It looks like working from home is here to stay to some extent for the foreseeable future, which means that cybersecurity for remote workers is more important than ever. With over 70% of people working from home at least once per week, if you aren't already paying close attention to the cybersecurity risks of working from home, it's time to start.
Some people love working from home all of the time; some people love the office. Some people like a mix. But whatever your feelings on home working, it has created some technical challenges, particularly with cybersecurity.
At the start of the outbreak, many businesses asked staff members to work from home without any guidance or IT policies. It seems that, in general, very little has changed in terms of cybersecurity for remote workers.
Whether your team is working from home, the office or both in this post-lockdown new normal, it's still your responsibility as a business owner or senior manager to ensure that they are working securely.
Remote Work Cybersecurity Tips
- Centralised Storage
Make sure that you use a centralised and easy-to-access storage system for your data.
Is this quick and easy to access? You don't want a situation where people find the business storage system slow and clunky, because they'll end up storing data on their local devices. This is a huge risk - it could mean important data is lost if the device fails.
For storing files and folders, you must provide your team with a fast, flexible, and secure system. You want people to be able to access files and folders at the same speed as they would do in the office.
Secondly, is this storage system backed up? Even if your business uses Microsoft 365 to store data, you must have a third-party backup in place to have proper remote work cybersecurity.
- Home WiFi Security
Have you asked your team about the WiFi security at their homes? Their connection could pose one of the biggest cybersecurity risks of working from home. In your office environment, all computers should be protected by firewalls, and the WiFi should be secured and managed by your IT team.
However, this is unlikely to be the case at your employees' home addresses. We aren't saying you should be supplying each staff member with state-of-the-art firewalls to be used at home, but for effective remote work cybersecurity, you should be enforcing a policy of basic WiFi security.
This should include the following:
- Their WiFi password should be complex, secure, and not widely known.
- The name of the SSID (the WiFi name) should be changed, so it doesn't easily identify you. For example, you shouldn't use your family name or street address.
- Encryption should be enabled. This can be done via the router security settings and should be WPA or WPA2.
- The default router admin password should be changed so it can't be easily accessed.
All of these home WiFi controls are part of the UK Cyber Essentials framework. It's basic stuff. If people are working from home on BT routers, these things are usually in place, but you should always be sure.
- Device Encryption
An important cybersecurity risk of working from home is that portable devices are more likely to be lost or stolen. This is especially true if you are operating a hybrid home and office work model, and your employees are carrying their laptops between home and the office.
It's more important than ever to make sure that all of your devices are encrypted so that if the device is lost or stolen, the data can't be accessed.
It sounds a lot more technical than it is. For example, Microsoft provides a free encryption feature on Windows 10 devices called BitLocker, but you have to ensure that it is enabled and properly enforced across all of your devices.
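A per-device check for the enforcement point above, as an added example rather than code from this article. It uses the built-in Get-BitLockerVolume cmdlet; the function name Test-BitLockerCompliance and the three pass criteria are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: report BitLocker status for every volume Get-BitLockerVolume returns.
# The function name and the pass criteria below are illustrative assumptions.

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $problems = @()

        # Encryption must be complete, not in progress, paused or absent.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $problems += "VolumeStatus is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
        }

        # Suspended protection leaves the data encrypted but the key readable from disk.
        if ($vol.ProtectionStatus -ne 'On') {
            $problems += "ProtectionStatus is $($vol.ProtectionStatus)"
        }

        # A recovery password is needed to unlock the drive if the normal unlock method fails.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        if ($types -notcontains 'RecoveryPassword') {
            $problems += 'no RecoveryPassword key protector'
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            Compliant    = ($problems.Count -eq 0)
            Problems     = $problems -join '; '
        }
    }
}

$report = Test-BitLockerCompliance
$report | Format-Table -AutoSize

# A non-zero exit code lets whatever runs the script flag the device.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it from an elevated prompt on each laptop; a non-zero exit code marks a device that needs attention.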
We've talked in-depth about passwords and two-factor authentication before, but it's still critically underused so we're revisiting it.
Two-factor authentication (or multi-factor authentication) is when you require an extra login step in addition to your username and password. This extra step is commonly an app on your phone generating a random 6-digit number.
When reviewing remote work cybersecurity, do an audit of all of the systems that your business uses. This includes email, cloud storage, accounting software, CRM systems – everything. Ensure that people are using strong passwords and that two-factor authentication is turned on where possible.
If your team struggles to stay on top of strong, complex passwords (plenty of people prefer to use the same insecure password for everything because it's easier to remember), provide them with a password manager like Keeper Security.
- Use VPN for Applications
Lots of businesses still use applications that are stored on servers in their offices or in the cloud. We provide IT support to many law firms and accountants and they still use lots of these types of applications, which can pose a massive cybersecurity risk when working from home.
If that is the case and your business hasn't transitioned to SaaS applications, you should use a VPN to access those applications. A VPN creates a secure and encrypted connection to those applications.
- Email Security
With people working from home, there is an increased reliance on communication tools because we're not seeing as many people face-to-face. This means extra care should be taken to make sure these communications are secure. There are a few things you can do about email to ensure remote work cybersecurity:
- Personal emails: Have a company policy that states that personal email accounts shouldn't be used. You must keep all correspondence in your company email system.
Former health secretary Matt Hancock used his personal email address for official business. As a result, the government has no record of much of his decision-making during the Covid-19 pandemic.
- Sensitive data: Email isn't always a secure communication method, so make sure that people don't share sensitive or private information over email without extra security such as encryption.
- Phishing: Make sure everyone is alert to phishing attacks. Phishing attacks are where cybercriminals send emails in the hope that you'll click on something and enter your personal details or open an attachment.
These are on the rise – see our previous blog post on spotting phishing emails using the DAC method for more tips.
- Home Workspace
Consider the workspace that your team are using when they're at home. Aside from ensuring that people have a suitable environment in which to work, you have to think about cybersecurity for remote workers. Can your team be overheard when they're on the phone or a video call? Can other people in the household easily see their computer screens?
One of the cybersecurity risks of working from home is that employees who don't have a private office space risk working in the same room as other household members. When it comes to data protection, family members and other members of the household are third parties. They should not be able to see or access any business-related information or data.
Ensure that your team has a private space at home where they can't be overheard, and ensure that their computer screens are locked when not in use.
- Printing Documents
This is something that most businesses probably haven't thought about too much. If you print documents in the workplace, you probably have a means to securely dispose of these documents when people have finished with them.
The same can't be said at home. Your team might be printing documents and leaving them lying around for other people to see - this taps into the previous cybersecurity risk when working from home.
You have two options:
- Have a policy that your team understands on printing documents at home. Make them aware of the implications and how they can securely store them at home until they can bring them into the office and shred them.
- Put a technical control in place to prevent people from printing documents at home altogether.
- Double Down on Patch Management
Working from home means that people are working from different locations at different times, so patch management becomes trickier. It's even more important that your IT department or IT support company are doing this regularly and reporting to you, the business owner, on the status of your security updates.
We've made a post about the importance of patch management before, so check that out if you're interested in learning more.
- Video Conferencing Security
When we think of lockdown working, many people will have flashbacks to video conferencing with Zoom, Microsoft Teams, Google Hangouts or other video conferencing solutions. Unfortunately, at the start of the pandemic, the security of video conferencing was slow to catch up with the demand.
Zoom subscriptions, for example, grew by over 320%, but the platform suffered some security issues, especially with things like Zoombombing.
Security has tightened since then, but there are a few things to consider here, such as ensuring that the software on the devices is kept up to date and checking for encryption. End-to-end encryption means that the data is encrypted on the sender's device and can only be decrypted on the recipient's device.
Encryption scrambles everything up so it can't be intercepted and read by anyone apart from the sender or receiver. In terms of a video call, this would mean that the entire conversation would be encrypted – much more secure for remote workers.
We've mentioned policies before, but having a set of guidelines in place is absolutely vital to coordinate and enforce reliable cybersecurity measures. This should cover how your team should use their technology and what they are and aren't allowed to do, in order to eliminate guesswork. Aim to have an IT security policy and a remote access policy at least.
- Supply Work Devices
Make sure you supply all of your members of staff with a business-owned device. It often sounds much easier – and cheaper – to ask people to use devices they already own, but without ownership of the device, you can't control its security or how it's used.
If you own the device, you can enforce all of these remote working cybersecurity tips. If you don't own the device, your staff members could be using home computers with weak passwords, no patching or security updates, and using their personal email. Remember, it's your business that is at risk, so spend the extra money and supply everyone with their own device.
Any business with employees working from home in any capacity should be fully aware of how to implement cybersecurity for remote workers. For further guidance on remote working or if you would like to review your business's IT support, please get in touch with us today.