ASIO’s Security Guide for Working From Home

Another week and the COVID-19 cases in Australia keep rising, forcing hundreds of businesses to adopt a working from home model. While adopting a working from home model can be incredibly helpful to reduce typical overhead fees, it can also greatly increase security risks to your business.

In response to the growing home office solution that businesses have been embracing, ASIO have recently published ‘Security Manager’s Guide: Working from Home’ to assist business owners and managers in creating a secure environment for staff working at home. ASIO’s document identifies many common home office security risks and provides suggestions on how to mitigate these risks.

So what are the common security risks of working from home?

We’ve broken the common risks down into categories with the guidance of ASIO’s security guide.

Policies and Procedures

When asking staff to work from home, it is reasonable to assume that common policies and procedures will be forgotten. The shift in environments may distract staff from carrying existing policies over into their home offices.

In these cases, where the staff implement their own security measures based on individual risk tolerance, sensitive information such as financial details, customer contact details and supplier lists can easily be accessed by unauthorised persons. Security compromises could be as simple as leaving sensitive information on the table when friends or family come to visit.

To mitigate these types of risks at home, businesses are recommended to ensure that their policies and procedures are implemented during working-from-home periods.

ASIO state that an organisation’s policy and procedures should include clear guidance on the following:

  • What is allowed: printing, cameras, microphones, use of social media, bring your own device, connecting to WiFi networks and accessing websites?
  • What is not allowed; for example, financial transactions, processing of sensitive or personal data, or some information technology (IT) roles?
  • What is required for the transport and destruction of sensitive material and assets, including mobile devices and removable media?
  • Whether maximum storage periods apply for certain information or assets in a residential setting?

The recently published document also encourages organisations to consider:

  • A formal employee briefing and agreement that the employee understands and will comply with all procedures and security requirements.
  • The organisation’s security, workplace health and safety, and human resources policies and procedures that apply when working from home should be followed.
  • Any financial expenses, taxation and insurance obligations incurred, either by the organisation and/or the staff member.
  • A regime for ongoing, regular compliance audits.
  • A process for employees to return information and assets to secure facilities, once the need for extended working from home arrangements has passed.

Security Awareness

The drastic change in environments for staff may result in reduced security awareness. The idea is that a reduction in contact time between security and staff will lead to varied levels of security awareness. Some staff may value security highly, while for others their homes create a false sense of security, which can lead to enormous security issues.

As a result of varied security awareness, ASIO has recommended that organisations ensure that their workforce have been given appropriate security awareness training.

Some training tips provided by ASIO include:

  • Identifying continued security threats and risks.
  • Maintaining the need-to-know principle.
  • Being vigilant and reporting any suspicious activity or incidents.
  • Continuously seeking to identify and suggest improvements to security.

Mobile Device Security

Mobile devices that store and allow access to sensitive business information are found everywhere. Unfortunately these devices are mobile and therefore can easily be misplaced, lost or stolen. A combination of reduced security awareness, unimplemented policies/procedures and access to mobile devices can lead to disastrous outcomes for organisations.

The theft or loss of a mobile device such as a laptop with sensitive information could result in further security breaches, lawsuits or financial loss to your organisation.

In response to the importance of mobile device security, ASIO has outlined several mitigations that an organisation can implement to reduce security risks associated with mobile devices.

  • Ensure that the organisation’s systems and applications, including virtual private networks, firewalls and remote desktop clients, are up to date with the most recent security patches installed.
  • Implement multi-factor authentication for remote access systems and resources (including cloud services).
  • Virtual Private Networks (VPNs) allow remote users to securely access an organisation’s IT resources, such as email and file services. VPNs create an encrypted network connection that authenticates the user and/or device, and encrypts data in transit between the user and the organisation’s data. If your organisation is already using a VPN, make sure it is fully patched. Additional licenses, capacity or bandwidth may be required to support increased working from home arrangements.
  • Ensure that staff are informed and educated in cyber security practices, such as detecting socially engineered messages and not clicking on suspicious links or files.
  • Devices used for working outside an office environment are more vulnerable to theft and loss. Whether they are using their own device or the organisation’s, ensure staff understand the risks of leaving them unattended, especially in public places. When the device is not being used, encourage staff to keep it somewhere safe. Make sure devices encrypt data whilst at rest, which will protect data on the device if it is lost or stolen. Most modern devices have encryption built in, but encryption may still need to be turned on and configured.
  • Ensure staff understand the importance of keeping software (and devices) up to date, with regular reminders.
  • The majority of devices include tools that can be used to remotely lock access to the device, erase stored data, or retrieve back-up data. Organisations should use mobile device management software to set up devices with a standard protection configuration.
  • Make sure staff know how to report any mobile device problems. This is especially important in a security context, where this may indicate compromise to a device.

