ASIO's Security Guide For Working From Home
Another week and the COVID-19 cases in Australia keep rising, forcing hundreds of businesses to adopt a working-from-home model. While adopting a working-from-home model can be incredibly helpful in reducing typical overhead costs, it can also greatly increase the security risks to your business.
In response to the home office solution that businesses have been embracing, ASIO have recently published a Security Manager's Guide: Working from Home to assist business owners and managers in creating a secure environment for staff working at home. ASIO's document identifies many common home office security risks and provides suggestions on how to mitigate them.
So what are the common security risks of working from home?
We've broken the common risks down into categories with the guidance of ASIO's security guide.
Policies and Procedures
When asking staff to work from home, it is reasonable to expect that common policies and procedures will be forgotten. The shift in environment may distract staff from applying the existing policies to their home offices.
In these cases, where staff implement their own security measures based on individual risk tolerance, sensitive information such as financial details, customer contact details and supplier lists can easily be accessed by unauthorised persons. A security compromise could be as simple as leaving sensitive information on the table when friends or family come to visit.
To mitigate these types of risks at home, businesses are recommended to ensure that their policies and procedures continue to be applied during working-from-home periods.
ASIO state that an organisation's policy and procedures should include clear guidance on the following:
- What is allowed; for example, printing, cameras, microphones, use of social media, bring your own device, connecting to WiFi networks and accessing websites.
- What is not allowed; for example, financial transactions, processing of sensitive or personal data, or some information technology (IT) roles.
- What is required for the transport and destruction of sensitive material and assets, including mobile devices and removable media.
- Whether maximum storage periods apply for certain information or assets in a residential setting.
The recently published document also encourages organisations to consider:
- A formal employee briefing and agreement that the employee understands and will comply with all procedures and security requirements.
- That the organisation's security, workplace health and safety, and human resources policies and procedures still apply when working from home and should be followed.
- Any financial expenses, taxation and insurance obligations incurred, by the organisation and/or the staff member.
- A regime for ongoing, regular compliance audits.
- A process for employees to return information and assets to secure facilities once the need for extended working-from-home arrangements has passed.
The drastic change in environment for staff may result in reduced security awareness. A reduction in contact time between the security function and staff will lead to varied levels of security awareness. Some staff may value security highly, while for others their home creates a false sense of security, which can lead to serious security issues.
As a result of this varied security awareness, ASIO has recommended that organisations ensure that their workforce has been given appropriate security awareness training.
Some training tips provided by ASIO include:
- Identifying continued security threats and risks.
- Maintaining the need to know principle.
- Being vigilant and reporting any suspicious activity or incidents.
- Continuously seeking to identify and suggest improvements to security.
Mobile Device Security
Mobile devices that store and allow access to sensitive business information are found everywhere. Unfortunately, these devices are mobile and therefore can easily be misplaced, lost or stolen. A combination of reduced security awareness, unimplemented policies and procedures, and access to mobile devices can lead to disastrous outcomes for organisations.
The theft or loss of a mobile device such as a laptop holding sensitive information could result in further security breaches, lawsuits or financial loss to your organisation.
Given the importance of mobile device security, ASIO has outlined several mitigations that an organisation can implement to reduce the security risks associated with mobile devices.
- Ensure that the organisation's systems and applications, including virtual private networks, firewalls and remote desktop clients, are up to date with the most recent security patches installed.
- Implement multi-factor authentication for remote access systems and resources (including cloud services).
- Virtual Private Networks (VPNs) allow remote users to securely access an organisation's IT resources, such as email and file services. VPNs create an encrypted network connection that authenticates the user and/or device, and encrypts data in transit between the user and the organisation's data. If your organisation is already using a VPN, make sure it is fully patched. Additional licenses, capacity or bandwidth may be required to support increased working from home arrangements.
- Ensure that staff are informed and educated in cyber security practices, such as detecting socially engineered messages and not clicking on suspicious links or files.
- Devices used for working outside an office environment are more vulnerable to theft and loss. Whether staff are using their own device or the organisation's, ensure they understand the risks of leaving it unattended, especially in public places. When the device is not being used, encourage staff to keep it somewhere safe. Make sure devices encrypt data at rest, which will protect the data on the device if it is lost or stolen. Most modern devices have encryption built in, but it may still need to be turned on and configured.
- Ensure staff understand the importance of keeping software (and devices) up to date, with regular reminders.
- The majority of devices include tools that can be used to remotely lock access to the device, erase stored data, or retrieve backed-up data. Organisations should use mobile device management software to set up devices with a standard protection configuration.
