
Many if not most organisations have already crossed the “working from home”, or at least the “working while on the road” bridge.
If you’re on the IT team, you’re probably used to preparing laptops for staff to use remotely, and setting up mobile phones with access to company data.
But global concerns over the current coronavirus (Covid-19) outbreak, and the need to keep at-risk staff away from the office, mean that lots of companies may soon and suddenly end up with lots more staff working from home…
…and it’s vital not to let the precautions intended to protect the physical health of your staff turn into a threat to their cybersecurity health at the same time.
Importantly, if you have a colleague who needs to work from home specifically to stay away from the office then you can no longer use the tried-and-tested approach of getting them to come in once to collect their new laptop and phone, and to receive the on-site training that you hope will make them a safer teleworker.
You may end up needing to set remote users up from scratch, entirely remotely, and that might be something you’ve not done a lot of in the past.
So here are our five tips for working from home safely.
- Make sure it’s easy for your users to get started
Look for security products that offer what’s called an SSP, short for Self-Service Portal.
What you are looking for is a service to which a remote user can connect, perhaps with a brand-new laptop they ordered themselves, and set it up safely and easily without needing to hand it over to the IT department first.
Many SSPs also allow the user to choose between different levels of access, so they can safely connect up either a personal device (albeit with less access to fewer company systems than they’d get with a dedicated device), or a device that will be used only for company work.
The three key things you want to be able to set up easily and correctly are: encryption, protection and patching.
Encryption means making sure that full-device encryption is turned on and activated, which protects any data on the device if it gets stolen; protection means that you start off with known security software, such as anti-virus, configured in the way you want; and patching means making sure that the user gets as many security updates as possible automatically, so they don’t get forgotten.
Remember that if you do suffer a data breach, such as a lost laptop, you may well need to disclose the fact to the data protection regulator in your country.
If you want to be able to claim that you took the right precautions, and thus that the breach can be disregarded, you’ll need to produce evidence – the regulator won’t just take your word for it!
- Make sure your users can do what they need
If users genuinely can’t do their job without access to server X or to system Y, then there’s no point in sending them off to work from home without access to X and Y.
Make sure you have got your chosen remote access solution working reliably first – force it on yourself! – before expecting your users to adopt it.
If there are any differences between what they might be used to and what they are going to get, explain the difference clearly – for example, if the emails they receive on their phone will be stripped of attachments, don’t leave them to find that out on their own.
They’ll not only be annoyed, but will probably also try to make up their own tricks for bypassing the problem, such as asking colleagues to upload the files to private accounts instead.
If you’re the user, try to be understanding if there are things you used to be able to do in the office that you have to manage without at home.
- Make sure you can see what your users are doing
Don’t just leave your users to their own devices (literally or figuratively).
If you’ve set up automatic updating for them, make sure you also have a way to check that it’s working, and be prepared to spend time online helping them fix things if they go wrong.
If their security software produces warnings that you know they will have seen, make sure you review those warnings too, and let your users know what they mean and what you expect them to do about any issues that may arise.
Don’t patronise your users, because no one likes that; but don’t leave them to fend for themselves, either – show them a bit of cybersecurity love and you are very likely to find that they repay it.
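The encryption, protection and patching checks described above, and the need to keep evidence that they were in place, can be sketched as a small fleet check. This is an added example, not code from the original article or from any product; the report field names, the thresholds and the sample check-ins are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds; the article does not give numbers.
MAX_PATCH_AGE = timedelta(days=14)
MAX_SILENCE = timedelta(days=3)

# Constructed check-ins, shaped as a management agent might report them.
SAMPLE_REPORTS = [
    {"device": "laptop-a", "disk_encrypted": True, "av_running": True,
     "last_patch": "2020-03-08T09:00:00+00:00", "last_checkin": "2020-03-10T08:00:00+00:00"},
    {"device": "laptop-b", "disk_encrypted": False, "av_running": True,
     "last_patch": "2020-02-01T09:00:00+00:00", "last_checkin": "2020-03-10T07:00:00+00:00"},
    {"device": "phone-c", "disk_encrypted": True, "av_running": True,
     "last_patch": "2020-03-05T09:00:00+00:00", "last_checkin": "2020-03-02T10:00:00+00:00"},
]

def too_old(report, key, limit, now):
    """True if the timestamp is missing or older than the limit (fail closed)."""
    value = report.get(key)
    return value is None or now - datetime.fromisoformat(value) > limit

def assess(report, now):
    """Return the policy failures for one device check-in."""
    failures = []
    if report.get("disk_encrypted") is not True:
        failures.append("encryption: full-device encryption not confirmed")
    if report.get("av_running") is not True:
        failures.append("protection: security software not running")
    if too_old(report, "last_patch", MAX_PATCH_AGE, now):
        failures.append("patching: no recent security update")
    if too_old(report, "last_checkin", MAX_SILENCE, now):
        failures.append("visibility: device has stopped reporting")
    return failures

def evidence_record(report, now):
    """Timestamped result plus a digest of the raw check-in, for later audit."""
    raw = json.dumps(report, sort_keys=True).encode()
    return {"device": report["device"], "assessed_at": now.isoformat(),
            "failures": assess(report, now),
            "report_sha256": hashlib.sha256(raw).hexdigest()}

def needs_follow_up(reports, now):
    """Map each non-compliant device to its failures."""
    records = [evidence_record(r, now) for r in reports]
    return {r["device"]: r["failures"] for r in records if r["failures"]}

if __name__ == "__main__":
    now = datetime(2020, 3, 10, 12, 0, tzinfo=timezone.utc)
    print(json.dumps(needs_follow_up(SAMPLE_REPORTS, now), indent=2))
```

A device that has gone silent is treated as a failure in its own right, since a stale "all good" report says nothing about the device's current state.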
- Make sure they have somewhere to report security issues
If you haven’t already, set up an easily remembered email address, such as security911 @ your company DOT example, where users can report security issues quickly and easily.
Remember that a lot of cyberattacks succeed because the crooks try over and over again until one user makes an innocent mistake – so if the first person to see a new threat has somewhere to report it where they know they won’t be judged or criticised (or, worse still, ignored), they’ll end up helping everyone else.
Teach your users – in fact, this goes for office-based staff as well as teleworkers – only to reach out to you for cybersecurity assistance by using the email address or phone number you gave them. (Consider snail-mailing them a card or a sticker with the details printed on it.)
If they never make contact using links or phone numbers supplied by email, then they are very much less likely to get scammed or phished.
(From Naked Security, the Sophos blog).
Great read. I have also read about the risks of security while you are working from home. Hope it helps you guys.
https://www.purevpn.com/blog/working-from-home-be-wary-of-these-cybersecurity-risks/
Welcome and keep reading…