Organizations risk failing cyber security assessments on home networks protection

With various levels of lockdowns in place in many European countries, are smaller companies fighting a losing battle when it comes to renewing cyber security certification? Richard Hughes believes this is the case…

With many organizations operating with a majority of employees working from home, many businesses have not considered the fact that their employees’ home networks now fall under the scope of regulatory and certification requirements. If an individual works from home more than 50 percent of their time, their network must be compliant with current regulations. The only exception would be if they have an always on VPN which all traffic passes through, which is highly unlikely, especially for small and medium sized enterprises (SMEs).

Businesses need to realise that it’s their responsibility to protect their employees’ networks. If they don’t, they’ll fail vital certifications. Part of the issue here is that businesses haven’t received clear guidance on what they need to have in place to achieve or maintain compliance with certification, such as Cyber Essentials in the UK, for example.

With the COVID-19 pandemic forcing the majority of the workforce to do their job remotely, workers are no longer protected behind office infrastructure. SMEs are being hit the hardest right now, and the last thing they need is to find out they are falling out of scope of cyber security requirements and increasing their cyber risk. In addition, the pandemic provided cyber criminals with another way of exploiting individuals and the businesses they work for. In its annual review, the NCSC highlighted that more than a quarter of the incidents which it responded to between September 2019 and August 2020 were related to COVID-19.

Previously, UK organizations could undergo assessments for the Cyber Essentials and Cyber Essentials Plus certifications without worrying about anything other than the security of their office environments. Now under new lockdown restrictions, the majority of the UK workforce will be doing their job from home so organizations need to once again ensure the security of their employees’ networks to protect their business as well as maintain compliance with industry certifications.

Although it appears that this situation calls for a tactical solution, businesses need to think strategically to avoid introducing future risks. Companies will need to ensure that endpoint protection on user devices is up to the task given that most devices will now once again be connected to unmanaged and otherwise unprotected infrastructure. Companies may feel they should postpone vulnerability assessments or penetration tests while systems are perhaps in a more fluid state than usual, but this would be ill-advised. The need for security assessments is even greater during this time of potential instability.

The good news is that accreditation boards such as IASME, have measures in place to allow for remote assessments to be carried out. Without these, a number of companies would not be able to maintain compliance or be able to claim that their baseline security requirements are being met. Despite this, many SMEs still simply have too much remediation to do in a short time.

There is a real possibility that business owners won’t have realised that the onus of ensuring their employees home networks falls on them, which is understandable bearing in mind everything else they have had to contend with this year. But we are calling for all organizations to look at what needs to be done to ensure their security and data integrity to cover all bases. Showing the governing bodies that you are taking steps in the right direction, will go a long way in maintaining certification and will bolster your home workers’ networks, giving you peace of mind.

The author

Richard Hughes, Head of Technical Cyber Security at A&O IT Group.