SMEs are at risk of failing security assessments by not protecting the home networks of their employees. That claim comes from cybersecurity and IT managed services provider A&O IT Group. The company points out that when an employee works from home more than 50% of the time, their network must be compliant with current regulations.
There is an exception to this, where the employee uses a corporate VPN through which all traffic passes. While organisations have scrambled to issue VPNs to their staff, the use of shared technology in the home means that relying on a VPN alone can be a risk in itself.
Richard Hughes, Head of Technical Cyber Security at A&O IT Group, said: “Now that the majority of the workforce is back to working from home, businesses need to realise that it’s their responsibility to protect their employees’ networks as, if they don’t, they’ll fail vital certifications.
“Part of the issue here is that businesses haven’t received clear guidance on what they need to have in place to achieve or maintain compliance with regulations such as Cyber Essentials for example.”
What security assessments are at risk?
According to A&O, this is about Cyber Essentials and the stricter Cyber Essentials Plus certifications. The requirements for both of these are laid out by the National Cyber Security Centre (NCSC). The difference between the two is that Cyber Essentials is a self-assessment approach, while Cyber Essentials Plus requires hands-on technical verification. Both are aimed at the SME community and were developed to improve the cybersecurity of smaller businesses.
Cyber Essentials details the scope of all equipment and software covered by the certification. Importantly, it also covers equipment that falls under Bring Your Own Device (BYOD). It sets out the processes and controls that an organisation uses to secure its IT infrastructure. Cyber Essentials Plus goes further by defining a set of tests to be carried out by the assessor organisation.
The problem that A&O is highlighting is that the basic scope of Cyber Essentials assumes an office-based environment. For most organisations, regardless of size, lockdown has changed what that environment is. The question for SMEs, in fact for any organisation, is how to expand that verification scope to the now borderless environments organisations operate in.
Take BYOD as an example. Many organisations created rules to allow some degree of security assessment or scanning of devices brought into the office. Employees working at home are using equipment not covered under those previous BYOD controls. That equipment is also, for many, shared with other members of the family. Practices such as caching passwords, storing data locally and patching create a significant problem in terms of certification.
Is it just SMEs that are affected?
Absolutely not. While A&O is calling out SMEs, these same issues extend to all organisations that have seen a sudden explosion of remote workers. When asked why it was singling out SMEs, A&O responded:
“SMEs are more likely to have a smaller, if any, IT department with no full-time staff responsible for IT security. In that case, it’s likely SMEs may be solely relying on cloud-based services and have little to no infrastructure of their own, for example, no corporate VPN for employees to connect to, causing the home network to be out of scope. They are also likely to have less comprehensive cyber security programs and in many cases do not have regular assessments scheduled, therefore when the time comes for reassessment for the Cyber Essentials certification that might be the only time they evaluate their security throughout the entire year.
“SMEs are also likely to have far less spending power and try to utilise older equipment for as long as they can. Additionally, many SME employees are working on home devices rather than their corporate desktops, which is also a real challenge when it comes to maintaining their cyber hygiene.
“On the other hand, larger enterprises do not often have that problem. Instead they commonly have quarterly assessments of their infrastructure such as regular internal vulnerability assessments and, fundamentally for them, certification is more of a formality because what they’ve done throughout the year will be more of an assessment than what Cyber Essentials requires.”
Is that fair?
Yes and no. The acceleration to cloud-based services from all organisations has been marked during 2020. Increasing numbers of businesses are moving all their technology to the cloud, not just SMEs. Many corporates struggled to fund enough VPN licences for their staff and to ensure they had enough hardware and bandwidth to support them. It has been one of the drivers towards greater use of cloud services this year.
In terms of equipment, most offices are still full of computers. While a few sensible organisations sent computers, screens, printers and other devices to employees’ homes, most didn’t. Some purchased new laptops; most didn’t. It means that there is no evidence at all that larger enterprises do not have significant numbers of staff working on home devices.
Internet access is another challenge for all organisations. Despite HMRC allowing employers to claim back business-level broadband for their home users, few companies have acted upon it. How many have tested and secured the home routers used by their staff? Most ISPs won’t allow that level of secure access, and there has been no boom in enterprise-grade router sales to indicate companies are buying and shipping routers to staff.
Regular security assessments are easier in an office and when you have staff. But talk to staff at SOCs and you will hear that security teams are spending as much time helping support desks as they are doing security work at the moment. With home devices, forcing users to patch, or even knowing what patch level their operating systems and applications are at, is impossible without a user agent. Legally, no organisation can enforce that on a device it does not own. It is one of the problems BYOD still causes organisations with their security assessments.
Enterprise Times: What does this mean?
A&O is right when it talks about the risks for SMEs to their Cyber Essentials and Cyber Essentials Plus certifications. However, to say this is mainly an SME problem is disingenuous. It makes the dangerous assumption that larger organisations don’t have people using home equipment that is not properly patched and secured. It also ignores one of the biggest problems of corporate IT security, Privileged Access Management.
One of the Cyber Essentials controls is to ensure people don’t retain access to data once they change role. Most enterprises admit that users often retain access to data long after a change of role. It’s a difficult thing to police when you have thousands of users and IT has no visibility into what access a specific role requires. It also has no visibility of role changes.
All the issues that A&O has highlighted need to be addressed by every business. Security certifications are a problem for everyone, not just SMEs. However, any help that SMEs can get to make it easier to secure remote workers is important. What would help is a set of guidance from A&O rather than just telling SMEs they have a problem.
As Hughes said: “There is a real possibility that business owners won’t have realised that the onus of ensuring their employees’ home networks falls on them, which is understandable bearing in mind everything else they have had to contend with this year. But we are calling for all organisations to look at what needs to be done to ensure their security and data integrity to cover all bases. Showing the governing bodies that you are taking steps in the right direction will go a long way in maintaining certification and will bolster your home workers’ networks, giving you peace of mind.”