Cyber security

Enterprise Security Begins At Home

In the first of a four-part series, Dr Robert Rowlingson takes us through home security.

Since writing a book on home computer security I’ve become increasingly aware of how poor security on home computers is having an effect on enterprise security. But the converse is also true; good home security can have a beneficial influence on the enterprise.

There are several ways in which deficiencies in home computer security can impact businesses. Firstly, malware on home computers is being used by criminals and hacktivists to commit fraud and to disrupt legitimate business use of the internet, through botnets for example. Secondly, more and more staff are telecommuting, or working from home, which may involve transferring documents to the home PC, or using a business laptop in an insecure environment.

Last, but not least, the trend for employers to allow staff to use their own personal smart phones and tablets for work (known as Bring Your Own Device or BYOD) means not only that potentially sensitive information resides on the same device as entertainment and social media apps, but also that personal devices are brought inside the security perimeter, possibly carrying malware.

Further evidence for a business need for home computer security comes from the increasingly professional cyber-crime threat. Attackers may find their biggest and most attractive targets in large commercial and governmental networks, but what I call ‘hacklets’ – seemingly minor attacks on unimportant targets such as home users – can be another way in to the intended target. Information thus gathered can be used to construct convincing spear phishing email attacks on business targets.

OK, I have written a book on home computer security so I may be biased, but I think companies can get better employee engagement on security by making it relevant to their personal needs at home.

It is widely recognised that it is difficult to raise the cyber security awareness of employees. One reason may be that there is little incentive for employees to worry about security, at least not as much as there is for senior managers. However, if companies provided security training which included help with home computer security, privacy, and e-safety, the employee would learn something useful to them outside the workplace, and also start to understand the principles of security better. The security mind-set and behaviours developed in the home setting would then also be practised at work. That’s what we have been doing in BT, with ‘knowledge calls’, or briefings, on both home and corporate cyber security.

It’s not just technical. Information security is grounded on some simple, basic principles or tenets that are not rocket science, and need to be reinforced with home users. In my book I talk about ‘digital common sense’ and helping people take away a ‘philosophy of security’. I’d like to think this sort of raised awareness could help Joe Public, and business, alike. If corporate security awareness training includes home computer security advice, staff can see some personal benefit in it, and thus take notice. There could be a win-win for business and home users in this way.

Future blogs in this series will look at some of the issues around home computer security and how the experience of security professionals can help it improve.

Next week will see Dr Robert return with the second in the series. Stay tuned.

Dr Robert Rowlingson is a principal R&D consultant in cyber security in BT Research and Innovation, and the author of the BCS book The Essential Guide to Home Computer Security.

Read his blog at www.homeinfosec.blogspot.com.
