What security considerations does remote working come with?
The COVID-19-driven influx of remote working has seen investment in conferencing tools and collaboration platforms skyrocket like never before. You only need to walk through Central London to gauge just how staggering the uptake may be. The sudden desertion of the once-bustling city streets is a stark reminder of how many people once commuted daily and, in turn, how many are now working from home.
Remote working was on a crescendo way before the coronavirus outbreak. This came as organisations began to strive for flexibility and to improve employee satisfaction. However, following Boris Johnson's recommendation on Monday that encouraged working from home, the remainder of companies that weren't already embracing remote working suddenly had to do so overnight.
Two days later, the chips have fallen and remote working is the new norm. Companies have kitted out their staff with the collaboration and monitoring tools of their choice and sent employees on their way.
Lulled into a false sense of 'my job here is done', what many organisations have become victim to is the unintentional oversight of how remote working affects their cybersecurity. What's more, many employees don't realise how their role in cybersecurity changes once they start working remotely. In a typical office environment, cybersecurity would usually be the responsibility of IT or dedicated cybersecurity teams. However, once the four walls of the office dissipate, the scales of responsibility tilt and the remote worker suddenly has a significant part to play.
With cyber attacks rife in today's increasingly digital environment (even the virus has spurred COVID-19-specific cyber threats), it is imperative that organisations and employees alike familiarise themselves with security best practices for remote working.
Avoid public WiFi
Remote working does not always equate to working from home. Today, people are literally running businesses from their local Starbucks. What's more, as companies strive to attract millennials, businesses are making it possible for recruits to work while they travel the world.
As ideal as it sounds, the problem with this style of working is that employees will often use public WiFi. What they may not know is that the simple act of connecting to a public network can lead to a swarm of problems. For instance, hackers can intercept traffic on public WiFi to steal your company data or distribute malware. There is also the risk of rogue WiFi networks that malicious actors set up for the sole purpose of data theft. These networks are cleverly named 'Free WiFi' or 'Open WiFi' in a bid to encourage people to connect.
To mitigate the risk, organisations should consider the following:
- Make clear to remote workers that public WiFi is to be avoided, and outline the risks that come with it
- Encourage remote workers to use hotspots provided by mobile carriers. To bolster this further, you may wish to use a private VPN for its encryption capabilities and to keep the criminals out
- Configure all devices so that auto-connect and discoverability settings are turned off
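One way to audit the auto-connect setting from the last point, as an added example that is not part of the original article: it assumes Linux laptops that store saved networks as NetworkManager keyfiles (normally under /etc/NetworkManager/system-connections/), and the three profiles are constructed samples.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not from a real device).
SAMPLE_PROFILES = {
    "Free WiFi.nmconnection":
        "[connection]\nid=Free WiFi\ntype=wifi\n\n[wifi]\nssid=Free WiFi\n",
    "HomeOffice.nmconnection":
        "[connection]\nid=HomeOffice\ntype=wifi\n\n[wifi]\nssid=HomeOffice\n\n"
        "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "Cafe.nmconnection":
        "[connection]\nid=Cafe\ntype=wifi\nautoconnect=false\n\n[wifi]\nssid=Cafe\n",
    "Wired.nmconnection":
        "[connection]\nid=Wired\ntype=ethernet\n",
}


def audit_profile(text):
    """Return (id, is_open, autoconnects) for a Wi-Fi profile, or None for other types."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return None
    name = cp.get("connection", "id", fallback="?")
    # NetworkManager auto-connects unless autoconnect=false is set explicitly.
    autoconnects = cp.getboolean("connection", "autoconnect", fallback=True)
    # No key-mgmt (or "none", which is WEP at best) means no real link encryption.
    key_mgmt = cp.get("wifi-security", "key-mgmt", fallback="")
    is_open = key_mgmt in ("", "none")
    return name, is_open, autoconnects


def risky_profiles(profiles):
    """Names of saved open networks the device would rejoin without asking."""
    results = [audit_profile(text) for text in profiles.values()]
    return sorted(r[0] for r in results if r and r[1] and r[2])


if __name__ == "__main__":
    for name in risky_profiles(SAMPLE_PROFILES):
        print(f"open network with auto-connect enabled: {name}")
```

A saved open profile with auto-connect left on is what lets a device silently join any access point broadcasting the same name, which is why the 'Free WiFi' sample is the one flagged.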
Despite the fact that the digital and threat landscape has outgrown password protection, passwords will continue to be a staple of security for the foreseeable future. For remote workers, the importance of passwords is ever more significant.
Firstly, in the event of a device being stolen, you don't want thieves to gain access easily. Hence, passwords such as 'password', '123456789', or 'qwerty' (I shuddered too) are a big no. Instead, it should be mandatory that all passwords are a mix of character and case types. Ideally, your passwords should look as if you'd sat on a keyboard, not like the name of a pet.
Not only that, but two- or multi-factor authentication is a must. To keep up with your bolstered password protection, you should consider enterprise-focused password managers. That way, you can safely store your complex passwords without needing staff to remember them. It also alleviates bad physical security habits such as employees writing login details down on physical and digital sticky notes.
Configure all devices so that software updates are automatic. To be on the safe side, also schedule periodic audits so that you are manually checking that updates have been applied. Otherwise, if you operate on outdated software, you may be operating with vulnerabilities.
Organisations that don't consider the importance of software updates are shooting themselves in the foot – badly. It's a step that heightens your security measures with very little effort, as the software proprietors do the work for you and hand it to you on a plate.
Educate, educate, educate
At EM360, we are against the narrative that 'humans are the weakest link'. The connotations here are that employees are irresponsible and incompetent. Instead, organisations should take responsibility and educate employees on the importance of cybersecurity.
There are a number of ways you can engage your workforce in training and education. Firstly, you can carry out workshops on a periodic basis to keep prompting vigilance. You can also consider gamified cybersecurity learning platforms to keep it fun for your employees (remember, you don't want to drill fear into your staff, just awareness). What's more, you can also run simulated attacks to spot your workforce's weaker areas. Of course, these may necessitate a degree of financial investment. However, you stand to lose a lot more in reputational and financial cost in the event of a real attack.