Home-Working: How ISO 27001 can reduce the information security risk

The new reality

Working from home has become the new reality for millions of employees across the globe. But at what risk to your organisation?

Chances are, some if not all employees in your organisation are currently working from home. This new reality is unlikely to go away any time soon. Home-working can look and feel attractive to employees and organisations alike. It helps organisations lure and retain top talent from anywhere in the world. It can save money whilst giving back precious commuting time to employees. And, as we’ve discovered during the COVID-19 pandemic, it can allow you to maintain business continuity when you just cannot get to the office.

But, if not done right, working from home introduces significant additional risks to your business systems and critical information, with potentially disastrous consequences. A recent report in the US found that since the start of the pandemic, remote workers have caused a security breach in 20% of organisations. The global 2020 Cost of a Data Breach Report found that when the majority of your workforce are working from home, the average cost of each data breach increases by $137,000.

Increased information security risks to your organisation

Examples of just some of the information security risks introduced by your increasingly remote workforce are:

  • Employees accessing and sharing your critical information over poorly secured Wi-Fi or VPN connections;
  • Employees using personal devices that may not have up-to-date software or anti-virus protection, opening the door to malware and malicious attacks;
  • Reduced physical security, increasing the chances of devices or printed information being stolen;
  • Visitors to the home accidentally seeing sensitive information;
  • Increased difficulty for organisations to monitor all of the above and more.

How ISO 27001 certification can help

Of course, there are many precautions that organisations can take. In our experience, implementing a systemic approach to information security within your business, such as an ISO 27001 Information Security Management System (ISMS), can reduce the chance of potential threats and vulnerabilities going unnoticed. It can also ensure measured and proportionate responses to all risks.

An ISO 27001 ISMS can help you manage risks associated with home-working by:

  • Identifying your key business needs, along with applicable legal and regulatory requirements. This helps you to understand and justify your home-working risks. You can then prioritise risks for treatment.
  • Defining the rules, roles and responsibilities for secure remote working and mobile device use. This helps you to design and communicate your strategy for safe home-working to all employees and designate accountability.
  • Identifying and classifying your critical information, then implementing security controls based on this classification. This helps you to focus your largest efforts on your most critical or at-risk information.
  • Implementing technical measures such as secure log-on procedures, encryption and information back-ups. This helps to protect your information from unwanted access, theft or accidental loss.
  • Using a training program to increase your employees’ awareness of information security risks and the acceptable use of business systems and devices when working from home.

Summary

Working from home can bring significant benefits to an organisation and its employees. But in order to reap the benefits, organisations need to take the very real information security risks seriously. Implementing an ISO 27001 Information Security Management System will help you to identify your main risks and prioritise corrective action. It will empower your employees with the knowledge and responsibility to be the guardians of your information security when working from home.

If your business is ready to make the step towards ISO 27001, then get in touch here.

Amy Bradburn | Director of Customer Service | Hicomply

February 2021