In the first of a four-part series, Dr Robert Rowlingson takes us through home security.
Since writing a book on home computer security I’ve become increasingly aware of how poor security on home computers is having an effect on enterprise security. But the converse is also true; good home security can have a beneficial influence on the enterprise.
There are several ways in which deficiencies in home computer security can impact businesses. Firstly, malware on home computers is being used by criminals and hacktivists to commit fraud and to disrupt legitimate business use of the internet, through botnets for example. Secondly, more and more staff are telecommuting, or working from home, which may involve transferring documents to the home PC, or using a business laptop in an insecure environment.
Last, but not least, the trend for employers to allow staff to use their own personal smart phones and tablets for work (known as Bring Your Own Device or BYOD) means not only that potentially sensitive information resides on the same device as entertainment and social media apps, but also that personal devices are brought inside the security perimeter, possibly carrying malware.
Further evidence for a business need for home computer security comes from the increasingly professional cyber-crime threat. Attackers may find their biggest and most attractive targets in large commercial and governmental networks, but what I call ‘hacklets’ – seemingly minor attacks on unimportant targets such as home users – can be another way in to the intended target. Information thus gathered can be used to construct convincing spear phishing email attacks on business targets.
OK, I have written a book on home computer security so I may be biased, but I think companies can get better employee engagement on security by making it relevant to their personal needs at home.
It is widely recognised that it is difficult to raise the cyber security awareness of employees. One reason may be that there is little incentive for employees to worry about security, at least not as much as there is for senior managers. However, if companies provided security training which included help with home computer security, privacy, and e-safety, the employee would learn something useful to them outside the workplace, and also start to understand the principles of security better. The security mind-set and behaviours developed in the home setting would then also be practiced at work. That’s what we have been doing in BT, with ‘knowledge calls’, or briefings, on both home and corporate cyber security.
It’s not just technical. Information security is grounded on some simple, basic principles or tenets that are not rocket science, and need to be reinforced with home users. In my book I talk about ‘digital common sense’ and helping people take away a ‘philosophy of security’. I’d like to think this sort of raised awareness could help Joe Public, and business, alike. If corporate security awareness training includes home computer security advice, staff can see some personal benefit in it, and thus take notice. There could be a win-win for business and home users in this way.
Future blogs in this series will look at some of the issues around home computer security and how the experience of security professionals can help it improve.
Next week will see Dr Robert return with the second in the series. Stay tuned.
Dr Robert Rowlingson is a principal R&D consultant in cyber security in BT Research and Innovation, and the author of the BCS book The Essential Guide to Home Computer Security.
Read his blog at www.homeinfosec.blogspot.com.