Here is part 3 of the Cyber Essentials (CE) blog series: Top 7 things you need to know before you start your assessment.
In this article we discuss who counts as a home worker from a Cyber Essentials perspective.
Let's start with what, or who, a home worker is from a Cyber Essentials perspective.
Generally speaking, this is a member of staff, contractor or volunteer who works for you and spends over 50% of their time working from their home address (in other words, out of the office).
Note, however, that sales or other staff who work away from the office but not from home, for example at clients' offices or in meetings at cafes, are excluded.
The next element you need to clarify is whether home workers are set up with a VPN (generally a secure connection to the HQ or another office in your CE scope) and, importantly, whether it is configured to be always on. "Always on" means the worker cannot switch it off and all of their traffic goes through the tunnel; a split-tunnel VPN that only carries office traffic does not give the home router the same protection, because the rest of the traffic still passes through it directly.
If the answer is yes, no further controls are required for the home network, because all of the worker's traffic passes through the office boundary firewall that is already in scope, so you can effectively ignore the home router in this use case. I would still advise stating this clearly in your answers.
Also remember that the home worker's computer is always in scope (regardless of whether it is personal or company supplied), so you will need to ensure all the appropriate controls are in place on it.
If the answer is no, you will need to add their home router's firewall to your CE scope.
VPN and ISP managed Router
Let's look at instances where you have one or more home workers who access the internet without a VPN (this is generally the case). In this scenario you will need to ask each home worker whether they have their own router or are using the router supplied by their ISP (e.g. Sky, BT, TalkTalk etc.).
If it is an ISP-managed router, the only requirements are to change its administrator interface password, ensure it is configured in NAT mode (in almost every instance this will be the case, but you still need to check) and confirm that no inbound ports have been opened or forwarded on the router, including any remote-management port exposed on the WAN side.
If the home worker has replaced the router, they then become responsible for ensuring that:
- it is still under vendor support,
- the administrator password has been changed, and
- importantly, it is running the latest firmware. It is difficult to tell whether a given router update includes security fixes, so we always advise our clients to play it safe and run the latest version. Most home routers fall out of support within two to three years, so we advise you purchase a business-grade router (DrayTek routers are our favourite).
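As an added worked example (not part of the original post and not an official Cyber Essentials tool), the following Python script encodes the home-worker decision flow described above as a survey evaluator: for each person it decides whether they are a home worker, whether their home router's firewall is in scope, and which router controls fail, including the 14-day window for applying firmware updates. The field names, the finding codes and the sample survey records are all constructed for illustration. It also applies the NAT and open-port checks to user-owned routers, which goes slightly beyond the ISP-router paragraph but is the safe reading of the requirement.

```python
# Added example: a home-worker firewall survey evaluator encoding the CE
# rules described in the post. Not an official Cyber Essentials tool; the
# survey fields, finding codes and sample records are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# CE requires security updates to be applied within 14 days of release.
FIRMWARE_PATCH_WINDOW = timedelta(days=14)


@dataclass
class HomeWorkerSurvey:
    name: str
    percent_time_at_home: int          # over 50% at home makes them a home worker
    vpn_always_on: bool                # always-on VPN back to an in-scope office
    isp_managed_router: bool           # ISP-supplied router vs one the worker bought
    admin_password_changed: bool
    nat_enabled: bool
    inbound_ports_open: List[int] = field(default_factory=list)
    # The three fields below only matter for a user-replaced router.
    supported_until: Optional[date] = None           # vendor support end date
    latest_firmware_released: Optional[date] = None  # newest vendor firmware
    installed_firmware_released: Optional[date] = None  # firmware actually running


@dataclass
class Assessment:
    is_home_worker: bool
    home_firewall_in_scope: bool
    findings: List[str]   # failed controls, as short codes (empty means all passed)


def assess(s: HomeWorkerSurvey, today: date) -> Assessment:
    if s.percent_time_at_home <= 50:
        # Field-based staff (client sites, cafes) are not home workers.
        return Assessment(False, False, [])
    if s.vpn_always_on:
        # All traffic is tunnelled to the in-scope office firewall, so the
        # home router is not part of the scope (still declare this in the SAQ).
        return Assessment(True, False, [])

    findings: List[str] = []
    # Controls applied to every in-scope home router.
    if not s.admin_password_changed:
        findings.append("admin-password-default")
    if not s.nat_enabled:
        findings.append("nat-disabled")
    for port in s.inbound_ports_open:
        findings.append(f"inbound-port-open:{port}")

    if not s.isp_managed_router:
        # The worker owns the router, so support and firmware are their problem.
        if s.supported_until is None or s.supported_until < today:
            findings.append("router-out-of-support")
        if (s.latest_firmware_released is not None
                and s.installed_firmware_released is not None
                and s.installed_firmware_released < s.latest_firmware_released
                and today - s.latest_firmware_released > FIRMWARE_PATCH_WINDOW):
            # Newer firmware exists and the 14-day window to apply it has passed.
            findings.append("firmware-overdue")
    return Assessment(True, True, findings)


# Constructed sample survey returns and a fixed assessment date.
TODAY = date(2024, 6, 1)
SAMPLE_SURVEYS = [
    HomeWorkerSurvey("field sales", 20, False, True, False, True),
    HomeWorkerSurvey("vpn user", 90, True, True, False, True),
    HomeWorkerSurvey("isp router", 80, False, True, False, True, [3389]),
    HomeWorkerSurvey("own router", 100, False, False, True, True, [],
                     date(2023, 12, 31), date(2024, 4, 1), date(2024, 3, 1)),
    HomeWorkerSurvey("own router in window", 75, False, False, True, True, [],
                     date(2025, 1, 1), date(2024, 5, 25), date(2024, 3, 1)),
]


def run_survey(surveys=SAMPLE_SURVEYS, today=TODAY):
    """Assess every survey return; keyed by worker name."""
    return {s.name: assess(s, today) for s in surveys}


if __name__ == "__main__":
    for name, a in run_survey().items():
        print(f"{name}: home worker={a.is_home_worker}, "
              f"firewall in scope={a.home_firewall_in_scope}, findings={a.findings}")
```

The finding codes map directly onto the SAQ questions you will have to answer (firewall admin password, NAT, open ports, support status, update window), so the output of `run_survey()` doubles as the list of remediation items to send back to each home worker before you submit.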
For smaller organisations where everybody works from home, we advise you designate a director's home office as the HQ site (from a Cyber Essentials perspective this is important if you are going for Cyber Essentials Plus) and treat all other locations as home workers.
Just before we finish, I also wanted to advise the following:
Ensure you include home workers in all applicable answers, even if only to remove ambiguity. Common ones include:
- List of networks
- Network equipment
- Operating systems
- 14-day firmware update requirement
In summary, home workers can complicate your Cyber Essentials assessment, so make sure you survey them properly and complete all the relevant answers.