Top 5 WFH Cyber Risks for 2021 and how should the DPO mitigate these risks?

The world is changing. The way we work, the way our businesses operate and how they interact with one another, are all evolving at a rapid pace during this pandemic. As technology continues to advance, cyber threats are becoming increasingly prevalent and can impact your organisation’s ability to function effectively.

With the digital economy, cybersecurity has become an integral part of every aspect of modern life – especially at the workplace. From mobile devices and cloud-based applications to social media platforms and online shopping portals, it seems like most things that people use on a daily basis may be vulnerable to attacks. Moreover, if hackers gain access to these systems, they may steal sensitive data or even shut down the critical services of a business completely.

Here are the top five work from home (WFH) cyber risks that organisations face today:

1. Phishing scams

With the increase in companies implementing WFH measures for employees, global phishing scams have become more prevalent. Phishing, a method that cyber criminals use to fraudulently obtain sensitive information, such as your login details, can lead to a number of adverse effects on a business, including monetary losses, intellectual property loss, reputation damage, as well as operation delays and disruptions. These negative effects could converge to lower the organisation’s value, sometimes irreparably.

Best practices:

• Check sender address in digital correspondences
• Contact the sender to verify if unsure
• Check for clues, such as grammatical errors
• Create awareness of phishing and scams through training/newsletters
• Subscribe to regulatory agencies’ newsletters

To get a better understanding and have a hands-on approach to information and cyber security from a management perspective, check out the Information & Cyber Security for Managers – EXIN Certification course here.

To read more about data protection trends and the important role of the Data Protection Officer (DPO), read our Data Protection 101 guide.

2. Weak passwords

In many cases, hackers gain access to corporate networks through weak combinations of usernames and passwords that are easy to guess and exploit.

Best practices:

• Use a strong, difficult-to-guess password
• Use a password manager
• Do not share/expose passwords
• Always use multi-factor authentication where possible

3. Unencrypted file sharing

File sharing enables organisations and their employees to share and edit electronic documents with ease. Small and large organisations have increasingly used file sharing applications for more convenient collaboration and to raise productivity. However, data security nightmares can occur if files are shared without encryption, especially those with sensitive personal data.

Best practices:

• Password-protect files and folders before sharing
• Use separate modes of communication to send the encrypted file/folder and password
• Use existing secure mail functions available in email systems (Gmail/Outlook)

4. Unsecured home Wi-Fi

As employees are working from home, they are utilising their home Wi-Fi network to access the organisation’s network and systems for work purposes. This may be a risk as home Wi-Fi may have security gaps that hackers can exploit to access the organisation’s network.

Best practices:

• Check Wi-Fi encryption settings
• Use a strong, difficult-to-guess password
• Share Wi-Fi access using QR codes
• Disable the Wi-Fi Protected Setup (WPS) feature
• Update your router’s firmware

5. Working on personal devices

Employees may choose to use their own personal devices for work purposes, and the organisation should factor this in as a risk. For instance, the employee's family members might surf the Internet after the employee has finished their work for the day on the same computer. Family members might accidentally click on phishing emails, resulting in a virus or malware being installed on the device, and the employee may then expose the company's network unknowingly, resulting in unauthorised access.

Best practices:

• Ensure that personal devices are password-protected
• Ensure that the storage of these devices are encrypted
• Create a non-admin profile for shared use by family members

How can an organisation’s Data Protection Officer (DPO) help mitigate these risks?

The organisation must ensure that there is a plan to address these WFH cyber risks head-on. It is vital to implement new policies and procedures, train staff members in best practices and create a plan to monitor employee behaviour. The organisation can consider focusing on the following three key areas:

• Employee training 
  • Empower employees with the knowledge to identify phishing emails
  • Teach the dos and don’ts of WFH
• WFH policy
  • Develop, implement and communicate the WFH policy
  • Create a Call Tree to facilitate notification during incident handling
  • Ensure staff perform regular software updates
• Infosecurity policy
  • Ensure that there is an escalation process (regulators, DPO and management) that is communicated to employees
  • Set up a standard operating procedure (SOP) for the loss of a personal device that has been used for work purposes

As a result of repeated breaches in the new normal of dispersed WFH workforces, cybersecurity and data protection are now in the spotlight. In order to mitigate cyber risks, it is imperative that data protection offices work closely with IT departments to monitor, operationalise and communicate new or updated policies and best practices to all employees.

This article was adapted from our webinar. Join us in our webinars discussing the latest updates in data protection and privacy by checking out our events calendar here.