While IT managers have the ultimate responsibility for protecting sensitive data, data loss prevention is the responsibility of the entire workforce of the company. The sudden requirement to bring in remote working creates almost immediate conflict with existing IT practices and principles, as well as a host of new problems to solve. Effective collaboration is the immediate requirement, but that quickly escalates to include co-working with business partners, supply chain management and customer services - for most companies, their window onto the world. Data security should always be top of any list of priorities for the executive management team, a focus for IT managers and a concern for individual employees.
- 1. Personal Equipment and Infrastructure
- 2. Electronic Communications
- 3. Threat Analysis
- 4. Password Hygiene
- 5. Not All WiFi is Equal
- 6. Personal Discipline
- 7. Physical Security
- 8. Compliance and Reporting
Personal Equipment and Infrastructure
Staff who are home working and using their own personal equipment (laptop, tablet, phone) for work-related activities create huge security risks. Personal devices are not configured with the same security software and secure settings as equipment provided by the company.
Personal equipment is often protected by a simple firewall or antivirus software which is not enterprise level and is not sufficient for conducting business on behalf of the company. The process to get work-related documents to be accessible securely on a personal device is complex.
The truth of it is that personal email accounts are more likely to be attacked and successfully compromised than work email accounts. Personal email account configuration is not for the faint-hearted and password strength is everything. In the worst case, a personal email account may have already been infiltrated by an attacker who could easily intercept whatever sensitive data has been emailed to you.
Employees need to have a secure way to connect their authorised work devices to their personal printers in the event they need to print any documents. This will help them avoid having to send sensitive documents to their personal accounts in order to print.
With the radical shift to remote working, more sensitive data is in motion than ever. This means staff have more opportunities to make mistakes - sending an email to the wrong person, for example. Most of us have done this at some point in the past.
So, to avoid making this costly mistake, always double-check the recipient(s) of your emails. Ensure you haven’t made any spelling mistakes, and, if you’re using autocomplete, make sure the correct email address has been added.
Beyond that, you should always be vigilant when using Cc vs. Bcc and Reply vs Reply All and take time to check that you’ve attached the right documents.
Hackers and cyber criminals look to take advantage of emergencies, times of general discourse, and key calendar moments. Increasingly advanced technologies and tactics exist to carry out cyber attacks such as phishing and spear phishing campaigns, of which most new home workers will have little or no knowledge or understanding.
IT Managers need to relay guidance to home workers, in plain English, and in ways that home workers can implement. As new attacks become apparent, that information needs to be available, daily if necessary, to give home workers the maximum warning to take mitigating steps.
Ensure that home workers are using strong passwords. Applications like Zoom (or any virtual meeting platform) should also be password-protected to secure meetings. Meeting links should not be shared insecurely, and screenshots of a meeting that include the Zoom Meeting ID should not be shared.
Password management technologies and platforms should be in use across the company. Staff need to be advised on how to create secure passwords and how often they should be changed. Common mistakes (such as using the dog's name or children's birthdays) need to be eradicated quickly.
Not All WiFi is Equal
Home working means relying on an internet connection, but not all internet connections are equal in terms of security, and caution must be applied. Home-working members of staff could be staying with a family member or others, and that could mean insecure or shared internet connections.
Home workers may not recognise the security issues around using public Wi-Fi or wireless hotspotting from a mobile phone - it may seem like an easy alternative. The open and insecure nature of public Wi-Fi means a laptop or other device could be vulnerable to hackers. If a phone is being used as a hotspot and is insecure, or it has already been compromised by hackers, it's possible it could be used to gain entry to the company network via VPN access.
One of the most common issues with home working (for some) is that there is much more freedom and autonomy. Personal discipline - sticking to the rules, policies, processes and procedures that would be apparent within the office - becomes an issue.
Established rules around locking devices, procedures for distributing documents, the distribution of customer data (GDPR restrictions still apply) and personal contact information are crucial and need to be maintained. Training on security matters is crucial and there needs to be a flow of best practices, tips and guidance delivered to the staff. Many staff will just need a list of do's and don'ts - not complex technical explanations.
Personal equipment (laptops, phones, tablets) is sometimes not as physically secure as devices provided by the company. Passwords and access codes are often the defaults. Strong passwords are required for personal equipment, and access to digital platforms should also be managed via multi-factor authentication - requiring confirmation via mobile phones. Consequently, mobile phones should have 6-digit PINs.
Compliance and Reporting
Mistakes will happen. Misdirected email, phishing scams and stolen devices are all likely, especially if the number of home working staff is large. What is vital is that staff report the incident immediately and in a way where IT staff can understand the implications of the mistake so they can assess the impact and act accordingly.
Sharing this information among the staff will allow the same mistake to be avoided: the staff will be more aware of the issues, and the company can understand what changes to process or software applications would help prevent the issue recurring. It's important to note that companies that are secure have grown a culture of security within the staff and have spent time and money on training, awareness and certification.