Hybrid Working? Review your risk profile …
As if Covid hadn’t caused enough problems, cyber criminals are now using it to steal your corporate data. Remote working employees give them plenty of opportunities to exploit lax security protocols and the natural tendency to assume “it could never happen to me”. It’s a good idea to find out how secure your systems are – and how you can close the loopholes before disaster strikes.
New ways of working demand new safeguards
Think back a couple of years. IT departments everywhere were racing to adapt to a new way of working. Luckily, remote-access technology meant they could connect computers in spare bedrooms to corporate systems. Under pressure to fix things fast, improvisation was the name of the game and sometimes even the most basic remote working cyber security safeguards were ignored. (Does “we’ll sort it out properly later” ring any bells?)
Who’s in control?
Let’s take BYOD (or bring your own device) for example. If you didn’t have enough company laptops to go round, you probably asked your people to use their own devices at home. So far, so pragmatic, until you realise what this means for the security of your data. Last year a global study* found that more than two thirds of office workers use work devices for personal tasks – and vice versa. What’s more, 30% of remote workers have let someone else use their work device. “Mum, can I just borrow your laptop for a minute?”
The problem with this mixing of work and home is that it gives hackers a huge new opportunity to infect corporate networks. First they identify a company employee through their use of a VPN. Then they wait for them to visit a public or commercial website and infect the computer. Once the employee reconnects to the corporate network the code is deployed – and the hackers may get access to your systems.
25% of employees report increase in fraud
There has also been a massive increase in phishing. According to a Deloitte survey, a quarter of all employees have noticed an increase in fraudulent emails, spam and phishing attempts in their corporate email since the beginning of the Covid crisis. This is bad enough when it corrupts a home computer. It’s potentially disastrous if it contaminates a corporate system.
The Governance Challenge
Maybe working from home – the ultimate place of safety for most of us – makes people careless. Perhaps we unconsciously assume that nothing bad can happen here. There’s certainly a sense that employees have picked up bad habits and found cyber security ‘workarounds’ since they’ve been out of the office. For example, are you certain that your staff are storing sensitive data properly? Is anyone holding business-critical files locally instead of using a corporate cloud or server solution? What about video conferencing? Even this can be a weak point, as malicious parties use the ‘live chat’ feature to spread phishing links and attachments.
Is your Support up to the task?
Lack of technical support probably doesn’t help either. Too often, people simply don’t know what to do or who to contact if something unusual happens on their device. According to one report**, 42% of younger employees have made cyber security mistakes while working from home that no one will ever know about.
Access Control becomes Mission Critical
As you can see, there’s plenty to consider, so where to start? In a nutshell, it’s time to get serious about access control. Ideally, you should encourage staff to keep personal and work activity separate using different devices. If that’s impossible, work out if you can disable or restrict access to insecure devices such as home printers, monitors and USB sticks.
In any case, if you allow remote workers to use your corporate IT systems from home, you need to apply multi-factor authentication or ‘MFA’. This means a user has to provide two or more pieces of evidence to prove their identity, such as a physical object (USB stick, ID card), a piece of knowledge (password, PIN), a physical characteristic (fingerprint, face recognition) or proof of location.
Make security part of the conversation
As ever, communication is vital. Your IT team should already be staying up to date with threat updates and keeping employees informed. Make this a two-way conversation by asking staff to report suspicious emails and files – and give them easy ways to do so. One click on an email should be enough to alert the specialists.
Finally, remember that this is still unfamiliar territory for most of us. Make sure your employees don’t feel isolated, encourage them to ask for help and try to avoid a blame culture. Team spirit is more important than ever. Of course you need to make it clear what you expect from your people, but they should also feel they have the tools and knowledge they need to avoid the many remote working cyber security pitfalls that come with this new way of working.
*HP Wolf Security Blurred Lines & Blindspots, May 2021