Blog: Red Teaming
Housemates. The new Red Team?
You have the VPN set up, you have 2FA, you have a good enforced password policy, firewalls are in place, you even managed to squeeze in some remote training to make employees more aware of potential phishing. You stop, breathe a sigh of relief, and then think…
I’ve no idea who my employees live with
Those who can are working from home. It has become accepted that spouses, partners or housemates are now living AND working together. Should you, as a business owner, be worried about sensitive business data being inadvertently shared with the people your employees live with?
There is a whole new set of risks that you don’t face when your staff are working from the office. It’s likely, now more than ever, that there are unknown people who have really easy access to your employees’ home office setups.
Start by gathering basic information:
- Are they sharing a working space where there is potential for someone to see sensitive information on their screen?
- Do they have a secure area to print documents?
- Where are they storing physical files?
- Can someone see what’s on their screen while they work?
- Are they in earshot of someone when making phone calls?
What can I do to help them?
The answers help determine what support each employee needs to stay secure when working in a shared work environment or from home in a shared space. Here’s a simple example.
Q: Are they sharing a working space where there is potential for someone to see sensitive information on their screen?
A: Get them a privacy screen protector.
Printing is of course a big security risk as well. Is it a shared printer in the house? Could someone grab sensitive company information by picking up printed material while your employee walks away thinking “my document didn’t print, I will just try again”? Instantly you are dealing with a serious potential data leak. Another question to ask: is the printer connected over the Wi-Fi, or is it plugged into their device directly? Does it have up-to-date drivers?
Even if it’s printed in a secure way, there are still other variables to consider. Where are the sensitive documents stored? Are they left on a desk or in an unlocked drawer? The ideal solution here is of course a locked drawer in a secure locked room, where access is controlled. At a minimum, as an employer you should ensure that employees have a lockable drawer they can use if they are printing documents that may contain sensitive business or personal information.
Shred, burn, burn again?
There is another consideration to keep in mind when dealing with printing from home: how does the paper get disposed of? Are your employees potentially throwing it away with their normal rubbish? The question has to be considered carefully, with a full view of how paper is traditionally disposed of within your office space. Is it shredded, or disposed of by a company that specialises in disposal of office paper?
The answers to these questions should help you form a new policy for how paper should be handled and managed in a work from home situation.
One solution that is not immediately apparent is to encourage staff not to dispose of any work-related paper and to keep all printed documents in a secure location until they can be disposed of securely back at the office. Making sure each employee has a shredder is another option. A further option is to arrange for the company that traditionally collects paper from your office (for example, weekly) to instead visit remote workers’ homes on a rotational basis and collect paperwork that needs to be disposed of securely.
We DO have locks in this house!
If you live with a spouse, a roommate or young children, it’s important to lock your device when you step away for whatever reason. Even a cat might be able to jump on a keyboard and unintentionally send an email. No need to tempt your roommates, family members or children by leaving something unlocked.
Devices, including PCs, phones or personal devices where work systems are being used or accessed, also need to be locked or shut down whenever your employee walks away from the device or leaves the room or house. It’s a habit we follow automatically in the office, but some training may be required now that everyone is working from the comfort of their own homes.
Another important element to check with employees is the local Wi-Fi network. Is it secure? Who else is using it? How secure and complex is the password being used? Is the default password still in use?
Phone calls and video calls also need to be considered carefully. If they are likely to contain sensitive company or client information, these calls should be made out of sight and earshot of anyone that employees are living with. Asking a housemate in advance for the room or a bit of space should be enough to do everything possible to isolate yourself while dealing with sensitive information over the phone or a video call.
If privacy cannot be managed, then reverting to an email conversation or a written chat may be necessary to ensure privacy is adhered to.
Please, everybody, just because you are working from home and you feel you can ‘trust’ the people you live with, doesn’t mean you should.
A note for employers
If you’re up for it, why not have your employees’ housemates sign NDAs, just to cover all angles?
No, we aren’t serious.