Home working – cyber security considerations for business
By Gerry Grant, CSO.
There are lots of articles and advice around home working currently being shared and most of it is pretty decent. While home working might be nothing new for your organisation, the scale of rollout will likely be unprecedented and it’s important that we get as much right as possible from the outset.
For my part, I wanted to share my thoughts on some of the things that we all need to think about in terms of being able to maintain a good level of cyber hygiene at this time.
Will staff be using personal or company laptops?
Many organisations may not have the capacity to issue all employees working from home with company hardware. If staff must use personal devices, then ask them to ensure that they have applied, and continue to apply, software and operating system updates. There have been several important updates to Windows 10 recently and these should be applied before the device is used for any corporate work.
Antivirus & web filters
Antivirus and DNS protection should be installed, and a record of the host device name kept so that it can be removed at a later time if required. Setting device web filters will allow staff to browse ‘work’ appropriate content while protecting them from malicious websites.
If you’re providing company laptops, make sure that they are fully patched prior to issue and advise staff to continually check for any new updates that need to be applied. These devices may be off your network for some time and might not get updated with any automatic patches that your IT department apply.
Tracking & data protection
Remote working also increases the risk of misplaced devices. Utilise laptop tracking and data protection tools such as Prey, so that if the worst happens, data can be wiped remotely.
Educate users on how to use encryption tools installed on their devices. On Windows machines there are options to encrypt the hard drive. The option available will depend on the type of licence installed: it is either BitLocker or, if it is a Home edition, look under Security and click on ‘Device Encryption’.
Consider how you will manage use of external drives, USBs and other removable media. To manage this risk, it’s worth enabling device control within your endpoint protection. Stipulate that staff only use devices that they trust and make sure that all files on them are encrypted and password protected to prevent unauthorised access if they are lost or stolen.
How will staff access company systems and data?
Encourage the use of collaboration tools such as Office 365 or G Suite, if you are already using them. This will help reduce the need to connect directly to any corporate or company servers to access files. For added protection, ensure that two-factor authentication is turned on.
If your employees do need to connect to the server, then they should be doing so via a VPN (Virtual Private Network).
We are already seeing evidence of an increase in phishing emails related to COVID-19 and working from home. The whole team needs to understand the risks. Talk to your staff about phishing emails and ask them to be extra vigilant at this time. Remember too that phishing also extends to SMS, other forms of messaging and telephone calls. It is worth choosing a specific channel such as Teams (currently available free of charge), Slack or even WhatsApp to keep your employees up to date with your company’s latest COVID-19 and working from home updates.
Remind staff of the importance of strong passwords and password hygiene. Ask them to consider things that they might not have even thought about. Criminals will be looking for that low-hanging fruit right now, so it might be a good idea to change any default passwords on home routers and printers, create new device passwords or allow fingerprint or facial recognition access. Using a password manager is the safest approach and there are many online options available, including LastPass and Dashlane.
On the theme of GDPR, consider your policy on printing outside the office and communicate this with staff. If printing is necessary, then an option may be to provide shredding machines.
Finally, in the event that a security issue does arise, staff need a forum for quick reporting. A simple email address or direct dial to the appropriate person may suffice. Make sure that details are added to online directories and accessible from any voice devices.
Our offer of support
The majority of our staff are now working remotely and even though the process of getting everyone up and running was a straightforward one for us, we appreciate that we are in a fortunate position in terms of our skill set. If you’re grappling with a move to home working, then we’d like to offer our help. It’s in our best interest to support one another at this time, so please get in touch and we’ll lend a helping hand if possible.