Högskolan i Skövde

The rapid growth of remote work has brought new challenges in ensuring cybersecurity in home-office environments. Based on a structured literature review and semi-structured interviews with industry professionals, this study investigates and identifies cybersecurity best practices for home-office environments post Covid and aims to fill existing research gaps by providing valuable new insights. Ultimately, the findings can support organizations and individuals to improve their cybersecurity posture when working from home. 

The findings from the literature review and interviews were merged and presented as consolidated themes, being the main results and contributions of this thesis. Furthermore, the results are reviewed in comparison to two well established standardized frameworks, ISO270001/2 and NIST CSF. The results highlight the importance of implementing easy-to-use functions for employees to report phishing attempts, avoid shaming those who have fallen victim for phishing  attacks and instead learning from their gained knowledge, reviewing and updating VPN configurations to withstand attacks specifically targeting VPN connections, enforcing as much security as possible and including what cannot be enforced in awareness raising programs and training, implementing Multi-Factor Authentication (MFA) via authenticator apps instead of via text-message based methods, and comprehensive security awareness training that is up to date with current trends in cyberattacks and risks. Physical security aspects differ between on-site offices and home-office environments and companies need to take this into consideration and raise awareness to their employees on the risks with working from home. Furthermore, companies need to raise awareness about the risks of using outdated or unsecured devices for work, plug-and-play devices such as routers with pre-configured passwords provided by network providers, and co-living scenarios such as flatmates overhearing sensitive work calls. 

While the reviewed frameworks include guidance in terms of controls for remote work, they do not address the specific case of home-office environments. Existing best practices predominately focus on remote work and while many of them can be useful for home-office work, they are two different strategies and thus differ in terms of risks and threat landscape. With the undeniably huge impact Covid has had on work life, sending complete workforces to their homes, best practices need to be updated by taking the specific challenges of home-office environments into account. 

Since the cyber threat landscape and attack methods continuously change and adapt, conducting an impact assessment of this study’s findings to evaluate their long-term effectiveness and sustainability would be a suitable suggestion for future work to extend this research.