Working remotely has become a fixture during COVID-19 and is likely to become more common in business once the lockdown has passed.
Cyber security is now all the more important for you and your employees. Research from DSA Connect shows that since working from home, 8 per cent of people have increased access to confidential data compared with the 6 per cent who say they have less.
It seems that companies are aware of the risks. Cyber security services provider, Nexor, says that UK Google searches for ‘cyber defense’ [sic] went up by 126 per cent between January and March 2020. That’s up 116 per cent from March 2019. Searches for ‘cyber security services’ rose by 44 per cent and ‘how to install a VPN’ increased by 40 per cent.
However, Kaspersky says that only a third (34 per cent) of small businesses are keeping employees updated on security requirements for personal devices. This can be mirrored in staff conduct. Research from Tessian shows that 52 per cent of workers feel they can get away with riskier behaviour when they work remotely.
It’s not the same case for everyone. Normally cyber security is in the hands of a team on-site, but now more of the onus is on the employees to manage these risks.
Let’s take a look at ways to protect your business data while your staff are working remotely.
1. Use a password manager
It’s an ideal time to review how passwords are created and used within your company. Your staff might be using simple combinations – or the same password across their accounts – so that they don’t risk forgetting them. Warn them that this can put your business at risk of cyberattacks too as hackers will find it easier to guess their login details.
Password managers can help you here. They securely store passwords and generate strong new passwords. If multiple team members need to log into the same account, they can share passwords with your team in a safe way, rather than through email or instant messenger where it can be susceptible to fraudsters. We’ve included some names that you might recognise below and you can find a list of five top password managers for small businesses here.
2. Ask staff to encrypt their home WiFi
With your employees at home, ensure that their WiFi network is encrypted. A good start is to change the router’s default password as it’s susceptible to attack from a hacker. The default passwords tend to be weaker. ‘Admin’, for example. Note that this is not the password you use to access the network; it’s the one you use to protect your settings and configuration.
This is more of a problem on older routers, but it’s a good idea to mention it to your employees anyway.
Helpful resources: The Information Commissioner’s Office (ICO)
3. Introduce two-factor authentication (2FA)
You’ll know 2FA from other platforms you use like banking apps. The user needs two forms of identification to gain access – such as password and PIN code – making it harder for fraudsters to guess the user’s login details. If you don’t want to rely on set numbers and codes, you can also use apps like Microsoft/Google Authenticator – this will send an approval notification to your phone which you can either approve or deny.
Some won’t be able to enable 2FA. In this case, you should look at other security options available to you. One-time passwords and biometric authentication are two such options. One-time passwords (also known as dynamic passwords) are only valid for one use or transaction and can be enacted on any device. The user is sent an automatically generated alphanumeric password to their phone or email to login for a one-time session. This would be more suitable for casual staff or freelancers.
Biometric authentication is a sign-in which relies on the unique physical characteristics of a person, such as their fingerprint, face or voice. Some laptops and devices will already have a fingerprint or voice security function built in, but we’ve included a couple of third-party providers too.
4. Be scam savvy
Scams have shot up since coronavirus cases started to surge. Action Fraud say there has been over 200 reports of coronavirus-related phishing scams.
Most of us like to think that we can easily spot a scam. However, a test carried out by Computer Disposals Limited (you can take the test through the link) revealed that only 5 per cent of British people can spot a series of scams. More than a fifth of respondents got the majority of the questions wrong, with most likely to fall for an email purporting to be from Facebook. Interestingly, the survey also found that some respondents were suspicious of all of the communications. This is why it is vital that your staff know what a legitimate communication looks like as well as a false communication.
Keep yourself and your staff clued up on current scams that are doing the rounds by frequently referring to Action Fraud. Advise employees not to click on dodgy-looking links or attachments, looking out for unofficial domains on email addresses along with spelling and grammatical errors.
Helpful resources: Action Fraud
5. Train your staff
Having the right training in place is central to working remotely. First off, set out training on any new programmes you’re using now that your staff are off-site. Assign your employees on appropriate training courses and ensure that they all take it. However, be careful not to overload employees with too much new information and tasks all at once.
Reinforce staff responsibilities, including when to report cyber security issues. When doing this, aim for a blame-free culture as guilt may deter them from reporting. The earlier they report, the more data can be saved.
Helpful resources: National Cyber Security Centre (NCSC)
6. Employ a Virtual Private Network (VPN)
A VPN allows you to create a private network where you can access files and emails remotely. Be assured by secure connections on public WiFi and when workers are based remotely. Data that is shared or accessed in this time will be encrypted and online browsing will remain anonymous.
It can hide a user’s internet protocol (IP), encrypt data which is in transit and conceal a user’s location.
The NCSC has guidelines for employers on choosing a VPN. Remember, you can supply a VPN to your employees if you wish. Here’s a list of five VPN providers for small businesses too.
7. Outline specific steps to protect data at home
We talk about this all the time: encourage your staff to do all updates and back-ups. Patches will fix security vulnerabilities and strengthen your company’s defence against hackers. These updates happen frequently so it’s best for your staff to set reminders for updates.
Even though they’re at home, ask employees to lock their laptops while they’re not in use and to keep them in a safe place outside of working hours. It also helps to set rules about what employees can and can’t do with work equipment such as online shopping.
If you’re permitting workers to work on their own devices while they’re at home, consider what that means. It could even be accessing work emails from a private smartphone. Whatever device they’re using, ensure that it’s GDPR compliant. As your clients are using their own devices that puts data at a higher risk of being hacked.
Think about what tasks they’ll be encouraged to do from their own devices and what platforms will help them to do so. How much control do you have over these devices and what policies can you enforce? To reinforce your message, resend your BYOD policy to all of your staff, highlighting specific areas that are relevant to working remotely.
Helpful resources: National Cyber Security Centre (NCSC)
Managing cyber security measures while staff work at home
There’s a lot to process here. Perhaps you had some of these measures in place already. For those you don’t, hopefully the resources that we’ve provided can get you there. The NCSC has a lot of extra information on cyber security and you can refer to Action Fraud if you want to keep yourself updated with scams that are circulating.
Mastered cyber security for your remote workers? You can also visit the UK Domain for more cyber security tips.
Based on original article by Cath Goulding, CISO at Nominet.