Achilles heels: research highlights gaps in remote working security

The civil service’s wholesale shift to remote working has been a real success for both employers and staff, according to new research. But the survey of nearly 1000 UK civil servants also identifies some blind spots in departments’ work to guard against acquisitive online crime
The pandemic-inspired rush to mass remote working has created fertile ground for a number of industries, and none more so than cybercrime. The scramble to get millions of workers set up for home working in the spring of 2020 created huge opportunities for cyber criminals and state-backed hackers looking to exploit vulnerabilities in networks, servers and endpoints.
In the last year, the FBI, Interpol and the UK’s National Cyber Security Centre (NCSC, part of GCHQ) all reported big spikes in the prevalence of cyber attacks. An analysis by Interpol in the first four months of 2020 revealed an “alarming rate of cyberattacks aimed at major corporations, governments, and critical infrastructure”. In the UK, almost a third of incidents reported to the NCSC in the year to August 2020 were Covid-related – more than 200 altogether.
At the request of the UK’s Government Security Group and the Government Digital Service, the NCSC issued best practice guidance for civil servants using their own computers for work. In efforts to protect the most highly classified information, the NCSC’s Advanced Mobile Solutions (AMS) was adopted to ensure safe connection between remote devices and secret networks – more than 500 devices by the autumn of 2020. AMS now underpins Rosa, the single, collaborative IT platform for sensitive information classified up to and at SECRET level right across government; according to Stephen Thomas, head of Rosa GOST Team in the Cabinet Office, it’s “transforming how HM Government works”.
“Through Rosa, several government departments and industry suppliers are now mobile working at above OFFICIAL – something we only expect to increase as the UK moves towards more distributed working,” he says.
Missed in the rush to remote
However, while much attention has been paid to combating state-backed and intelligence-related cyber attacks, public servants also face rising levels of online acquisitive crime. Tariq Hussain, sales director for UK government at Dell Technologies, gives credit to UK intelligence agencies for their “cutting edge” work to protect national security, but warns that not enough is being done by individual civil service organisations to guard against lower-level ransomware threat actors seeking pay-offs.
“Some of this is down to budget availability,” he says. “Security has historically always been a ‘nice to have’. Everybody knows it’s important, but when budgets are being laid out, security is almost always at the back end.
“What we saw in the public sector at the start of the pandemic was a rush to buy laptops and computers and the tools to allow people to work remotely. Intense competition for equipment saw many organisations buying whatever they could get their hands on, with some having to buy equipment that would not have been their first choice. Then there was a rush to expand the digital infrastructure to support the rollout of devices. And while security should obviously have been at the front of all those conversations, it wasn’t.”
Hussain’s concerns are borne out by the responses to the Civil Service Remote Working Survey 2021, conducted in February and March 2021 by GGF and Dell Technologies. This survey, of 906 civil servants working across all grades, departments and professions, reveals high confidence in the security of most software, hardware and infrastructure, as well as in compliance by colleagues – but also highlights opportunities for civil service organisations to tighten up security in some areas.
On the positive side, some 97% of respondents reported high or moderately high confidence in the security of the devices supplied by their employers for remote working. Just over three-quarters had high or moderately high confidence in the security of their VPN. And nine in ten had high or moderately high faith in the security of their video-conferencing platform. In general, only 3% believed that their organisation had not taken appropriate security steps to enable secure remote working by staff (and 4% didn’t know). And most civil servants (72%) said they were confident that they were given sufficient training and guidance to ensure secure remote working.
Gaps in the armour
However, answers to subsequent questions suggested that this confidence may be somewhat misplaced. Fewer than one in five respondents confirmed that their organisation had checked that their personal wifi network settings are appropriately secured with adequate levels of encryption, and just 34% agreed that their employer had checked that their home working arrangements are compliant with data protection rules such as GDPR, PCI-DSS and the Data Protection Act.
Hussain says this underlines the importance of investing in training so that employees are alert to suspicious messages and robust reporting policies and processes are implemented and followed.
This is echoed by Dan Patefield, head of programme, cyber and national security at TechUK, the trade association for tech companies, who calls on employers to prioritise communication about security risks. Helping staff to understand the basics such as what their SSID (Service Set Identifier – the name of your home wifi network) is and what devices are connected to it, and identifying when and why it is necessary to use multi-factor authentication and encryption, can all help to bolster pre-emptive defences, Patefield says.
“Over the last 12 months we’ve seen a lot of organisations having more conversations about models like zero trust, where it’s assumed that everything’s a threat, rather than just giving everybody access to everything they might want,” he tells GGF. “You’ve got to take people on the journey with you, have a mature conversation, so they understand why you’re taking certain steps.”
Hussain emphasises that it is the duty of department heads to take responsibility for the security of their systems and data. “On a positive note, I think security has moved from been seen as under the ownership of the IT department to being under the purview of the heads of departments and organisations. Technology is now fundamental to everything everybody does,” he says. “If you consider how our government interacts with its citizens, we’ve seen everything move online, from collecting your waste to getting your prescriptions. And because of that, the security element has to sit with every single senior member of staff.”