7 Cybersecurity Pitfalls to Avoid in Your Remote Working Policy
Nowadays, more and more of us are enjoying the freedom of working from home. Before the Coronavirus crisis, only 5.1% of the UK workforce worked from home.
Many businesses had put home-working policies on the “nice to have” pile, to sort out when they had time.
Home-working policies come with a number of overhead-slashing, morale-boosting benefits. Yet many companies rely on the “quick and easy” route to remote working without fully considering all of the cybersecurity implications – of which there are many!
Here are 7 common cybersecurity problems that companies often overlook when crafting a home-working policy and the relatively easy ways to eradicate them.
1. Poor Physical Data Security
Good IT security starts with physically securing your devices when they’re out of your sight. Just as you would in the office, we recommend that you lock your PC when stepping away, even just for a moment. This is especially important if you live with other people.
If you have small children, their curious hands may unwittingly tinker with or delete something important. A spouse or housemate may glance over and see something they really shouldn’t.
If you’re required to take a work device out of your home, consider its physical security at all times. Keep devices securely close-by when out and about and make sure they’re locked away and out of sight if left in a vehicle.
2. Lack of Cybersecurity Training
Regular, thorough cybersecurity training is essential whether your team are office-based or not. 90% of data breaches during 2019 were attributed to human error, so it’s important to build a culture of positive cybersecurity awareness.
Though training differs between cybersecurity training providers, a good trainer should cover phishing awareness, browser security, creating strong passwords, and Wi-Fi safety to name but a few starting points.
Ideally, you should also give your team an understanding of the security measures you have in place and why: what measures you use to protect your team, why those measures are there, and what could go wrong if those measures were absent or ignored. Though in-person training workshops are common, the same training can be carried out online.
Nobody is immune to cyber risks, so good cybersecurity is the responsibility of the whole organisation from top to bottom. Nobody should be exempt from training.
3. No Phishing Training
Though it’s technically a training issue, we feel that phishing is important enough to mention on its own. It’s an absolutely huge problem right now; the DCMS discovered in their 2020 Cyber Breach Survey that criminals are moving away from malware and ransomware attacks in favour of phishing attacks. Of the companies surveyed who experienced a cybersecurity incident, 86% experienced a phishing attack.
So, what is phishing? Put very simply, phishing is when cybercriminals send out emails purporting to be from a legitimate source like a cloud service provider, a vendor, or even a colleague. These emails will likely encourage recipients to share sensitive data or access credentials; make bogus payments; or download malware.
All team members (wherever they’re based) should view every unexpected email with a hefty helping of scepticism. If an odd request has come through from a colleague, call or message them to verify the request’s legitimacy.
If the email is encouraging you to log in to an online service, don’t use the link provided, head to the link you usually use to log in securely and verify the email’s request. And never download unexpected attachments from random senders!
4. Workers Using Their Home PCs for Work
Leaving your remote teams to use their own “home” PCs can be fraught with cybersecurity worries. Your company will have no way of knowing – let alone policing – their PCs’ levels of cybersecurity; nor will you be able to control access to harmful or unproductive content. If a device that’s riddled with malware is allowed into your network’s secure bubble, it could cause chaos.
We therefore recommend that companies prepare and ship a work device (such as a laptop or a low cost “thin client”) to each of their home working colleagues. Failing that, we can provide enterprise-grade remote access solutions which can secure the user’s personal devices when working from home.
Before you send laptops out to your team, you should install your own cybersecurity measures, including managed antivirus software, VPN functionality, and content control tools.
5. Not Encrypting Remote Connections
Regardless of what your staff are doing off-network – working from home or out on the road – you need to ensure that the connection between their device and your network is securely encrypted so hackers can’t listen in.
A remote access virtual private network (VPN) creates a totally encrypted tunnel between your on-network resources and your off-network devices. Therefore, anyone trying to snoop in on communications between those two points will just see encrypted nonsense – even if your workers are using unsecured public Wi-Fi.
Many modern enterprise firewalls come with remote VPN functionality included as standard. However, you will usually need to purchase licenses for each of your intended VPN users – we advise you keep a few license slots spare in case of emergencies.
6. Not Controlling Access to Malicious or Unproductive Sites
Naturally, you’ll want to control the sites that your remote workers are able to access on work devices. Without adequate content controls, there’s no way of knowing whether your workers are wasting time on unproductive sites, or unwittingly introducing your network to malware.
DNS filtration is a lightweight way of providing basic off-network protection against unproductive websites, undesirable content, and known sources of malware. The DNS filtration services provided by our sister company, Just Cyber Security, include AI-powered threat detection, at-a-glance threat reporting, and thorough usage analytics.
7. Not Securing Logins with Multi-Factor Authentication
Username and password logins have been a go-to access method for years. They’re also (somewhat understandably) a common target for hackers.
Once a set of login credentials have been unearthed, there’s nothing to stop hackers from accessing systems and causing havoc. Similarly, basic password logins don’t have a way of verifying user identity, i.e., there’s no way of ensuring that’s really Steve logging in with Steve’s credentials.
Enter MFA, or multi-factor authentication. Rather than verifying user IDs through a potentially hackable single factor (a password), MFA solutions require one or more additional steps to verify a user’s identity before access is granted. So even if a password becomes compromised, a hacker still wouldn’t be able to access anything without the additional identifying factor(s).
WatchGuard AuthPoint, an MFA solution we supply, provides secure authentication through a mobile phone app. It verifies your identity by recording your phone’s unique “DNA” on registration, so each user’s authentication capability is tied to their mobile device. AuthPoint is managed through a browser-based dashboard which collects usage logs for troubleshooting and security monitoring.
In order to achieve watertight remote cybersecurity, you’ll really be best off using these solutions together in tandem.
Access to devices and VPNs can be policed and authenticated through MFA.
DNS filtration acts as a protective barrier should someone click on a known phishing link. If someone absentmindedly enters their password somewhere, they shouldn’t, MFA will make sure that cybercriminals won’t access sensitive credentials.
And good cybersecurity training embeds an awareness of how all of these elements work together and how to keep online perils at bay.
If you’re concerned about your current levels of remote worker security, call our boffins for a free cybersecurity health check! There’s no obligation to buy – in fact you may be able to maximise your current systems without paying a penny! Get in touch with the team today on 0808 1644414 or request a call back.