammers barrage data subjects with messages. The higher form of targeted data include complete name and photo or specific identifier and online credentials while the more serious kind of data targets are home/office address, government and medical information and bank/credit information.

As the world gets wired up, cyber criminals are getting more sophisticated to steal personal data for financial gains. Thus, the need to strengthen controls, especially for WFH employees is critical.  

Alindogan explained that WFH breaches happen when an employee works in an area at home that is not secure or accessible to other people, allowing others to get into and look into the work the employee is doing.

For instance, he noted of home office setup with unobstructed windows and no access controls for people to get in. The lack of access controls, he said, could not prevent outsiders or family members from reaching some of your company information or documents.

“The common office home setup may not appear a risk from a non-security perspective, but it could be vulnerable to cyber criminals,” he emphasized.

This problem all stemmed from minimum employee supervision since most employees are actually operating within their houses or their residences where supervision is very minimal. Aside from that, there is also increasing low compliance to company security policies.

Another reason Alindogan was looking into is that since most employees are working remotely, they're working outside IP protection.

“Basically they are on their own individually. They’re individualized when it comes to antivirus software's firewall. Because of no IP security support, employees are also very vulnerable when it comes to cyber crime,” he pointed out.

Another risk is relatively normal security and complacency, which caught many by surprise. He noted there were only minimum companies that were able to prepare, not only within their organization but also their employees.

With the real threats from cyber criminals, Alindogan stressed the need for prevention and protection. He urged enterprises to establish dynamic and all encompassing security policies. This should take into consideration the company’s core values, security policies and issues, new capability and support, and company-employee collaboration. “A security system is like a tree. It should never stop from growing,” he concluded.