In the wake of the Covid-19 pandemic, many, if not most organisations, have already crossed the “working from home”, or at least the “working while on the road” bridge. Although it is a measure of curbing the fast spread of the virus, it leaves many unprepared organisations vulnerable to cyber security attacks.
“If you’re on the IT team, you’re probably used to preparing laptops for staff to use remotely, and setting up mobile phones with access to company data,” says Paul Ducklin, Senoir Security advisor at Sophos
The global concerns over the current novel coronavirus outbreak, and the need to keep at-risk staff away from the office, means a number of companies may soon and suddenly end up with lots more staff working from home. It is vital that protecting staff be done alongside protecting the organisation as well.
“Should you have a colleague who needs to work from home you can no longer use the tried-and-tested approach of getting them to come in for whatever reason,” notes Paul adding; “You may just end up needing to set up remote users from scratch, entirely remotely, and have them be green at it.”
Below are five tips for working from home safely as discussed by the Sophos cyber security team.
- Make sure it’s easy for your users to get started
Look for security products that offer what is called an SSP, short for Self-Service Portal. What you are looking for is a service to which a remote user can connect, not just with an office laptop but their own as well. They can set it up safely and easily without needing to hand it over to the IT department first. Many SSPs also allow the user to choose between different levels of access, so they can safely connect up either a personal device (albeit with less access to fewer company systems than they’d get with a dedicated device), or a device that will be used only for company work.
The three key things you want to be able to set up easily and correctly are: encryption, protection and patching. Encryption means making sure that full-device encryption is turned on and activated, which protects any data on the device if it gets stolen; protection means that you start off with known security software, such as anti-virus, configured in the way you want; and patching means making sure the user gets as many security updates as possible automatically.
Remember if you do suffer a data breach, such as a lost laptop, you may well need to disclose the fact to the data protection regulator in your country. If you want to be able to claim that you took the right precautions, and that the breach can be disregarded, you’ll need to produce evidence. The regulator will not just take your word for it!
2. Make sure your users can do what they need
If users genuinely can’t do their job without access to server X or system Y, then there’s no point in sending them off to work from home without access to X and Y. Make sure you have your chosen remote access solution working reliably first. Test it on yourself before expecting your team to adopt it.
If there are any differences between what they might be used to and what they are going to get, explain the difference clearly. For instance, if the emails they receive on phone will be stripped of attachments, don’t leave them to find that out on their own. This is not only frustrating, it is also annoying. Find ways bypassing the problem such as asking colleagues to upload the files to private accounts instead. As a user, try to be understanding if there are things you could do in the office that you have to manage without at home.
3. Make sure you can see what your users are doing
Don’t just leave your users to their own devices (literally or figuratively). If you have set up automatic updating for them, make sure you also have a way to check that it’s working, and be prepared to spend time online helping them fix things if they go wrong. If their security software produces warnings that you know they will have seen, make sure you review those warnings too, and let your users know what they mean and what you expect them to do about any issues that may arise. Don’t patronise your people, but don’t leave them to fend for themselves either. Share a little cybersecurity love and you are very likely to find that they repay it.
4. Make sure they have somewhere to report security issues
If you haven’t already, set up an easily remembered email address, such as security911@yourcompanyDOTexample, where users can report security issues quickly and easily. Remember a number of cyberattacks succeed because the attacker tries over and over again until a user makes an innocent mistake. If the first person to see a new threat has somewhere to report it where they know they won’t be judged or criticised (or, worse still, ignored), they’ll end up helping everyone else.
For that reason, teach your users, in fact, this goes for office-based staff as well as teleworkers, only to reach out to you for cybersecurity assistance by using the email address or phone number you gave them. If they never make contact using links or phone numbers supplied by email, then they are much less likely to get scammed or phished.
5. Make sure you know about “shadow IT” solutions
Shadow IT is where non-IT staff find their own ways of solving technical problems, for convenience or speed. If you have a group of colleagues used to working together in the office, but who end up flung apart and unable to meet up, it is quite likely they might come up with their own ways of collaborating online by using tools they’ve never tried before. Sometimes, you might even be happy for them to do this, if it’s a cheap and happy way of boosting team dynamics. For example, they might open an account with an online whiteboarding service – perhaps even one you trust perfectly well – on their own credit and plan to claim it back later.
The first risk everyone thinks about in cases like this is, “What if they make a security blunder or leak data they shouldn’t?” But there is another problem lots of companies forget about, namely; what if, instead of being a security disaster, it’s a conspicuous success? A temporary solution put in place to deal with a public health issue might turn into a vibrant and important part of the company’s online presence.
As a result, make sure you know whose credit card it is charged to, and make sure you can get access to the account if the person who originally created it forgets the password, or cancels their card. Known as “shadow IT” this is not just a risk if it goes wrong – it can turn into a complicated liability if it goes right!
Most of all, if you and your users suddenly need to get into teleworking, be prepared to meet each other halfway. As a user, should your IT team suddenly insist that you start using a password manager and 2FA (two factor-authentication login codes) you have to type in every time then just say yes. Even if you hate 2FA and have avoided it in your personal life because you find it inconvenient.
“As the systems administrator, do not ignore your users even if they ask questions you think they should know the answers to by now, or ask for something you already said no to,” concludes Pual.” It might very well be that they’re asking because you didn’t explain clearly the first time, or because the feature they need is in fact, important when it comes to doing their job properly.”
Write to us firstname.lastname@example.org