Employees' home networks could lead to SMEs failing security assessments
With the pandemic forcing more people to work from home, businesses in the UK -- particularly smaller ones -- may not have considered the fact that their employees' home networks now fall under the scope of regulatory and certification requirements.
According to a report from support solutions company A&O IT Group, if an individual works from home for more than half of their time, their home network falls within the scope of the assessment and must itself meet the requirements.
The only exception is an always-on VPN through which all of the device's traffic passes, which is unlikely to be in place, especially at SMEs. Previously, UK organisations could undergo assessments for the Cyber Essentials and Cyber Essentials Plus certifications without worrying about anything other than the security of their office environments.
"Now that the majority of the workforce is back to working from home, businesses need to realise that it’s their responsibility to protect their employees' networks as, if they don't, they'll fail vital certifications," says Richard Hughes, head of technical cyber security at A&O IT Group. "Part of the issue here is that businesses haven't received clear guidance on what they need to have in place to achieve or maintain compliance with regulations such as Cyber Essentials for example."
Fortunately, accreditation bodies such as IASME have measures in place to allow remote assessments to be carried out. Without these, many companies would be unable to maintain compliance or to claim that their baseline security requirements are being met. Even so, many SMEs still have too much remediation to do in a short time.
The situation is complicated by the use of employees' own devices and by the increased use of cloud platforms. "Policy and training are often acceptable for a number of areas," says Hughes. "But in terms of having the devices patched with the latest software within 14 days, that would be where remote management might come in."
In the cloud, systems such as Office 365 that are managed by the provider aren't a problem, but if businesses are running their own operating systems and software stacks, on AWS for example, those systems are very much within the scope of the assessment.
"There is a real possibility that business owners won't have realised that the onus of ensuring their employees' home networks falls on them, which is understandable bearing in mind everything else they have had to contend with this year," adds Hughes. "But we are calling for all organisations to look at what needs to be done to ensure their security and data integrity to cover all bases. Showing the governing bodies that you are taking steps in the right direction will go a long way in maintaining certification and will bolster your home workers' networks, giving you peace of mind."
You can find out more about how SMEs can ensure they stay within the rules on the A&O site.