Nearly half of businesses (45%) say that staff in their organisation regularly use their own devices at work. But with most employers still handing over a new laptop or mobile phone to new employees, employers must keep these devices secure from cyber attacks.

Whilst the most common threat to businesses remains phishing attacks - 59% of businesses said they had experienced a phishing attack in the last 12 months, according to the 2023 Cyber Security Breaches Survey. It’s important that any device you hand over has some key security barriers in place.

But what barriers, software & hardware should an employer ensure is in place before handing over a new device to an employee?

To help, we have created a Cyber Security: New Device Checklist for Employers; this checklist will help your business improve its resilience to cybercrime and ensure your employees stay secure working in the office or remotely.

Cyber Security: New Device Checklist for Employers

You must ensure the basics are covered with new/current employees who receive a new mobile phone, laptop or tablet. When sharing guidance on new devices, remember to consider where the device is being used and if your employees are aware of the dangers of cyber security.

Cyber Security Guidance specific to Laptops/Desktop Computers

• Asset management - Ensure you’ve recorded the following:
  • Device make, model, serial number
  • Who is it assigned to, when was it assigned to them, and if applicable, when should it be returned
  • Does the device need to be installed onto your works network?
• Ensure firewalls and anti-virus software are enabled
  • Where possible, built-in firewalls on devices should be configured to use the strictest settings possible - without interrupting the usage of the device
• Ensure relevant updates for the operating system and applications are installed. It’s recommended that automatic updates are enabled
• Make sure that physical and digital files are encrypted and that a daily or weekly file backup is in place
• Restrict the use and downloading of applications which aren’t specific to their job role - installing applications should only be carried out by an Administrator
• Ensure the user profiles are setup with the correct permission levels
• Review plugin device settings to ensure they are secure

Cyber Security Guidance specific to Mobile Devices (Phones & Tablets)

• Ensure that all accounts have Two-Factor Authentication (2FA) enabled and that staff are using strong passwords - ideally, 2FA will be implemented through an Authenticator Application such as Google Authenticator or equivalent
• Promote the use of a password manager to keep them secure and encrypted - password managers also offer the ability to generate strong, unique passwords for each of your accounts
• Ensure employees are making use of strong passcodes and Face ID
• Ensure application updates are set as ‘Auto-update’
• Review all applications - if you want to restrict what employees can download, this should be covered in your company’s Device/Security Policy
• Review the location settings - setup ‘Find my iPhone’

Top tips for devices used in the office

• Offline/Cloud backups - ensure that devices are backed up on a regular basis, either daily or weekly. This can be done to a cloud provider or manually using a storage device
• Security Policies - Ensure your staff review all of your company’s security policies. This may include a general Cyber Security Policy, Working from Home Policy, Acceptable Usage Policy, Updates Policy & Password Policy

Top tips for devices being used remotely or for staff working from home

• VPN - ensure a paid VPN is in use when working remotely. This will keep your IP Address secure and data safe and encrypted should you be required to connect to public WiFi
• Wi-Fi security - when the use of public WiFi cannot be avoided, follow these tips:
  • Always ensure that you use a unique email address AND password if you are required to sign up for public WiFi
  • Review the web address (URL) of any website you visit/use, ensuring that it is legitimate and where you expect to be
  • Review and ensure each website you visit uses HTTPS by checking for the padlock icon on the left-hand side of the web address (URL)
• Screen Protector / Webcam Cover / Cases
  • If you work remotely in public places, implement a screen protector with a privacy filter. This will protect you from shoulder-surfing and potentially leaking sensitive information
• Security Awareness Training
  • Security Awareness Training provides simple and practical knowledge for your staff to understand the risks of working online and provides the confidence to challenge something that doesn't look right.
  • Cyber attacks continue to evolve and use more sophisticated attack techniques designed to fool employees. Training your staff will reduce the risk that your business will face data loss, financial fraud, operating time lost or negative PR.

Cyber Security: New Device Checklist for Employees

You’ve been given a new mobile phone, laptop or tablet at work, but what should you do to ensure that device is cyber secure?

1. Review your employer's security policies - this may include Cyber Security Policy, Working from Home Policy, Acceptable Usage Policy, Updates Policy & Password Policy
2. Passwords
   1. Ensure you are using Face ID and Passcodes, which give your accounts an extra layer of security.
   2. If your organization uses a Password Manager, make this part of your routine with any new accounts or profiles you create. Many password managers will allow you to save passwords across devices to make life easier.
   3. Don’t forget to enable two-factor authentication on all your accounts
3. Do not use unapproved external devices
   1. USB / Hard Drives - Use of USB/external hard drives should be limited to employer-issued devices. These should have encryption enabled at all times and have been scanned for viruses/malware before use/deployment
   2. Mouse / Keyboards - These devices should be provided to you by your employer and should be confirmed to be safe to use with your device
4. Don’t forget your Software/Application Updates and Backups!
   1. Setting up 'automatic updates’ eliminates the need for you to check for and install updates manually. You don’t have to remember to manually update your software every time a new patch is released - these often will include security updates.
   2. Backups - Backups should be done via a cloud solution for ease of use. These should be conducted daily or weekly as per business needs and linked to your work email address/account
   3. Only use approved software or applications - only install software/applications from the official source for your device.
      1. Mobile devices should come preinstalled with required work applications and then have restrictions implemented to prevent any further installations
      2. Laptops/Desktops should have appropriate permissions placed on the account so that installation of software requires Administrator approval
5. Don’t use personal accounts
   1. Social Media applications on work devices should be restricted to only those used by the company. