The risk of working without annoying colleagues

Now that the COVID-19 pandemic is again a reason for companies to ask their employees to work from home as much as possible, it’s good to have a look at the risks that transfer from the office environment to the home environment. Maybe you’re glad that colleagues no longer irritate you by constantly telling you to lock your laptop when you are away. When you go to grab a coffee, it’s no longer necessary to remove your hardware token from the laptop. Does working from home increase or decrease risks?

Access to hardware

When working at the office, colleagues may help by reminding each other to lock the laptop or desktop when leaving the workspace. Also, most office areas are secured with a reception and keycards per department. At home, there are no annoying colleagues to ask you to lock your computer when you are away. With no other persons at home besides a partner and/or children, what’s the risk? However, when a computer still has its hardware token inserted overnight and you’re not at home, multi-factor authentication is no longer operating effectively.

When your computer gets stolen with the hardware token still in the laptop, only one type of authentication needs to be passed with brute force. The computer no longer resides in a multi-layer shell of departments and access-level restrictions. Theft is more likely to take place at home, given that offices are better secured than homes. And when you do not lock your computer while you are away from it, company-sensitive information can be leaked if your computer faces a window.

Access to network

Files and shares are often structured in a library like SharePoint or online disk space, which can be secured with multi-factor authentication. Bring-Your-Own-Device and Use-Your-Own-Device policies have started to appear. Since the files are all located in secured online environments, this seems to be a safe and secure location that is accessible over the internet. But when employees use their own devices, it is uncertain whether those devices are secured appropriately. What if a hacker can access secured spaces by hijacking a device that has access to the secured locations? And what about the network layer, which in most home situations is less secured than at office locations? Using new technologies and working in the cloud makes us more flexible, but let’s not lose our view of the risks. Layered security should be implemented using different techniques.

Measures should transform when processes are transformed

From an audit perspective, when changing processes, keep an eye on the controls that disappear and evaluate whether or not compensating controls must be defined. A clear risk and control framework will support a safe transformation. Also, you should be realistic about the way controls will be executed. Now, most people need to work from home. There are no colleagues who check whether or not your screen is locked when you walk away from your workspace. Also, there is no IT department checking the firewall settings of home devices.

Since we need to innovate to deal with the situation during the COVID-19 pandemic, innovation speeds up. Although high-speed innovation is possible and the Agile method is incorporated in many companies, asking an internal audit department or risk department, or hiring a risk specialist, will help to innovate safely and securely.