Personal Security

When hiring a new team member, most businesses have a formal induction and training procedure to ensure that the staff member has been taught all of the correct safety protocols. This covers everything from fire escape plans to OH&S in the workplace. When sending staff home to work, businesses are still required to ensure that staff have access to a safe and secure working environment.

With regard to personal security at home, ASIO have outlined the following:

  • Using ongoing, varied and regular security awareness updates, reminding staff of the continued security threat.
  • Conducting virtual personnel security briefings for new staff, separating staff and those undertaking new roles.
  • Conducting virtual interviews for employment screening, ongoing human-resource (HR) matters or security investigations.
  • Encouraging line managers to regularly contact staff through team and one-on-one contact methods. This assists business objectives and improves staff wellbeing.
  • Line managers should be aware of changes in personal circumstances that put additional stress on their employees, such as financial concerns and ill-health. Concerns should be reported and managed in collaboration with the line manager, security and the organisation’s HR area.
  • The organisation should ensure that the workforce has remote access to work health and safety and employee counselling services, if required, during periods of high anxiety.
  • Frequent reminders to the workforce of the importance of reporting security concerns, even when working remotely, and how to do so.
  • Assisting staff to manage their digital footprint, such as managing privacy settings on social media, protecting personal information and limiting discussion of working-from-home arrangements and locations, especially on social media.
  • Long-term working from home can erode an organisation’s shared security culture. Organisations should monitor security culture as much as they can, and provide ongoing education and awareness to staff on their security responsibilities.

Physical Security

Physical security is a critical factor for maintaining sensitive information and keeping business assets secure. Unfortunately, many homes have not been designed with security elements such as the Crime Prevention Through Environmental Design (CPTED) principles, which can lead to higher risks of security breaches and/or theft.

Criminals all around Australia are aware of the current COVID-19 outbreak and the security risks that they can use to their advantage. Implementing physical security measures at home offices can protect both the employees and the information/assets of the organisation.

ASIO has outlined two main factors for improving physical security for staff working from home.

  • The exterior—use adequate lighting and a well-designed landscape and garden to allow natural surveillance.
  • The perimeter—using barriers and security hardware to remove the opportunity of easy access, such as locks and alarm systems. Some systems can be used safely and effectively even when the residence is occupied.

Home Risk Assessment

The current COVID-19 situation in Australia has caused major shifts in working environments. Businesses that have adopted a working-from-home model are encouraged to conduct a risk assessment to identify and consider potential threats to the newly adopted structure of home offices.

If an organisation is conducting a risk assessment of their home offices, ASIO has also recommended that businesses consider the following:

  • Are occupants or personal property inside the residence a desirable or high-value target?
  • Have changes to the security environment exposed occupants to new security threats or increased risk?
  • Is there a credible threat to the organisation and/or the occupants?
  • Does the local area have a high or increasing crime rate?
  • Is the crime rate high compared with other local regions or cities?
  • Are there industrial, commercial or government facilities located in the local area which are prone to criminal activity?
  • Are there physical signs of antisocial behaviour in the local area, such as graffiti and vandalism?
  • Are there recurring complaints or concerns from local residents about security, or fear of crime?

Existing Offices/Workplaces

If your organisation has adapted to a working from home model, think about your existing workplaces and their current security measures. As the workplace environment changes, so should the security measures. If your organisation currently has any unoccupied workplaces, ASIO have noted that the following should be considered:

  • Ensuring an organisation’s guard force are aware of any changes to security policy regarding entry and exit, removal of sensitive material from the site and increasing vigilance to those breaching the rules either by accident or deliberately.
  • If fewer members of the workforce are present to observe and enforce good security behaviours, having a greater reliance upon technical measures to prevent deliberate or accidental security breaches.
  • Frequent reminders to staff on both the physical and technical security measures that should be adopted. These should include guidance on when and how to report security concerns.
  • Recognising signs of disgruntlement from within the workforce, specifically where staff are being put on temporary absence, receiving reduced pay or conversely from those required to continue working whilst covering for absent staff.
  • Auditing open-source information and increasing deterrence communications during periods of heightened vulnerability. Further information can be found in ASIO-T4 Security managers guide: Deterrence Communications.

Conclusion

The COVID-19 outbreak has caused mass disruptions in the way organisations conduct work. Businesses are rapidly adapting to the current situation and many are implementing working-from-home models to continue their work.

