As staff are increasingly encouraged to work from home to counteract health concerns surrounding the coronavirus, Grant Thornton has recommended accountants ensure their home networks are as secure as possible.
Grant Thornton technology advisory partner Matthew Green told Accountants Daily that there are many risks associated with working from home that could give cyber attackers access to a firm’s private information.
“If I’m the IT guy or the person who is in charge of looking after the [corporate] network, I know what I’m looking after and I’ve got a view of what I’m managing from a security perspective,” Mr Green said.
“Whereas once I give everyone permission to work from home and actually encourage them to do so, my attack surface [for hackers] has just increased potentially exponentially outside the traditional office network environment.
“You’re reliant on your home Wi-Fi to provide your connection to the internet so you can get your email and log onto your cloud applications and do the work that you are normally doing.
“But what we have there is a real mixed bag in terms of how these home networks are set up and configured, how much knowledge the users have of their home network and how to have a secure home network.”
The human element
According to Mr Green, the use of work laptops and devices at home can generally be safe since IT staff can set up a virtual private network (VPN) to mitigate risks by creating a “secure tunnel” for work-related data.
However, he believes staff — especially staff who do work on home computers and personal devices — should still be consistently trained on good cyber security.
Mr Green said that, although many might see cyber security training at work as a chore, it can provide the awareness and skills to increase home security and make it safer to work from home.
“As users, we really should want to do [security training] because heaps of us want to use our home computers for really sensitive stuff,” Mr Green said.
“That work-based training can apply directly to home; it’s things like having good passwords, having antivirus and anti-malware software installed, it’s patching devices and upgrading the software when it becomes available, and knowing how to spot a dodgy email.
“[These are] some pretty basic things that could actually make quite the difference.”
He believes that any organisation that is not training staff on cyber security is “running a huge risk”, and that good cyber health for a firm does not exclusively come from the technology.
“The defensive mechanisms from a security perspective are often seen as just technology, but the reality is that people are as much a defensive mechanism as the technology,” he said.
“If we look at recent data breach statistics, employee behaviour is a key contributor to data breaches.
“The human element is a really strong factor in causing breaches or, flipping it around, if we’re training them and they’re aware, defending against a data breach or a hack.”
Regular training sessions on how to spot dodgy emails and generate strong passwords, coupled with cyber health checks, are the best ways for organisations to keep information safe, Mr Green added.
“[Accountants] need to know what risks they’re exposed to and how well they are or aren’t prepared from a technical perspective,” he said.
“[Training sessions] don’t have to be long and arduous, they can be short and bite-sized these days… and really suited to the modern-day attention span.
“It’s got to be part of a program for every organisation. It’s just part of doing business now.”