The security-compliance risks of home-working

One year after the first lockdown, almost half of businesses plan to
continue allowing team members to work at home full-time and 82% will probably allow one day a week, according to Gartner [1]. In future, offering flexible work patterns could be essential to recruit and retain talent. Despite this, there is evidence that almost no progress has been made towards making remote working secure.

A survey by US security firm PC Matic (likely to be equally representative
of the UK situation) polled a cross section of firms in early 2020 and again
in 2021 [2]. Only 39% of employees have been issued with company-secured devices for home working, exactly the same proportion as a year before. Only 9% have been issued antivirus software, again unchanged from 2020. Only about 40% connect to their workplace over a VPN, once more
reflecting minimal change. Permanent commitments to remote working without matching security policies are the recipe for a perfect storm.

Even if employers eventually issue secured work devices with firewalls,
antivirus, VPNs and strong logins, there remains a dearth of training in
secure practices: work is done in insecure locations, unshredded
documents are left in bins, and employees discuss work over mobile phones and social media.

The Citizens Advice Bureau reports that a full third of British households
have been targeted by scammers in the past year [3]. Consequently, public awareness is growing and there is clear evidence that people are turning away from businesses and payment processes they do not trust. Businesses therefore face a two-pronged threat: losing customers on the one hand, and failing to comply with GDPR and the Payment Card Industry Data Security Standard (PCI DSS) on the other.

Telephone payments

Taking card numbers over the phone was never a sound practice, but doing so when your cashiers are working remotely is even less acceptable, to customers and to the payment card industry alike. For these card-not-present transactions the liability for fraudulent losses falls on the merchant, and there can be additional fines and sanctions when poor data protection is the cause.

Elaborate solutions have been proposed to patch over the inherent flaws of telephone payment systems. Some, for example, automatically pause call recording while the account number and CV2 are read out. Such systems are expensive, do little to reduce the risk, and offer customers negligible reassurance: the agent still hears and keys in the number, so the card data still passes through the merchant's people and systems.

Many smaller businesses adopted smartphone virtual terminal apps when they hastily adapted to remote selling and remote working, but these solve none of these problems. Card numbers and other private details are still taken in public, where they can be seen or heard by others, or in circumstances where the identity and integrity of the cashier cannot be confirmed.

There is a far better solution: never take the card number at all. Paytia's system
transfers the customer to a secure automated payment portal. The card
number is keyed directly into the system that clears the payment, which
notifies the merchant once it completes successfully. Because the card data
never enters the merchant's own telephony or IT systems, the business is relieved
of the risks attached to gathering and storing it, securing the line and preventing eavesdropping, and the customer is no longer asked to share private details with a stranger.
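To make the division of responsibilities in such a redirect flow concrete, here is an added Python sketch written for this article; it is not Paytia's code or API. The class names, the session and notification fields, the HMAC-signed notification and the test card number are all assumptions made for the illustration. It shows the portal as the only party that ever handles the card number, the merchant accepting a payment only when the processor's notification authenticates, and a check that nothing the merchant stores contains the full number.

```python
"""Added illustration of a 'never take the card number' telephone payment flow.
Example code written for this article, not Paytia's product or API. All names,
message fields and the signed-notification scheme are assumptions; the card
number is a constructed test value, not a real card."""
import hashlib
import hmac
import json
import secrets


def luhn_valid(pan: str) -> bool:
    """Basic format check a payment portal would run on the keyed-in PAN."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _sign(payload: dict, secret: bytes) -> str:
    """HMAC-SHA256 over canonical JSON: the merchant authenticates the
    notification instead of trusting any message that says 'approved'."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


class PaymentPortal:
    """Stands in for the processor's automated portal (hypothetical).
    It is the only component that ever handles the PAN and CV2."""

    def __init__(self, notify_secret: bytes):
        self._secret = notify_secret
        self._sessions = {}

    def create_session(self, merchant_ref: str, amount_pence: int) -> str:
        """The agent creates a session for the amount, then transfers the
        customer, who keys the card in without the agent hearing it."""
        sid = secrets.token_hex(8)
        self._sessions[sid] = {"merchant_ref": merchant_ref, "amount_pence": amount_pence}
        return sid

    def customer_enters_card(self, sid: str, pan: str, cv2: str) -> dict:
        """Clear the payment (simulated) and build the merchant notification,
        which carries status and last four digits only: no PAN, no CV2."""
        session = self._sessions.pop(sid)          # one use per session
        ok = luhn_valid(pan) and cv2.isdigit() and len(cv2) in (3, 4)
        note = {
            "session": sid,
            "merchant_ref": session["merchant_ref"],
            "amount_pence": session["amount_pence"],
            "status": "approved" if ok else "declined",
            "last4": pan[-4:],
        }
        return {"payload": note, "sig": _sign(note, self._secret)}


class Merchant:
    """Merchant side: holds the shared notification secret, never a card number."""

    def __init__(self, notify_secret: bytes):
        self._secret = notify_secret
        self.records = []

    def handle_notification(self, message: dict) -> bool:
        """Record a payment only if the signature verifies and it was approved."""
        expected = _sign(message["payload"], self._secret)
        if not hmac.compare_digest(expected, message.get("sig", "")):
            return False
        if message["payload"]["status"] != "approved":
            return False
        self.records.append(dict(message["payload"]))
        return True

    def holds_pan(self, pan: str) -> bool:
        """True if anything the merchant stored contains the full card number."""
        return any(pan in str(v) for rec in self.records for v in rec.values())


def run_demo() -> dict:
    secret = secrets.token_bytes(32)
    portal, merchant = PaymentPortal(secret), Merchant(secret)
    pan, cv2 = "4111111111111111", "123"     # constructed test card, not real

    sid = portal.create_session("ORDER-1001", 4999)
    genuine = portal.customer_enters_card(sid, pan, cv2)
    accepted = merchant.handle_notification(genuine)

    # A tampered message reusing the genuine signature must be rejected.
    forged = {"payload": dict(genuine["payload"], amount_pence=1), "sig": genuine["sig"]}
    forged_rejected = not merchant.handle_notification(forged)

    return {
        "genuine_accepted": accepted,
        "forged_rejected": forged_rejected,
        "merchant_holds_pan": merchant.holds_pan(pan),
        "records": merchant.records,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the signature check is that the notification is now the merchant's only evidence of payment: without authenticating it, anyone who can reach the merchant's endpoint could mark an order as paid. Real processors deliver this notification as a signed webhook; the merchant's job is to verify it and keep the returned reference, never to ask the customer for the number again.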

Formulate an action plan now

Security improvements should be a priority for every British business,
whether your telesales, cashiers and customer service teams are in the
office, roving or home working.

Begin by producing clear company policy documents that address remote working and payment processes, and back them with a staff training programme.
Multi-factor logins, VPNs, firewalls and antivirus suites solve many issues,
and standardising work devices makes it easier for IT staff to roll out
patches and troubleshoot problems. Cloud services that let IT staff
monitor remote devices and connections can also help.

Most important of all, review the data you actually need to gather. Not collecting data you do not need is the surest way to minimise the serious fraud and compliance dangers of home working.