While many organisations had already embraced the flexibility of home working, the impact of COVID-19 meant others were faced with quickly making it work – and without warning. In the rush to enable businesses to function remotely, it was inevitable that the security risks would increase. And, where there’s confusion, there’s usually a cyber scam ready to exploit it.
Now, three months on, data shows that employee preference is very much to remain working from home. In the UK, views of remote based jobs were 2.5x higher on LinkedIn in June compared to March and applications for these roles increased by 189%.
For very valid reasons, remote and home working is here to stay, which means that, as an employer, you need to manage it on an ongoing basis.
The following tips are intended to help you put together a robust level of cyber security for your home based employees.
Give clear guidance
The biggest threat to information security is a lack of awareness of where the risks lie; that is how mistakes are made. Before we cover the technical issues, it’s worth emphasising that people generally ‘don’t know what they don’t know’. Sudden and enforced working from home will have taken many by surprise, and they may feel that being able to work from a functioning laptop and send an email is a sign of success – without any awareness of the security issues.
We therefore recommend clear guidance on what they need to know. It will reduce their levels of stress and it will help your IT support team, who will certainly already be under pressure. Remember, there are no colleagues at home to ask, and there is a danger of people doing their own thing.
Many remote workers are now used to online training so you might want to include the Top Tips for Staff e-learning package from the National Cyber Security Centre (NCSC). It takes 30 minutes and the training introduces why cyber security is important and how attacks happen, with guidance on using passwords and securing devices amongst other relevant topics.
Topics for guidance:
‘How to’ guides are helpful – you should make sure your policy and processes on the following are clearly laid out and accessible:
- How to use your Virtual Private Network (VPN)
- How to protect your home Wi-Fi
- The software you use and how to keep it up to date – antivirus, security updates etc.
- Bring Your Own Device (BYOD) guidance – if you are allowing your employees to use their own devices for work.
- Cyber safe use of collaboration tools
- Incident management procedure – what to do in cases of compromise or loss of equipment
The importance of your line managers
As valuable as guidance is, there’s a danger in assuming it will be read. This is why we also recommend that line managers are tasked with reminding employees about cyber security. This conversation must be included in check-ins with their teams and in the induction process for new recruits, many of whom will now be starting with the organisation while working from home.
Cyber security has always been everyone’s responsibility – and non-office based working only makes it more so. The line manager has a critical role, acting as the glue between the employee and the organisation. They will be the person who team members turn to for clarity.
Device security – in and outside the home
Three months in from lockdown and we are just starting to go out again. While this might be good for the economy, the devices your employees have been using to work from home – many of them personal – will be going out with them. If you’ve read earlier Ascentor blogs, you’ll know we keep saying that ‘people are the weakest link’ in cyber security. This is one of the reasons why.
Most devices are lost or stolen away from the office or home. Simple security measures can go a long way to prevent data loss. Make sure all devices are set up to require passcodes and to encrypt data at rest. Most devices now have encryption built in, but it may still need to be turned on and configured. As an employer, you might consider mobile device management software that enables you to remotely lock access to stolen mobile devices and erase or retrieve the data stored on them.
Use of social media
We’ve noticed posts of people sharing their home workstations. While this can be fun and boost morale on Zoom or Skype calls, your employees could unintentionally be sharing more than they think. People have a tendency to put frequently used information on post-it notes stuck to screens – these often include passwords. It only takes one rogue entry to a system for untold damage to be done.
The same caution applies to the use of webcams. There is a risk of sharing too much information including details about home and family.
Reporting of problems / incident management
Should your staff encounter a problem that they feel could compromise cyber security, they should be aware of the process for reporting it. The emphasis here should be on speed of response and that it’s better to raise a concern, no matter how seemingly insignificant, than risk potential damage.
Your incident management plans should be sufficiently flexible to deal with the range of security incidents that could occur, including the loss or compromise of a device. As mentioned above, mobile device management should enable the remote disablement of stolen devices.
Secure use of collaboration tools
We are all using collaboration tools such as Slack, Microsoft Teams, Zoom and Google Docs far more since the start of lockdown. They present a convenient way to stay in touch and maintain team motivation and engagement – but they are not without their security risks. If an account is compromised, a bad actor can pose as a trusted employee to share malicious documents or, within file-sharing apps such as G Suite or SharePoint, gain access to sensitive data.
While it’s impossible to guarantee that a business will never be compromised via a collaboration tool, there are measures that make collaboration more secure. For example, use two-factor authentication wherever possible to prevent unauthorised access, and restrict permissions to only those that are necessary. User-awareness training should also be included.
Managing Shadow IT
Shadow IT is where employees download their own apps and software instead of the recommended company applications and collaboration tools. It’s nothing new – but home working means more of it is almost certainly going on in your organisation. Do your employees communicate via WhatsApp without official approval? That’s shadow IT. Often done with the best of intentions, it opens up additional vulnerabilities.
The best way to manage Shadow IT is to acknowledge that it’s happening. By understanding what your users are trying to achieve with their Shadow IT solutions, you’ll be better able to serve their needs and manage the security issues. We’ve covered Shadow IT in our blog article ‘What is Shadow IT and how do you manage it?’
Manage your boundaries
Traditionally, boundaries applied to actual premises. Network security focused on physical hardware, security policies were based on internal working, and the management of firewalls was usually down to the IT department. On-premises firewalls would secure every device connected to your network, whether that be at an HQ or a network of offices. The growth in remote working has seen cloud-based firewalls increase in usage, offering remote access to networks while maintaining secure connections.
If you are using a cloud-based firewall, you can take a few additional measures to ensure it provides robust connectivity and a secure environment for remote-based employees. Deploying a next-generation firewall delivered as a service (Firewall-as-a-Service, FWaaS) provides a simple and flexible architecture for connecting all employees, no matter where they are working. You can also set up fast, secure and fully managed VPN connectivity and add security measures such as multi-factor authentication at login for an additional layer of protection. Cloud service providers, such as Amazon Web Services, Microsoft Azure or Google Cloud, give businesses the ability to provide consistent, secure connectivity to employees working from anywhere.
Beware of scams and Business Email Compromise (BEC)
The COVID-19 pandemic has seen a rise in attempted phishing attacks. Scammers use email or text messages to trick employees into giving them personal information. It often works by sending a message that appears to be from a well-known source (e.g. a colleague, manager or client), looks legitimate and may claim to be urgent.
Home-based workers are even more vulnerable to phishing because they are dispersed and it’s not so easy to check the validity of messages with others. That’s why employers managing a remote workforce should include awareness of the threats from phishing and how to identify, combat and respond to an attack when working from home.
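As an added example (not from Ascentor or the original post), the following Python flags the three traits described above in a plain-text email: a colleague’s name paired with a non-staff address, a Reply-To that diverts replies elsewhere, and urgency language. The organisation domain, staff directory and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values (assumptions): the organisation's domain and a small staff directory
INTERNAL_DOMAIN = "example.com"
STAFF_MAILBOXES = {"jane smith": "jane.smith@example.com"}
URGENCY = re.compile(r"\b(urgent|urgently|immediately|asap|right away)\b", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def bec_indicators(raw_message):
    """Return the reasons a plain-text message shows the impersonation traits described above."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # 1. A colleague's name paired with an address that is not their real mailbox
    expected = STAFF_MAILBOXES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used with non-staff address {addr}")
    # 2. Reply-To sends replies to a different domain than the apparent sender
    if reply_addr and _domain(reply_addr) != _domain(addr):
        findings.append(f"Reply-To {reply_addr} diverts replies away from {addr}")
    # 3. Pressure to act now, in the subject or the body
    match = URGENCY.search(f"{msg.get('Subject', '')}\n{msg.get_payload()}")
    if match:
        findings.append(f"urgency language: '{match.group(0)}'")
    return findings


# Constructed sample messages, not real mail
LEGIT_MAIL = """From: Jane Smith <jane.smith@example.com>
To: bob@example.com
Subject: Minutes from Monday

Attached are the notes we agreed on.
"""
SUSPECT_MAIL = """From: Jane Smith <jane.smith@webmail.invalid>
Reply-To: jane.smith@other-webmail.invalid
To: bob@example.com
Subject: Urgent payment

Bob, I need this supplier paid immediately, I am in a meeting all day.
"""
```

Run `bec_indicators(SUSPECT_MAIL)` to see all three findings; the legitimate message returns an empty list. Such a check supports, but does not replace, an employee verifying an unexpected request with the colleague by another channel.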
Working from home carries increased risks but it doesn’t have to be open season for cyber criminals. Many of the aspects of good remote or home based cyber security are the same as they would be if office based. Good cyber security practices are fairly universal. The threats increase at home when there’s a lack of available information and guidance, which is why consistent and clear communication is so important.
Don’t assume that the message has got through because you’ve created a policy or guide – your line managers need to emphasise good home-based cyber security along with other communications.