Cybersecurity - Five tips for secure remote working
Businesses large and small are struggling to cope with the ongoing impact of the COVID-19 pandemic, as many regular officegoers adapt to remote working for the foreseeable future. This rapid, unprecedented shift has highlighted multiple ways companies are struggling to maintain not just business continuity, but also their data security and privacy obligations.
While regulators will perhaps be sympathetic to enterprises grappling with these challenges, now is an excellent time for organisations to evaluate their technical and organisational measures, and address gaps in their cyber security approach.
We walk you through our five top tips for maintaining safe and secure remote working.
A Robust Password Policy
Like toothbrushes, passwords work best when you choose a good one, don't share it with anyone else, and change it regularly. Automation tools that impose forced expiry dates provide additional security, for example in the case of furloughed employees. For a more robust system, enable two-factor authentication, that is, requiring an SMS message or email with an additional password when a user wants to access a system.
Maintaining Good Data Hygiene
Good password practice applies to home systems as well as office hardware. Default router passwords for home networks are easy for hackers to discover and should be changed. While ideally most employees will have laptops or other devices configured by their IT staff which can be physically secured when not in use, Bring Your Own Device schemes are more common and present their own challenges. Use of VPNs, security tokens, and two-factor authentication can help maintain good data hygiene by keeping confidential information within secure environments. Personal accounts, especially those on social media networks, should be accessed from outside these environments and, ideally, only from personal devices.
Video Conference Procedures
Videoconferences may help alleviate the stress of employees missing kitchen conversation, but they may also introduce risk. Assembling a short checklist in preparation for a call can help, and might include tips such as making sure no confidential material is visible on work surfaces or backgrounds. Moderators of such calls should encourage everyone to identify themselves, whether by voice or video, to ensure all participants are genuine. Meeting rooms should be locked once the call starts to prevent disruption. Webcams should be disabled, disconnected or covered when not in use.
Cybercrime Vigilance
Cyber criminals of all stripes are utilising old practices with new framing narratives to take advantage of a home workforce. Phishing and malware campaigns with COVID-19 themes or impersonating health authorities have led to a rise in ransomware attacks. To support employees who may be under increased pressure and suffering from lack of focus, send short and regular reminders of the company’s IT support resources to use when they receive suspicious links or attachments, and of how to seek more help quickly if needed.
Likewise, IT professionals should remain vigilant for established exploits such as ‘Patch Tuesday’ attacks or physical interception of IT equipment en route to an employee. Crisis response playbooks and critical security checklists need to be updated – even minimally – to adjust for remote working of IT staff and any inability to physically access vital systems such as on-premises server logs in older, more vulnerable environments.
Communication and Documentation
Ensure all members of your team know how and when to report a potential data breach. This can be anything from a contemporaneous and informal call to internal ticketing systems. If investigating staff require documentation, make that clear at the intake stage to save time.
Use concise, informative communications and direct them to the appropriate teams. For example, volume contract processing staff may need added reminders to verify the source of unsolicited email attachments with a telephone call before opening. Lengthy emails about cybersecurity are likely to go unread by many. Aim for impactful communication of key points, with plenty of signposting where more information can be readily located, such as existing policies and any COVID-19 related changes and updates.
Review crisis response plans or business disruption reporting lines to make sure they are current and contain all necessary contact information. Check whether critical response windows – internally or with third-party vendors – need to be adjusted to avoid delay or confusion in the event of a breach.
Finally, make sure there’s a plan in place for how a breach could be securely investigated without compromising confidentiality or legal privilege. Remember that regulators will focus on what procedures and policies are in place, and how well they were adhered to, should an investigation arise.