Unprecedented times have left many businesses unprepared, implementing new and untried working patterns in haste, which introduces unexpected risks. Working from home has become the default option for many organisations that have been fortunate enough to adapt and continue, but not by choice. It’s helped them to keep operating as best they can, but it has the potential to introduce new cybersecurity hazards to manage.
Let’s first think about what ‘working from home’ looks like. Unlike in an office, where people sit in standard-issue ergonomic chairs at standard-issue desks working on standard-issue laptops, there’s no standard definition for a home working space. Some of us might be lucky enough to have a desk in a quiet room all to ourselves. Others may be sharing a small living area with a partner or other housemates, not to mention children and pets! They might not even have their own desk but instead are working at a kitchen table or balancing a laptop on their knees while sitting on the sofa. Let’s consider for a moment the privacy, or lack of it, in those different environments.
New World Man (or Woman)
Next we come to hardware. Some organisations issue employees with managed laptops that are more locked down than a high security prison. But others, and in particular SMEs, might be relying on staff using their own personal PCs, laptops, tablets, or smartphones. If that’s the case, does the business have a way of knowing what data – confidential, sensitive, personal – is being stored or processed on the personal device, whether the device is encrypted or has had the latest cybersecurity patches applied, or if the anti-virus and other software is up to date?
Instead of the safety blanket of cybersecurity provided by office IT, some businesses are leaving it to chance that a patchwork quilt of user-installed apps will provide protection. That’s a high-risk approach, to put it mildly.
Let’s assume for a minute that the person working on their home laptop is cybersecurity conscious and actually cares about privacy and security. What if they are visiting insecure websites in their spare time? Or what if the employee is a software developer working from home who has a question and decides to share the code they’re working on in an open forum for advice? Are they unwittingly disclosing the organisation’s intellectual property by doing so?
Distant Early Cybersecurity Warning
In the current climate of working from home, businesses have choices to make. They can either dictate what staff can and can’t do, and rigidly police that (or failing that, hope for the best). Or they can talk to their people, listen to what they have to say and get an understanding of the environments they are working in, and facilitate them as much as possible. In my opinion, employers owe a duty of care to provide their people with the tools to protect them from harm, to a degree at least.
Keep in mind that just because some employees are IT-savvy, that doesn’t make them cybersecurity experts. So, it can help to have someone on standby to give advice and guidance on what to do in an open and non-judgemental way – let’s face it, we can’t all be expected to know which anti-virus product is the best at any point in time, and for every type of device.
That’s especially important when there are lots of phishing scams circulating. An accidental click on a link could give attackers access to sensitive data or let them into the company network. Businesses that don’t have a full-time cybersecurity professional or in-house IT manager should work with their usual IT support provider, who can provide advice in return for a retainer. Staff may need to have someone on standby to reach out to if they encounter a (potentially serious) problem.
Leave That Thing Alone
Working from home is a huge cultural challenge as much as a technical one. I believe it’s important that the leaders and managers of a business set the right tone. They need to remind staff that it’s OK to make a mistake. None of us want to send an email to the wrong recipient, accidentally click on a suspicious link, or open a PDF, Word or Excel document with a macro embedded. But who among us has never made that kind of mistake? The most important thing is that staff know they can (and must) call it out if they think they have made such a mistake, which might lead to a data breach or may have caused a malware or ransomware infection. The worst thing they can do is say nothing – which is why open, regular and, hopefully, honest communication is essential.
Here are some tips to strengthen the technical side of cybersecurity.
Make sure your remote access solution is secure
There have been recent real-world examples of networking hardware being attacked by criminals through newly discovered vulnerabilities, so you need to check whether the hardware and software your business has in place is up to date and secure. Ask your IT or network provider for advice if you’re not sure.
Secure your email service
Email is a critical business tool at any time. Many companies, especially small businesses, use the Microsoft 365 suite, which comes with the Outlook email application. Rather than assuming the default installation will be enough, run the cybersecurity self-assessment tools and apply the extra security features available. Take the extra steps to make it harder for attackers to breach, or else you could be exposing important financial or sensitive information. If you don’t have the in-house skills to do it, ask your IT support provider to do this for you. (There’s a similar offering for Gmail.)
Ensure laptops/devices have hardware encryption
This control is a must: encryption is fundamental. If the business doesn’t already have this enforced on all laptops and mobile devices (including removable storage such as USBs), you might need to give the IT manager the ability to connect remotely to an employee’s system to set up the encryption or facilitate it so the employee can do it themselves.
This alone will significantly reduce your exposure if you do suffer a breach.
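As an added illustration of what “enforced on all laptops” can look like in practice (this is example code, not part of the original post, and not a tool the author describes), the PowerShell below audits every BitLocker-managed volume on a Windows machine and flags the ones that fall short of a simple policy. The policy itself is an assumption made for the example: every fixed and removable volume must be fully encrypted with protection switched on, and the operating-system volume must additionally carry a recovery-password protector so a locked-out home worker can be helped over the phone. It relies on the standard BitLocker module cmdlet Get-BitLockerVolume and needs to run in an elevated session; the function name and the CSV path are invented for the example.

```powershell
# Added example: audit BitLocker status on a Windows endpoint.
# Assumes Windows 10/11 or Windows Server with the BitLocker PowerShell module
# (Get-BitLockerVolume) and an elevated session.
# Policy applied here is an assumption for the example, not the blog's own:
#   - every fixed and removable volume: VolumeStatus FullyEncrypted, ProtectionStatus On
#   - the OS volume must also have a RecoveryPassword key protector

function Test-VolumeEncryptionPolicy {
    [CmdletBinding()]
    param(
        # Volume objects as returned by Get-BitLockerVolume; defaults to all volumes
        [Parameter(ValueFromPipeline = $true)]
        [object[]]$Volume = (Get-BitLockerVolume)
    )
    process {
        foreach ($v in $Volume) {
            # Collect the protector types (Tpm, RecoveryPassword, ExternalKey, ...)
            $protectorTypes = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
            $hasRecovery = $protectorTypes -contains 'RecoveryPassword'
            $encrypted   = ($v.VolumeStatus -eq 'FullyEncrypted')
            $protected   = ($v.ProtectionStatus -eq 'On')

            # Data and removable volumes only need to be encrypted and protected;
            # the OS volume also needs an escrowed recovery password.
            $compliant = $encrypted -and $protected
            if ($v.VolumeType -eq 'OperatingSystem') {
                $compliant = $compliant -and $hasRecovery
            }

            [pscustomobject]@{
                ComputerName     = $env:COMPUTERNAME
                MountPoint       = $v.MountPoint
                VolumeType       = $v.VolumeType
                VolumeStatus     = $v.VolumeStatus
                ProtectionStatus = $v.ProtectionStatus
                EncryptionMethod = $v.EncryptionMethod
                Protectors       = ($protectorTypes -join ',')
                Compliant        = $compliant
            }
        }
    }
}

# Usage: show every volume, then write the non-compliant ones to a CSV
# (path is an arbitrary choice for the example) for the IT manager to follow up.
$report = Test-VolumeEncryptionPolicy
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } |
    Export-Csv -Path "$env:TEMP\bitlocker-noncompliant.csv" -NoTypeInformation
```

Running this over a remote session to each home worker’s laptop gives the IT manager the list the section above talks about: which machines still need encryption turned on. Remediation on a non-compliant Windows volume is done with the same module (Enable-BitLocker to start encryption and Add-BitLockerKeyProtector with a recovery-password protector), but that step is deliberately left out of the audit so the script can be run read-only first.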
Make multi factor authentication (MFA) – also referred to as two-factor authentication (2FA) – mandatory for all remote workers
This is another essential cybersecurity control to put in place because it greatly reduces the chances of bad guys using compromised passwords to access your information. Apply this control for company email and for accessing any critical systems or applications, wherever you possibly can.
Now’s a good time to refresh cybersecurity awareness training
There are other steps you can take to promote good employee behaviour that help to protect important systems and data.
- Encourage staff to use a password manager
- Stress the importance of not sharing passwords (a habit that often increases with remote working), including with their children
- Where necessary, suggest that screen filters are used to make shoulder-surfing harder
- Remind staff not to open links or documents from suspicious sources or with unwarranted content, such as those with Coronavirus / COVID-19 information, as there are a large number of malware-infected scams out there
- Remind staff about the need to protect confidentiality
- Ask staff not to defer critical updates to software
- Remind staff that surfing illicit websites, amongst other things, can be dangerous to a personal device, and is a breach of company rules on a company one
- Staff must not visit sites like illegal movie websites because they pose a risk of ransomware and malware infection
- Remind staff not to leave company devices in the care of children or other family members
There’s a lot of talk in political and economic circles about how this crisis is an opportunity to ‘reset’. The same is true of businesses. A time of upheaval like the one we’re living through is actually a very appropriate time to review security in all forms. Now is the time for examining your Business Continuity Plan in detail to see if it’s truly fit for purpose. Take the lessons learned in the past few weeks to refresh and strengthen your plan. In our next blog, we’ll take a closer look at how to do this.