From King Arthur to the moon landings that (allegedly) didn’t happen, it’s surprising what people want to believe without any real basis in fact.
Cyber security is no different. It’s the perfect landscape for myths – and remote working only brings dangerous new ones.
Home workers are struggling with new systems and apps, often finding their own way and influenced by what they’ve seen or heard. At the same time they are a fast-growing gateway to your data, systems and ultimately, your organisation. Myths and home-workers can be a dangerous combination.
Here are some current myths surrounding home working and cyber security. If your employees believe any of these – your cyber security is at serious risk of breach.
Myth: I work from home using an Apple device – they are more secure
The great ‘Apple are more secure’ debate has been rumbling for years. Apple users pay a hefty amount more for their devices and they generally feel that the price tag carries a higher level of security built in than, say Windows or Android devices. Does it?
Not according to ITSP Magazine. As they put it, “While Mac users would like to believe that their systems are secure, the truth is that Macs really aren’t more secure than Windows PCs.”
The myth seems to date from the earlier days when Windows were more susceptible to viruses than Macs. Today, neither operating system is highly susceptible to viruses, but they are to vulnerabilities and malware. What’s more, an Apple user is just as at risk from an attack through social engineering, where hackers use more personal methods, such as phishing, to target logins and data.
Fact: The same types of threats and threat actors that target other platforms are also targeting Macs and will continue to do so. Mac users need to do just as much good cyber security safeguarding as those who use devices running on Windows or Android.
Myth: Lots of businesses use Zoom for work so it must be safe
A tough day at the office now sounds like ‘I’ve been on Zoom all day”. Since lockdown the use of the videoconferencing platform has skyrocketed. Right from the start, the security of Zoom was questioned amidst unwanted ‘guests’ crashing Zoom calls and requests for the service to offer end-to-end encryption. Like any app, Zoom has various levels of security settings but people are often too hasty to get on that call to set it up securely beforehand.
In all likelihood, your organisation, network or conference is using Zoom (other platforms are available) for sheer convenience. It doesn’t mean they are completely safe. And they certainly can’t be held to account for employees appearing onscreen in front of a list of ‘handy passwords’ they keep on a post-it note behind them. The same principle applies to any service your business is now using to stay connected and productive.
At the time of writing, August 2020, Zoom are in the process of introducing end-to-end encryption (E2EE) in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message.
Fact: A certain level of security is built in to Zoom and services like it. However, it also calls for a degree of common-sense and effort to select the right settings and to remain cyber safe while in use.
Myth: I’m using a VPN so that’s safe
Use of Virtual Private Networks (VPNs) has surged in the pandemic with research quoted by Cnet.com showing UK usage up by 35%, the US by 41% and France peaking at 80%. That increase doesn’t come without risk.
Prior to lockdown, VPNs weren’t something used day to day by all employees and some didn’t always have up to date patches. However, we’ll assume that organisations have now addressed their VPN security, given the increased usage. The real risk comes when people source their own VPN solutions and use them on company business, from home. It’s effectively another DIY workaround, an example of Shadow IT – a topic we’ve covered at length in an earlier blog.
With a VPN, a user’s data is essentially funnelled to a single company, whose servers may be located anywhere, and accessed by anyone. The biggest warning sign will be the ‘free VPN’. A home worker may be tempted to use one, believing it’ll meet a short term need. Free VPNs carry the risk of quiet malware installation, poorly configured encryption and poor privacy policies. There’s no such thing as a free lunch – or VPN.
Anyone wanting to source their own VPN should research what others say about them and make sure they’ve not been involved in any privacy or security scandals. This article could be helpful.
Fact: There are VPNs and there are VPNs. Company owned laptops and other devices might be fitted with VPN access but it still needs to be up to date in order to be safe for home use. Free VPNs are to be avoided.
Myth: Cyber security is the responsibility of my IT department
Long before home working came into our lives, this was a classic ‘pass the buck’ cyber security myth. That somehow the IT department had it all covered because cyber security was an IT issue after all so, no need to worry. That line just won’t cut it anymore, cyber security is of course everyone’s responsibility.
The risk comes when home workers who use company issued devices may still feel cyber security is the company’s responsibility, especially if there’s an IT help desk they can call. Complacency makes everyone a target – wherever they are. Ascentor often describe people as ‘the weakest link in cyber security’ for reasons just like this. If you are online, you’re a target and at even more risk in a remote home-based bubble.
Fact: Cyber security is everyone’s responsibility, no matter what their level in the business. Today’s devices and apps require users to have an understanding of security settings and beyond this, the basics of good cyber security. If you are going to work from home – you have to be secure from home.
Myth: I’ve got anti-virus on my home PC, so that’s safe to use for work
Employees using their own devices for work related tasks isn’t a new occurrence of course. But home working has caused a lot more people to want to use their own kit. That means there are more people wanting to access networks and your data from personal IT devices – and more often.
While an anti-virus is a good thing, it’s no defence when network entry is left wide open due to the usual mistakes of poor passwords and downloading malware. Poor configuration is also a big problem, failure to properly install that anti-virus renders it useless from the start.
Fact: Organisations are going to need to take steps to ensure that the use of personal devices by home workers is configured properly, has extra layers of security, such as two-factor authentication and the use of strong-passwords is encouraged – and they are changed regularly.
Myth: I’d know a dodgy email if I saw one
There’s a perception that phishing emails are all written in poor English and obvious a mile off. That may have been the case a few years back, it’s not now. There’s a very good chance that your finance officer could get an email that looks exactly like it was sent from your MD – in fact they might even get a computer generated voice message to go with it.
The MD says it’s urgent, it all looks legit. It’s been a stressful week. What would you do? Reading this you’d say you’d check, of course you would, but you are not there in the moment. That’s where the danger lies.
Fact: Phishing is getting very sophisticated. Emails, text and voice messages sound and look like the real thing. You need to invest in awareness training and set-up a clear process for employees to raise their concerns about suspicious messages. It should be more than OK to double-check, it should be mandatory.
The exact template of our future way of working is yet to evolve. But, we can be sure that more of us will be working from home and that will mean structural change for many organisations. We feel that the human aspects of cyber security deserve to be high up the priority list.
People believe things for different reasons, but ignorance shouldn’t be one of them – nor should merely having cyber security measures in place. They need to be used correctly too. Cyber criminals see home workers as the new weakest link in the security chain for good reason. Lack of awareness and complacency lower cyber vigilance – that’s a dangerous combination.
You might find this article helpful too
If you are an employer concerned about managing cyber security when working from home, this article will help you put together a robust level of cyber security for your home based employees.
For further information
If you have any questions about managing cyber security for your remote or home based workforce, or need advice on policies and guidance, please feel free to contact the team at Ascentor using the details below.