What are the cybersecurity risks of working from home?

In Take 5, Sheridan's thought leaders share their expert insight on a timely and topical issue. Learn from some of our innovative leaders and change agents as they reflect on questions that are top-of-mind for the Sheridan community. 

More people are working from home than ever before, and cybercriminals are trying to cash in. According to a Statistics Canada survey, 42% of Canadians experienced at least one type of cybersecurity incident in the first nine months of the COVID-19 pandemic, and 36% of those Canadians experienced a loss as a result of the incident.

In this installment of Take 5, Nick Johnston of Sheridan’s Honours Bachelor of Applied Information Sciences (Information Systems Security) degree discusses the cybersecurity risks of working from home, what employers and employees can do to minimize them, and how the movement towards remote work is impacting the cybersecurity industry.

1. What are the cybersecurity risks of working from home?

When you’re in your office, you’re connected to your employer’s Wi-Fi or network, which allows them to control communication between all of your devices and the outside world, including email and file sharing. But when you’re working from home, you’re on your own network with other devices in your home, which increases your exposure.

There are other things about working remotely that can make you more vulnerable, like how we tend to be more relaxed when we’re at home. We might not be quite as diligent with security practices such as locking our screens when we leave our desks, or as vigilant about phishing — fraudulent communications designed to trick you into revealing sensitive information. For example, you may be more likely to click on a phishing email about returning to work because we’ve all been so eager for information during the COVID-19 pandemic.

2. Why are employers’ networks typically safer than a home network?

In a typical office, you’re safeguarded by network security features such as firewalls and spam filtering. There’s also virus and malware detection that takes place through the use of an Endpoint Detection and Response (EDR) utility, which identifies things happening on your machine that might impact security.

Even if you’re running an EDR utility on your machine at home, it takes a little longer for that information to make it back to your IT security team. So, if you get hit by something like ransomware that will try to encrypt your files and then demand a ransom for access to them, your IT department might not be able to stop it before it affects the data on your machine.

3. Are there any particular sectors or types of businesses that are most targeted by cybercriminals or most vulnerable to attacks?

Every year, Verizon publishes a great report about data breaches. In the last couple of years, it seems that education, health care and government have been the industries most affected by breaches.

Cybercriminals going after government information makes sense, and the targeting of education and health care could be related to budgetary constraints or some of the protected/personal health information (PHI) data that is available. PHI is extremely valuable to cybercriminals for a number of reasons, including blackmail and extortion (they can threaten to leak your conditions or medications), fraud (they can pretend to be you to get medical equipment and prescriptions) or traditional identity theft.

Conversely, cybersecurity in the manufacturing sector has really made great strides in a short period of time. That could be because of the industry’s long history of examining its processes and looking at structured approaches to improvement.

4. What measures can employers and employees take to offset increased risks of working from home?

Email vigilance is a big one, since the most significant vector for attacks tends to be phishing. When you get an email that sounds threatening or a bit too urgent, take a few seconds to think about it. There’s nothing wrong with showing a co-worker and asking, “Hey, does this look right to you?”

It’s also important to have technical discipline, such as not using the same passwords all the time. If a website you use is breached and cybercriminals discover your password, they’re going to try to use that password everywhere else. Using a password manager — an online tool which enables you to store unique passwords for every website without having to worry about remembering them — can help a lot.

Using a VPN (Virtual Private Network) allows you to have a more secure connection with your workplace and any resources you might need.

And don’t do things like turn off anti-virus because you think it speeds up your computer (that’s not a thing anymore) or not allow your computer to do updates. Employers can put the update schedule and the antivirus software and the VPN software on their employees’ laptops, but there’s also accountability on the employee’s part to make sure they are using those things.

5. What impact will the increase of work-from-home arrangements have on cybersecurity in the next five years?

Without getting too jargony, there’s a term in cybersecurity right now called Zero Trust. Traditionally, company networks have been like a castle that is surrounded by a wall or a moat, which is the firewall that forms a perimeter. Everyone inside the castle walls was trusted — a good guy, someone on my team. Now, with so many people working remotely and using so many different resources to do their jobs, the concept of Zero Trust says there is no internal anymore. There is no trusted safety perimeter.

What makes the Zero Trust model a bit trickier or more complicated is that we need more authentication measures to prove people are who they say they are. You may need to type in your password again, or you may get a multifactor authentication prompt. Security will look at what time you’re logging in and what country you’re logging in from so that it can build patterns and baselines, and whenever you deviate from those, the standard will be to ask for more information.

On the whole, however, I’m a bit of an optimist about where cybersecurity is right now. We’re no longer bombing down dirt roads when we go on the internet. We’re on a controlled highway. That said, there can still be collisions, accidents and treacherous conditions, so we still need to be diligent and vigilant.

Nick Johnston is the coordinator of Sheridan's Honours Bachelor of Information Sciences (Information Systems Security) degree and a member of the program's first graduating cohort in 2008. Prior to returning to Sheridan as a professor, Nick worked as a forensic technology services senior consultant for KPMG and was Vice President, Global eDiscovery, Forensic Technology and Information Security Services for Duff & Phelps. Nick also holds his Master's degree in Computer and Information Systems Security/Information Assurance from the University of Davenport.

Interested in connecting with Nick Johnston or another Sheridan expert? Please email communications@sheridancollege.ca

This interview has been edited for length and clarity.