At home with the hackers

With the majority of UK office workers now logging on from home, many for the first time, how worried should companies be about network security?

Home networks are three and a half times more likely to have a piece of malware operating on them than corporate networks, according to research by Hiscox partner BitSight. They are even more likely to have at least five types of malware present.

“That means they’re more likely to have had one thing go wrong on the network and even more likely to have lots of things go wrong,” explains Stephen Ridley, Cyber Underwriting Manager and Product Head, Cyber and Data Risks at Hiscox.

Home networks are inherently less secure because there is no expert employed to configure and maintain security systems (as there would be in an office environment). Without this technical oversight, people often fail to take even the most basic security steps. “People at home are less likely to be patching their software or changing default passwords on internet-connected devices, and they are more relaxed about the types of websites they go to,” says Stephen.

Even employees with good digital literacy are more likely to let their guard down in these anxious times, and fraudsters have been quick to exploit that vulnerability through phishing emails. “The volume of phishing emails being sent out isn’t actually any different from the baseline, but everything is playing on people’s fears, concerns and interest in what is going on at the moment,” explains Stephen.

Corona phishing

“There’s been a massive shift towards the content of phishing emails being about coronavirus-related matters, such as emails coming out pretending to be from HMRC, playing on the financial support that the government have issued. That is much more targeted than a generic phishing email and it’s much more likely to land.”

As people click on the links, fraudsters build up databases of thousands of email address and password combinations. “The more serious guys are looking to break into corporate networks, so they would be going to the Office365 log in page and trying those details on there,” says Stephen.

In the current context of the Covid-19 pandemic, with staff off sick or being furloughed, dealing with general maintenance, let alone security breaches, can be challenging. “Even if companies have processes in place to deal with cyber security, are they there to keep networks secure in the same way they would in general times?” asks Stephen. “And if an incident does strike a company, can it be dealt with as quickly and easily when a company is working remotely? Can you firefight from a distance?”

Best practice

Some of this pressure can be eased by employees taking some relatively simple but effective steps:

  1. Keeping devices up to date by regularly updating software
  2. Using secure passwords
  3. Changing the default password on a home router to something very secure

As for the steps companies can take, one easy win is to use multi-factor authentication (MFA). This involves entering a one-time code, sent via a mobile phone or another physical device, alongside the username and password, much like using a bank card reader. MFA means fraudsters who have harvested email and password details cannot access the corporate network without that physical device.

Another piece of best practice that Stephen highlights is using virtual private networks (VPNs) to ensure that workers accessing the network remotely are doing so over an encrypted line, keeping any data private.

But people are often the weak link in the chain, bypassing official processes to make their lives easier by transferring data using personal email addresses or cloud-based sharing services, for example. “The business then just doesn’t have that control or oversight on how that data is being used or where it’s located,” says Stephen, pointing to the GDPR issues this behaviour creates and the risk of corporate information entering the public domain. 

Academy training

To help companies navigate these issues and prevent problems from occurring, Hiscox offers online employee training to all of its customers with revenue of up to £10 million through its CyberClear Academy platform. The training helps employees spot phishing emails and understand how to keep business information and systems secure, including using personal devices for work and GDPR considerations.

Stephen cautions that there is only so far a business can go with cyber security, which makes cyber insurance an essential asset. Even if a business has an unlimited IT budget, there would always be something else that they could do, and hackers always find ways around systems if they are persistent enough.

“Almost all of our customers who have claims have security measures in place,” says Stephen. “It’s not like they’re doing the equivalent of leaving their home with the doors and windows open. But, much as criminals still burgle secured houses, they also manage to access secured networks, and that’s what the insurance is there for.”

Regardless of how a cyber incident occurs, whether it’s someone working on their home network or whether it’s someone working in the office, if the business systems are affected then Hiscox will get your business back up and running – fast.