SMEs risk failing cyber security assessments if they don’t protect home networks
November 2020 by A&O IT Group
With a second national lockdown now in place, are SMEs fighting a losing battle when it comes to cyber security certification?
With the nation back in lockdown and most staff working from home, many businesses have not considered that their employees’ home networks now fall within the scope of regulatory and certification requirements. If an individual works from home for more than 50% of their time, the network they work on must meet the same requirements as the office network. The only exception is an always-on, full-tunnel VPN through which all of the device’s traffic passes, which is an unusual setup, especially for SMEs.
“Now that the majority of the workforce is back to working from home, businesses need to realise that it’s their responsibility to protect their employees’ networks as, if they don’t, they’ll fail vital certifications,” states Richard Hughes, Head of Technical Cyber Security at A&O IT Group. “Part of the issue here is that businesses haven’t received clear guidance on what they need to have in place to achieve or maintain compliance with regulations such as Cyber Essentials.”
With the COVID-19 pandemic forcing most of the workforce to work remotely, employees are no longer protected by office infrastructure. SMEs are being hit hardest, and the last thing they need is to discover that they no longer meet cyber security requirements at the same time as their cyber risk is increasing. The pandemic has also given cyber criminals another lure for exploiting individuals and the businesses they work for: in its annual review, the NCSC reported that more than a quarter of the incidents it responded to between September 2019 and August 2020 were related to COVID-19.
Previously, UK organisations could undergo assessment for the Cyber Essentials and Cyber Essentials Plus certifications with little to consider beyond the security of their office environments. Under the new lockdown restrictions, most of the UK workforce will be working from home, so organisations must once again ensure the security of their employees’ home networks, both to protect the business and to maintain compliance with industry certifications.
“Although it appears that this situation calls for a tactical solution, businesses need to think strategically to avoid introducing future risks. Companies will need to ensure that endpoint protection on user devices is up to the task given that most devices will now once again be connected to unmanaged and otherwise unprotected infrastructure,” continues Hughes. “Companies may feel they should postpone vulnerability assessments or penetration tests while systems are perhaps in a more fluid state than usual, but this would be ill-advised. The need for security assessments is even greater during this time of potential instability.”
The good news is that accreditation bodies such as IASME have measures in place that allow assessments to be carried out remotely. Without these, a number of companies would be unable to maintain certification or to claim that their baseline security requirements are being met. Even so, many SMEs simply have too much remediation to do in a short time. “This year has seen the majority of our population working from home due to lockdown restrictions, going back to the office, taking on a more hybrid approach to where they work, and now working from home again. With this situation constantly evolving, SMEs need to ensure they aren’t fighting a losing battle when it comes to adequately securing their employees and business as a whole.
“There is a real possibility that business owners won’t have realised that the onus of securing their employees’ home networks falls on them, which is understandable bearing in mind everything else they have had to contend with this year. But we are calling for all organisations to look at what needs to be done to ensure their security and data integrity to cover all bases. Showing the governing bodies that you are taking steps in the right direction will go a long way in maintaining certification and will bolster your home workers’ networks, giving you peace of mind,” concludes Hughes.