Work from home without compromising cybersecurity

How do you have personnel work from home without compromising cybersecurity? With the outbreak of the coronavirus pandemic, more and more organisations are requiring or requesting their personnel to work remotely, generally from home. This practice is also known as telecommuting, and involves your personnel working from their houses, flats or another location remote from the office using the Internet, telephone and other forms of telecommunication. This practice is a necessity for limiting the spread of the virus in the short-term by enabling self-isolation and social distancing, but it also has many other long-term benefits – such as increased productivity, lower staff turnover and lower levels of stress. But, whether you want to take advantage of having your employees work from home to prevent the transmission of COVID-19 or for other reasons – you can’t afford to ignore the cybersecurity implications of your personnel doing work from their own premises, on their own equipment and on their own terms. Let’s discuss working from home and cybersecurity.

Data protection laws require cybersecurity

Relevant data protection laws (such as the GDPR in Europe, CCPA in US state of California, DPA in the UK or POPIA in South Africa) generally require those processing personal data to take appropriate steps to prevent unauthorised access to personal data. What’s appropriate usually depends on:

the sensitivity and volume of the personal data in question;
the prevalence and severity of the risks to that personnel data; and
and the resources and level of technology available to the organisation processing the personal data.

But, the context in which an organisation processes personal data often affects these factors and organisations tend to turn to cybersecurity frameworks for guidance as to what would be appropriate in a particular context.

A popular and robust cybersecurity framework is the ISO 27000 family of standards issued by the International Organisation for Standardisation. It specifically sets out the requirements for an ISMS (information security management system), but it is also useful for understanding cybersecurity more generally – even if you have no intention of creating an ISMS.

Control 6.2.2 of ISO 27002 says that an organisation should implement:

a policy; and
supporting security measures;

to protect information while personnel are working from home. Let’s examine how these safeguards are necessary to have personnel work from home without compromising cybersecurity.

A policy in terms of ISO 27000

ISO 27002 says that the policy should set out requirements for working from home by considering:

dangers associated with personnel using their own premises – such as the physical security of the work-from-home environment and the risk of others sharing the space gaining unauthorised access to information;
communications security requirements of how your personnel will be working remotely – such as the need for remote access to your internal systems and how sensitive the information and systems that your personnel will access is;
digital security requirements for your personnel working remotely – such as whether your personnel need virtual desktop access to stop them from processing information on their own equipment, network infrastructure requirements for home networks and wireless services and the need for endpoint protection, firewalls and other technical safeguards; and
risks associated with personnel using their own equipment – such as the need for intellectual property policies and procedures to stop disputes regarding the ownership of material that personnel develop on their own equipment, the need for private equipment access to your personnel’s own equipment to check its security or during an investigation and licensing fees for software licensed to your organisation that personnel install on their own equipment.

Security measures in terms of ISO 27000

ISO 27002 also says in terms of security measures your organisation should consider:

providing workstation equipment to your personnel for working remotely, particularly where your organisation doesn’t allow your personnel to use their own laptops, desktops or other devices or wants to avoid the risks associated with them doing so;
defining working from home rules for your organisation, including the kind of work that your personnel can do remotely, when they can work remotely and the kinds of information and internal systems that they may access remotely;
providing communication infrastructure, including ways of accessing your internal systems remotely, such as virtual private networks (VPNs), mobile routers or wired connections;
physical security of your personnel’s space and equipment;
family and visitor rules and guidance for access to equipment and information;
support and maintenance, insurance, backup or business continuity and audit and security monitoring procedures for equipment and infrastructure that your personnel are using remotely; and
access control changes and return of equipment when your personnel stop working remotely.

Other issues

ISO 27000 doesn’t speak specifically about a number of other issues that have affected working from home in the wake of the coronavirus, such as:

video conferencing security – with more and more of your personnel having confidential conversations over video conferencing software, do you know whether those services have true end-to-end encryption so that no one (not even the service provider) can intercept those conversations?
phantom IT – with your personnel that were working from company equipment and infrastructure potentially working from their own equipment and infrastructure, how do you make sure that they use the communication, collaboration, file hosting and other cloud-based services that your organisation has control over rather than other services that you don’t?
connectivity – with your personnel doing business over residential Internet connections shared between multiple devices within the same household, how do you make sure those connections are secure and data on work devices is inaccessible to non-work devices?