Any businesses that have adopted a home office solution should carefully consider their security measures and when possible contact a Security Consultant to reduce the risks associated with working from home.

For more information you may download ASIO’s working from home guide here.

Could Viruses Be The Future Terrorism?

There is a significant risk of pandemic terrorism.

There is nothing to stop extremists from deliberately infecting themselves with COVID-19 and spreading it through the community. This would have the potential for causing far more damage than a suicide bomber could achieve. Local extremists have this capability by self-infecting and attending all public gatherings that are still available (e.g. shopping centers, Centrelink offices, supermarkets (product and produce tampering, etc.)).

The Coronavirus outbreak has quickly swept throughout the globe, killing and infecting tens of thousands of people and causing mass disruptions to the western global economy. From stock market downfalls to major countries closing their borders, COVID-19 is currently the only thing that everyone is talking about.

If COVID-19 was an intentionally dispersed disease with the aim to cause harm to western society in the pursuit of political aims, it would be the largest modern terrorist attack recorded.

The global reaction to COVID-19 has all the ingredients that appeal to extremists wishing to cause harm to the innocent. We’ve seen cases in Australia where individuals and groups have carefully planned and carried out attacks against the public with the purpose of seeking media attention.

Many extremists and terrorists seek media attention from their attacks because news coverage gives exposure by striking fear into the masses.

If we take a look at the situation with COVID-19 with regard to the global impact and news coverage it has demanded, we could see the potential for future players wanting to utilise viruses to cause mass harm.

What would the implications be if an extremist who knew they carried the virus intentionally spread the disease as much as possible?

Viruses such as COVID-19 have the ability to cause global panic, economic stress, increased crime rates, closures, emotional pain, deaths and much more.

Could viruses be the future of terrorism? If so, developing strategies to prevent and manage an outbreak could be critical for governments, businesses and entities.

Today we are in uncharted waters. We need to put in place Business Continuity Plans that take into account previously inconceivable events and plan for drastic countermeasures that are harsh but enable survival.

Reasons Why You Should Work From Home

With the current Coronavirus disease (COVID-19) outbreak, many people may be pushed into the future by having to work from home. Over the next few weeks, the benefits of having staff work from home may come as a surprise to many business owners.

Now, from a staff member’s perspective, imagine being offered a new job that paid up to $10k more than your current salary, offered more time with your family, more flexibility and, most importantly, a job that helped the environment by cutting down on your emissions. Accepting the job would be a no-brainer, wouldn’t it?

Well, what if all of this was possible simply by working from home?

These days it isn’t uncommon to work from home. In fact, around one in three employed Australians regularly work from home according to The Australian Bureau of Statistics. While working from home may come with challenges, there are also many benefits for the staff, business owners and the environment.

If you’re working for yourself or are in a flexible position at work, there are countless benefits to working from home. Here are a few reasons why you should consider working from home.

Environmental Benefits: 

  • No private vehicle or public transport fuel / electricity consumption or emissions (Transport represents 18% of Australia’s greenhouse gas emissions).
  • No need for industrial air conditioning and heating (which account for a significant portion of energy usage).
  • No need for a concrete office block (Cement is the source of about 8% of the world’s carbon dioxide emissions).
  • No wasted energy on leaving lights on overnight.

Health advantages:

  • Improved control over managing the spread of viruses and germs (Fewer people confined to small public spaces such as public transport).
  • Private homes have fresh air, not circulated air conditioning.
  • Reduced stress. Feeling too overworked or stressed? Working from home allows you to take a break, meditate or go for a walk to reset the mind without being judged or being disruptive to your co-workers.
  • Easier to prepare healthy meals and follow a diet.

Cost advantages:

Cost savings can be made in the areas of:

  • Building maintenance contractors (fire systems, HVAC, etc.).
  • Car parking space and government levy.
  • Coffee machines / water coolers.
  • Commercial office cleaners.
  • IT network and associated staff.
  • Facility management.
  • Leasing agents.
  • Less waste (e.g. lunch at home instead of take away food, coffee in a non-disposable cup etc.).
  • Office space rental.
  • Reception staff and facilities.
  • Security staff and patrols.
  • Window cleaners.
  • Tax deductible home office expenses.

Time advantages:

  • No wasted time commuting.
  • No ad-hoc staff meetings.
  • No interruptions from passing staff.
  • Flexible work schedule.

With growing concerns about the environmental impact of running a business, many business owners are now looking to a working from home model to take advantage of the many benefits.