The relatively new work-from-home arrangement has exposed organisations to a series of cybersecurity threats and risks. Corporate data can be accessed (via hacking and other means) from laptops and home PCs that may not have the same level of security as in-office setups and, hence, are likely to be more vulnerable to cybercrime.
According to a leading research, 71 percent of technology teams globally reported increased data theft risk, leakage, and breaches brought on by work-from-home. Since the lockdown, the world has observed increased rates of phishing attacks and malicious websites.
A common risk in the work-from-home scenario is that apart from official communication apps installed on endpoint devices, employees have started opting for alternate mediums/channels including web-based collaboration platforms and mobile phone internet calling apps for official communication. These alternate channels of communication, if not aptly governed by an organisation's IT policy, pose the risk of exposed official communication to external attacks.
Organisations tend to have data protection and cyber security policies in place for employees who are virtually connected to the office network. However, when employees use other networks (home networks, public WiFi networks, etc) for work purposes, they go beyond the perimeter of protection offered by the company’s policies and tools.
Further, within office premises, the I.T. team can configure the network access, WIFI, firewall rules, and Data Loss Prevention (DLP) checks so that any non-compliance can be red flagged immediately and the risk of data loss or a possible attack can be mitigated at an early stage. However, in a home or public environment, this may be challenging.
Firewall configuration in a home environment versus an office environment can be different as the purpose of internet access is different.
Company-provided assets tend to come with special configurations to ensure data privacy and the ability to recover data if the system crashes. Company-provided assets also have encryption on their laptops to ensure that only the person who has the right and credentials to access the system will be able to login.
Beyond infrastructure-related challenges, remote working has also exposed the limited knowledge of data privacy and cybercrime amongst employees. On-the-job trainings need to be provided to employees at large on how to identify suspicious emails, access official data over the cloud using multi-factor authentication, and how to backup data in a secured manner. Some other considerations include:
Being cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do (such as changing an office account password, etc.).
Ensuring authenticity of sources to carry out transactions in one’s personal life. Ideally one should avoid clicking on promotional links in emails from unknown sources, and instead, search or filter for goods and services on authentic retailer websites with positive user reviews.
Using different passwords for different applications and accounts accessed. Most people tend to use the same password for accessing multiple portals and transacting for ease of remembering them. But should this password be hacked, the hacker can access all other platforms and compromise the user’s digital identity.
Note: The authors of the article are Jayant Saran, Partner, Forensic – Financial Advisory, Deloitte India; Sachin Yadav – Director, Deloitte India; Rahul Vallicha – Manager, Deloitte India, and Prachee Ratnaparkhi – Assistant Manager, Deloitte India.