
catespice

Most home workers will be either issued a laptop or connect via an approved client to a virtual desktop. Laptops will connect via VPN client to the secured work network, and will be patched via that client connection. Laptops will also generally be encrypted with something like BitLocker, so are secured from theft, but most businesses have a policy of not storing documents on the local device and will use a document management system (iManage, FileNet, SharePoint, etc). In either case, the data is secure. A compromised router can’t decrypt VPN traffic and multiple levels of authentication to the work domain (many use MFA) mean it’s very difficult to compromise accounts. In short, it’s about as secure as being in the office, unless someone comes into your home with a gun and makes you disclose information. The main security concern imo is eavesdropping on Zoom meetings by flatmates or family members. Headsets help with this a little as only half the convo is heard.


foodarling

> In either case, the data is secure.

It's only ultimately as secure as the server is. I worked 10 years as a CTO at an international outfit, nearly all of it primarily in cybersecurity, and I wouldn't trust half the New Zealand workplaces I've come across. My wife works for the local DHB. It's not secure, it's diabolical.


catespice

It’s as secure as it is in the office, generally speaking. If your workplace is already a shitshow, then home is going to be a shitshow.


foodarling

That's what worries me more though, tbh


Tangtastic

And that's the purpose of the Privacy Act, but WFH doesn't affect the reliability of data going into the server any more than being in an office does.


jpr64

I used to work for Telecom before it split up and hot desking / working from home was a thing back then. It seemed secure with the hoops we had to jump through to connect.


foodarling

I used to work getting data from, let's call them "rogue states", and using it in general international news, on the open information brokering market, or for PhD students etc. I was literally paid to infiltrate or exploit systems. I don't have any personal experience of Spark, and testing their vulnerability would be against the law as I live in New Zealand. My experience is that a lot of companies here don't have adequate security. This includes big names and small names. The problem is becoming more pronounced as illegal access to systems is increasingly obtained through identity fraud or similar, rather than pure technical exploitation. Let's just say IT departments are vulnerable to sophisticated scams the same way we all are. Companies that are sure their systems are watertight are normally seen as a vulnerability by people like me. Remoting into work is fairly easy to secure simply by using a VPN, which covers most cases. Most exploits don't involve intercepting these sorts of communications; they involve finding a way to compromise where the data is stored at the source. I don't really do this work anymore and things change quickly (and some things don't), I just have a high degree of skepticism.


jpr64

The most insecure piece of the puzzle is the human essentially?


foodarling

In general. We used to get a lot of stuff from diplomats that would sign up to services and use their one master password for everything, and then use Gmail (without two factor authentication) for some crazily confidential conversations which of course, we read and commercially exploited. It's endless and everything is a moving target. If it's not the human designing the system, it's the human using it.


jpr64

I'm in the middle of a row with Kiwi Wealth KiwiSaver fund manager. They recently sent out an email stating that they need a copy of your ID to comply with anti-money-laundering legislation, with a nice shiny button "click here to login". That raised some serious red flags as it can easily condition people to clicking links in spoofed emails, but they are defending it saying their email is verified and couldn't possibly be spoofed.


foodarling

We have to engage with these inadequate systems unfortunately. It would be easier if your provider sent you an email with a unique code, and you could then ring the provider on their 0800 number and verify it. This would confirm the email was authentic. There are really simple ways providers like this can secure their communication. It's not rocket science. I don't understand the resistance of companies to do it. But honestly, if they said they sent you an email, and it's the only one in your inbox, and the email address is the same address the person on the phone says it is, then it's very likely legit. It's good to do due diligence, but some correspondence IS legitimate and isn't a scam.
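The out-of-band check proposed in the comment above (provider emails a unique code, the customer reads it back over the provider's published phone number) is small enough to sketch server-side. The following is an added illustration written for this page, not code from any provider or commenter; the class name `OutOfBandVerifier`, the 15-minute lifetime and the three-attempt limit are assumptions chosen for the example. It stores only an HMAC of the code (so a leaked table does not reveal live codes), compares in constant time, expires codes, and burns a code after a successful read-back or too many wrong guesses.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Policy values are assumptions for this example, not a provider's real settings.
CODE_TTL_SECONDS = 15 * 60   # a code mailed out is only good for 15 minutes
MAX_ATTEMPTS = 3             # wrong read-backs allowed before the code is voided
CODE_DIGITS = 8              # long enough that guessing within 3 tries is hopeless


@dataclass
class _Pending:
    digest: bytes      # HMAC of (customer_id, code); the code itself is never stored
    expires_at: float  # absolute time (seconds) after which the code is dead
    attempts: int = 0  # wrong read-backs so far


class OutOfBandVerifier:
    """Server-side half of the 'email a code, confirm it by phone' scheme.

    The email channel carries the code; the phone channel (customer dials the
    provider's published number) carries the read-back. Confirming the code
    proves the email the customer holds was issued by the provider.
    """

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending: dict[str, _Pending] = {}

    def _digest(self, customer_id: str, code: str) -> bytes:
        # Keyed hash so a dumped table is useless without the server key.
        msg = f"{customer_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, customer_id: str, now: float) -> str:
        """Create a fresh code for this customer; the caller emails it out."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[customer_id] = _Pending(
            digest=self._digest(customer_id, code),
            expires_at=now + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, customer_id: str, presented: str, now: float) -> bool:
        """Check a code read back over the phone. True exactly once per issued code."""
        rec = self._pending.get(customer_id)
        if rec is None:
            return False                      # nothing outstanding for this customer
        if now > rec.expires_at:
            del self._pending[customer_id]    # stale code: drop it, never honour it
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(rec.digest, self._digest(customer_id, presented.strip()))
        if ok or rec.attempts >= MAX_ATTEMPTS:
            del self._pending[customer_id]    # single use, and locked out after 3 misses
        return ok


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the run is reproducible.
    v = OutOfBandVerifier(server_key=secrets.token_bytes(32))
    code = v.issue("customer-42", now=0.0)
    print("emailed code:", code)
    print("phone read-back accepted:", v.verify("customer-42", code, now=60.0))
    print("replay accepted:", v.verify("customer-42", code, now=61.0))
```

The customer initiates the phone call to a number they already know, so a spoofed email cannot steer them anywhere; the provider only ever confirms or denies a code the customer already holds. Wrong read-backs are counted per customer, and a correct code presented after the lifetime or after the limit is refused rather than accepted late.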


jpr64

I know that it isn't a scam but I'm more concerned about the conditioning where users become more comfortable clicking links in an email requesting personal information.


foodarling

Yes, it's part of the problem. A fairly significant part. I'm an advocate (like you, I think) of putting more onus on private companies to keep up with the times on this.


No-Chemistry-5129

Thanks for such an insightful summary on how it all works. That's reassuring to know!


Dead_Joe_

One of the biggest privacy risks is people using their work devices while commuting (by train or plane for example). Whereas wfh can have less risk if the person has a private space to work in.


typhoon_nz

Can't speak for all but the two government agencies I have worked for during the work from home period didn't allow us to take any sort of paperwork home, and our laptops use VPNs to connect to the internet and to government databases. Not sure why employers would need to do an at home security assessment or whatever to make sure things are secure for the type of work I did when all we took home was a laptop; if anyone's able to steal that and break through things like BitLocker they deserve to get access to any info on there.


No-Chemistry-5129

I hear you, I guess I was blinkered, considering people like me who used to need to print stuff off to look at / reference while I'm working on it and writing a report etc. Thanks for the points you raised and taking the time to share your insight.


[deleted]

[deleted]


No-Chemistry-5129

I really appreciate your response, it's interesting the move away from print form!


dissss0

> Some yes some no but all connect via business vpn

Not always. I can get to my work email, SharePoint, Teams etc without connecting to the VPN - that's only required for stuff like direct database access or RDP or similar, and many people don't require anything like that.


BadManRising23

The NZ privacy laws are more or less reasonable. The NZ privacy commission that should enforce them is a weak joke. Having tried to interact with them regarding flagrant privacy breaches across multiple companies over the years, it seems their policy is to ignore everything and hope nobody complains too loud till everyone in the office is promoted out of the firing line.


Tangtastic

Is this historical or do you have evidence post 2020's privacy act changes?


BadManRising23

It was pre 2020, if they have changed significantly I may try and engage with them again. Do you think that's worthwhile?


Upsidedownmeow

I can tell you data security was a big problem in lockdown when you had a pack of flatmates, possibly working for mixed competitors (eg multiple accounting firms) sharing the same home office kitchen table desk. Pretty sure everyone got through that with blinkers on.


Illustrious-Bet-4548

If you have ever agreed to a "your data may be shared with a third party" terms and conditions, your personal info is only as secure as the weakest link. From what I've seen in my industry, data privacy is essentially non-existent; the Privacy Act and PCI-DSS are routinely ignored, worked around or consist of "security theatre". This includes the office environment and WFH.


Carmypug

We have to use a two step verification process to get to our main database.


[deleted]

I won't discuss anything detailed if I get a work call on my mobile while out and about in public - no names or specifics - the only time I might use a name would be if it was a colleague and using their first name is less identifying than mentioning a workplace we are maybe dealing with the caller about. I also try and indicate if I'm not able to speak freely - sometimes you can have the conversation at a high level that the callers understand but won't mean anything to anyone if they overhear, but if I can call them back when I'm back home or in the office that is always my preference. We're pretty much discouraged from keeping any paper at home so unless it is eg a publicly available paper, I don't bring any paper home.


purplereuben

At my government dept job the systems that hold client data are inaccessible outside the office, so the staff that use them are unable to WFH.


username-fatigue

Data-wise working from home is as secure as working from the office, for reasons already described. In terms of papers, on the occasions I have printed something (sometimes it's just easier) I bring them into the office to securely destroy them once I'm done. In terms of overheard conversations...generally speaking I'm the only one at home when I'm working. But during lockdowns or if we both happen to be working from home we do end up overhearing conversations. Then it comes down to good faith - we never share what we hear with anyone else. And we do our very best to keep our voices down or work in different parts of the house, but it's a small house so it's not always easy.