Thinking Like an Auditor

  • Assess Your Cyber Risk at Home

    May 14, 2020 | By Toby DeRoche, MBA, CIA, CCSA, CRMA, CICA, CFE

    To all the auditors now working from home, welcome to the club! I have worked from home for the past 10 years, so from that perspective the COVID-19 pandemic has not had much of an impact on me. Of course, it has turned the rest of my life upside down just like everyone else. As someone who has worked remotely for a long time, I want to stress the importance of home network security for everyone just starting out. Maybe it’s because both my wife and I are paranoid auditors, or maybe it’s because I’ve had my identity stolen no less than 4 times in the past 15 years.

    My personal digital environment is large. In my home, at this moment, there are 2 desktop computers, 4 laptops, 4 iPhones, 4 iPads, 3 Apple TVs, 2 Amazon Fires, 2 PS3s, 2 smart TVs, a telephone, a wireless printer, and a thermostat connected to my home network. Of those 25 devices connected to my network, one laptop and one iPhone are for my job. The iPhone is used only for work email (and sometimes as an actual phone), with multifactor authentication. Same with my work laptop. Most days it feels like jumping through flaming hoops to get to anything on my laptop, but I would rather live with those extra steps than be the cause of a data breach for my organization, Wolters Kluwer.

    Now it’s your turn. Take a critical look around your new home-based work environment and run through an assessment of your own contribution to your organization’s cyber risk. Here are some critical questions to ask yourself:

    • When was the last time I changed my Wi-Fi password?
    • Do I know how to see which devices are connected to my network?
    • Am I using equipment provided by my job, or do I use my own laptop, phone, or other devices?
      • If it is my equipment, is the security patching up to date?
      • Do I have a VPN with multifactor authentication to get to my organization’s data?
    • If I am using a company laptop, do I also use it for non-work activities?
      • Do you check your personal email? If you open a suspicious email, you could infect your company network through a phishing attack.
      • Do you keep personal information on your work laptop or phone? Depending on company policies, you could be subject to a remote wipe of all data.
    • Do I need to print work information?
      • If so, do you also have a shredder?
    • Do I have a private place to work, especially if I deal with sensitive or confidential information?
      • Is your work subject to privacy laws like HIPAA, GDPR, or other regulations? You may need to revisit the rules around remote work to ensure you are in compliance.
    • Do I use unapproved sites or services for work purposes that have not been vetted by my IT Security team? These could include:
      • File sharing sites like Dropbox
      • Web conferencing sites like Zoom
      • Collaboration sites like Slack

    Hackers and cyber criminals are always looking for new and inventive ways to break into an organization’s network. With all the craziness in the world today, they are stepping up their efforts and exploiting potential weaknesses with remote workers. If you have any concerns or doubts, work with your IT Security team to review your home network and how your work equipment and remote access fit into their security plan.
