Intelligent SME.tech Issue 03 | Page 34

// EXPERT PROFILE //

SMEs risk failing cybersecurity assessments

IF THEY DON'T PROTECT HOME NETWORKS

With the COVID-19 pandemic forcing the majority of the workforce to do their job remotely, employees are no longer protected behind office infrastructure. SMEs are being hit hard and the last thing they need is to find out they are falling out of scope of cybersecurity requirements and increasing their cyber-risk. Richard Hughes, Head of Technical Cyber Security at A&O IT Group, discusses whether SMEs are fighting a losing battle when it comes to cybersecurity certification and adequately securing their employees and business as a whole.


Where does the onus lie when it comes to protecting employees' home networks?

While an organisation has no direct responsibility for the security of an employee's home network, it can easily find itself failing certifications such as Cyber Essentials if the network and home router do not meet certain required standards.
Additionally, with employees working from home, their network forms part of a wider attack surface for the organisation, so it is certainly in the interests of the organisation either to ensure the network is secured or to mitigate the risk by other means, such as an always-on corporate VPN keeping business data secured on the network.
What steps do SMEs need to take to ensure the security of their employees' networks in order to protect their businesses and maintain compliance with industry certifications like Cyber Essentials?
In truth, it would be almost impossible for an organisation to ensure that a home router is compliant. At the very least, the router must still be in support and receiving security patches for any discovered vulnerabilities, and default passwords must be changed for strong passwords. Then it gets even more complex, as any firewall rules should have a written business case, which would be impossible to enforce.
Realistically, you would need to take access away from the employees as, after all, you would not allow your employees to make changes to the corporate firewall configuration. Often with home routers, the ISP would also have full access to the configuration, which again is outside of the control of the organisation.
One viable but fairly costly option is to provide employees with a corporate router/firewall which is centrally managed and then create a separate extension to the corporate network within the employees' home.
Another option would be to mitigate the risk by utilising an always-on VPN that routes all traffic through the corporate network, but this would also require some central infrastructure, as it must be a corporate VPN and not a commercial VPN which, if not trusted, could be worse than no VPN at all.