During the pandemic, many businesses and their staff adopted a 'work from home' or hybrid working policy, and while (whisper it) Covid-19 is no longer too much of a concern, the WFH practices have remained for many. But caution is still needed. We explain why...
Many organisations are still allowing their workforce to work remotely, either from home, the coffee shop, libraries or wherever they see fit. The hybrid method of working also continues to suit both employers and employees, with many adopting a three in/two off or vice versa kind of home/work pattern.
However, wherever employees choose to work when they are not in the office presents cyber security challenges that must be managed.
The guidance from the National Cyber Security Centre recommends steps to take if your organisation is continuing (or scaling up the amount of) home working.
We take a look at some of the practices that both employers and staff should be considering.
If you need to set up new accounts or accesses so your staff can work from home, you should set strong passwords for user accounts, for example by using the three random words technique. Please refer to the NCSC guidance for system owners responsible for determining password policy. We also strongly recommend you implement two-factor authentication (2FA) if available.
Working from home can be daunting for people who haven't done it before, especially if it's a sudden decision. There are also practical considerations; staff who are used to sharing an office space will now be remote. Think about whether you need new services, or to just extend existing ones, so that teams can continue to collaborate. For example, you may want to consider services that provide chat rooms, video teleconferencing (VTC) and document sharing.
The NCSC guidance on implementing Software as a Service (SaaS) applications can help you choose and roll out a range of popular services. If you are already providing such services, you'll need to plan for a potentially large increase in users, and any new services you provide will also need to be supported.
Here are some general recommendations to support secure home working.
Virtual Private Networks (VPNs) allow remote users to securely access your organisation's IT resources, such as email and file services. VPNs create an encrypted network connection that authenticates the user and/or device and encrypts data in transit between the user and your services.
If you are already using a VPN, make sure it is fully patched. Additional licenses, capacity or bandwidth may be required if your organisation normally has a limited number of remote users.
If you've not used one before, please refer to the NCSC's VPN Guidance, which covers everything from choosing a VPN to the advice you give to your staff.
Devices used for working outside an office environment are more vulnerable to theft and damage. Whether using their own device or the organisation's, encourage staff to lock their screens if left unattended, especially if there are children or housemates present. When the device is not being used, staff should keep it somewhere safe.
Make sure that staff know what to do if their device is lost or stolen, such as who to report it to. Encourage users (in a positive, blame-free manner) to report any losses as soon as possible. The early reporting of such losses may help minimise the risk to the data, and staff who fear reprisals are less likely to report promptly.
Ensure staff understand the importance of keeping software (and the devices themselves) up to date, and that they know how to do this.
USB drives can contain lots of sensitive information, are easily misplaced, and when inserted into your IT systems can introduce malware. When USB drives and cards are openly shared, it becomes hard to track what they contain, where they've been, and who has used them. You can reduce the likelihood of infection by:
You can also ask staff to transfer files using alternative means (such as by using corporate storage or collaboration tools), rather than via USB. For more information, refer to the NCSC's Removable media guidance.
If you are permitting people to use their own devices to work remotely, please refer to the NCSC's Bring Your Own Device (BYOD) guidance.
Make sure your staff are familiar with 'phishing' emails/texts and other cyber risks before allowing them to work from home. We offer Security Awareness Training as an affordable service which teaches staff exactly what cyber nasties to look out for. Contact us to find out how to get started.
We have prepared a scam alert update which rounds up the most prolific scams that are doing the rounds currently.
Not in the office but want to get out of the house to use someone else's electricity? Want to take advantage of an establishment's heating? Or perhaps you just need an hour or two away from the kids! Public wi-fi is available. But be cautious of which network you're connecting to. Your employers will not be happy if your device and network are compromised due to a dodgy wi-fi network.
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).