There can’t be many businesses today that don’t use remote working to some extent throughout the working day. Even those without a culture or need to offer remote working will have employees or directors taking work home, or working from hotel suites, conference venues and public transport at times.
This more casual form of remote working, one that may not be accounted for when analysing how business IT networks are used, is often missed in cyber security policies and procedures. However, it is one important factor that can put organisations at risk of cyber attacks and data breaches.
Remote working, whether a formalised arrangement between a business and an employee, or an ad hoc ‘needs must’ requirement to get work done, can leave your business IT network, systems and devices vulnerable.
The first step for managing security and remote workers is to understand where your business is at risk. This should be followed with an awareness raising campaign within the organisation so that all employees understand how their actions may compromise security and what steps they must take to protect company networks and systems. Cyber security policies need to include the specific risks associated with remote working, with procedures and guidance in place for working away from the office. This will also need to explain what actions need to take place if a remote worker believes they have exposed the company to a cyber attack, and any disciplinary measures that may be taken.
The following top tips provide an excellent starting point, but if you would like to discuss what processes your organisation should be using in more detail, please get in touch with our technical sales and account management team.
- Keep mobile devices and laptops safe
Lost and stolen mobile devices and laptops are easy pickings for cyber criminals if insufficient security measures are in place. The first line of defence is to look after these business assets: keep them with you and in sight at all times, and never leave them in hotel safes, cars etc. Next up is securing the devices themselves with good password hygiene and encryption on laptops. Finally, installing mobile device management apps such as AirWatch and MaaS360 give employees a chance of securing and recovering lost mobiles or tablets.
- Excellent password hygiene
Strong passwords will not only protect your devices and systems being accessed if a mobile or laptop is lost or stolen, they also protect businesses from hackers. Good password hygiene includes using long passwords with multi-characters, two-step authentication processes, and unique passwords for different systems and logins.
- Ensure up-to-date security protection is in place
Any devices that are owned by the organisation should be properly protected with antivirus, web filtering, firewalls, device encryption and other preventative software, but so too should your employees’ own devices if they are using them for remote working. This can be a difficult area to negotiate as your employee may feel this impinges on the personal use of their device: Your cyber security policies will need to address issues like these, either restricting staff from using their own devices for certain business critical activities, providing secure company owned devices, or making your cyber security protection mandatory.
- Use of public wifi
Public wifi can be vulnerable to malicious attack, presenting issues for those employees who may need to work from a hotel or conference. While it is good advice to only connect to trusted networks this is not always feasible. Therefore, your remote working / cyber security policy should stipulate that employees should not use public wifi for any sensitive, business critical activities. It is advisable to draw up some guidelines that explain what systems and activities staff can and cannot access when using public wifi.
- Email encryption and best practice
Email is perhaps the most used digital technology by staff members who are away from the office, and one that can open a backdoor to cyber criminals. Encryption and robust management of corporate email is a must. The installation of applications such as Mimecast is a no brainer, but raising awareness of the vulnerabilities of email will also help embed best practice in your organisation. This can include training in spotting cyber threats like phishing emails, and also policies on what information should not be communicated in an email – for example logins and passwords.
- Using public computers
While the majority of people will have their own laptop or mobile device that they use for remote working, occasionally someone may need to use a public computer such as in a business suite in an airport. Employees should be aware of the security implications of this and adhere to the following guidance: keep screens private (position them away from other people), don’t use public computers for any sensitive information, use ‘private browsing’ where possible, never use ‘remember me’ or ‘save information’, and clear your browsing history and delete any downloads before closing the browser.
- Using devices when out and about
Employees should also be aware of physical threats when using devices when in public places like cafes, hotels, airports etc. Just as you would hide your PIN when using an ATM, employees should be discreet when keying in passwords and logging into systems. They should also be aware of the risk of snooping and eavesdropping, not just online, but also from other people in the vicinity. Can someone see and potentially grab a discreet photo of company sensitive information while they work in a public space?
- Removable devices
USB sticks and other removable devices can be a source of malware and should be checked first. Many conferences hand out USB sticks that may be infected, often unbeknown to the organisers. Also don’t allow anyone to plug in a USB device into your computer, for example to share information in a meeting. Always get your IT department to security check removable devices.
- Monitoring and policy enforcement
24/7 network monitoring and security will help your organisation identify threats and monitor users on your networks. We partner with OpenDNS to protect our clients’ data and provide automated enforcement of corporate security policies. Remote workers and their mobile devices can be monitored using this solution to protect your organisation’s network. More details can be found here.
- Negligence and accidental risks in the home
Even when your employees are working from home using your secure VPN, VDI or remote desktop, there can be other risks that need to be considered. Children and pets can be a surprising threat! Cats have a habit of jumping on computer keyboards and inquisitive minds might press a few keys when a laptop is unattended. These kinds of risks should be addressed in your remote working / security policies to ensure that your staff take every feasible step to protect your systems at all times.
By Carl Henriksen, Managing Director, OryxAlign