- Make sure staff know how to report any mobile device problems. This is especially important in a security context, where this may indicate compromise to a device.
When hiring a new team member, most businesses have a formal induction and training procedure to ensure that the staff member has been taught all of the correct safety protocols. This covers everything from fire escape plans to OH&S in the workplace. When sending staff home to work, businesses are still required to ensure that staff have access to a safe and secure working environment.
In regards to personnel security at home, ASIO have outlined the following:
- Using ongoing, varied and regular security awareness updates, reminding staff of the continued security threat.
- Conducting virtual personnel security briefings for new staff, separating (departing) staff and those undertaking new roles.
- Conducting virtual interviews for employment screening, ongoing human resource (HR) matters or security investigations.
- Encouraging line managers to regularly contact staff through team and one on one contact methods. This assists business objectives and improves staff wellbeing.
- Line managers should be aware of changes in personal circumstances that put additional stress on their employees, such as financial concerns and ill health. Concerns should be reported and managed in collaboration with the line manager, security and the organisation's HR area.
- The organisation should ensure that the workforce has remote access to work health and safety and employee counselling services, if required, during periods of high anxiety.
- Frequent reminders to the workforce of the importance of reporting security concerns, even when working remotely, and how to do so.
- Assisting staff to manage their digital footprint, such as managing privacy settings on social media, protecting personal information and limiting discussion of working-from-home arrangements and locations, especially on social media.
- Long term working from home can erode an organisation's shared security culture. Organisations should monitor security culture as much as they can, and provide ongoing education and awareness to staff on their security responsibilities.
Physical security is a critical factor in protecting sensitive information and keeping business assets secure. Unfortunately, many homes have not been designed with security elements such as the CPTED (Crime Prevention Through Environmental Design) principles in mind, which can lead to a higher risk of security breaches and/or theft.
Criminals all around Australia are aware of the current COVID-19 outbreak and the security weaknesses it creates that they can use to their advantage. Implementing physical security measures at home offices can protect both employees and the information and assets of the organisation.
ASIO has outlined two main factors in improving physical security for staff working from home:
- The exterior: use adequate lighting and a well-designed landscape and garden to allow natural surveillance.
- The perimeter: use barriers and security hardware, such as locks and alarm systems, to remove the opportunity for easy access. Some systems can be used safely and effectively even when the residence is occupied.
Home Risk Assessment
The current COVID-19 situation in Australia has caused major shifts in working environments. Businesses that have adopted a working-from-home model are encouraged to conduct a risk assessment to identify and consider potential threats to the newly adopted structure of home offices.
If an organisation is conducting a risk assessment of their home offices, ASIO has also recommended that businesses consider the following:
- Are occupants or personal property inside the residence a desirable or higher value target?
- Have changes to the security environment exposed occupants to new security threats or increased risk?
- Is there a credible threat to the organisation and/or the occupants?
- Does the local area have a high or increasing crime rate?
- Is the crime rate high compared with other local regions or cities?
- Are there industrial, commercial or government facilities located in the local area which are prone to criminal activity?
- Are there physical signs of antisocial behaviour in the local area, such as graffiti and vandalism?
- Are there recurring complaints or concerns from local residents about security, or fear of crime?
If your organisation has adapted to a working-from-home model, think about your existing workplaces and their current security measures. As the workplace environment changes, so should the security measures. If your organisation currently has any unoccupied workplaces, ASIO have noted that the following should be considered:
- Ensuring the organisation's guard force is aware of any changes to security policy regarding entry and exit and removal of sensitive material from the site, and increasing vigilance towards those breaching the rules, either by accident or deliberately.
- If fewer members of the workforce are present to observe and enforce good security behaviours, there will be a greater reliance upon technical measures to prevent deliberate or accidental security breaches.
- Frequent reminders to staff on both the physical and technical security measures that should be adopted. These should include guidance on when and how to report security concerns.
- Recognising signs of disgruntlement from within the workforce, specifically where staff are being put on temporary absence, receiving reduced pay or conversely from those required to continue working whilst covering for absent staff.
- Auditing open-source information and increasing deterrence communications during periods of heightened vulnerability. Further information can be found in ASIO's T4 Security Manager's Guide: Deterrence Communications.
The COVID-19 outbreak has caused mass disruption to the way organisations conduct work. Businesses are rapidly adapting to the current situation, and many are implementing working-from-home models to continue their work.
Any business that has adopted a home office solution should carefully consider its security measures and, where possible, engage a security consultant to reduce the risks associated with working from home.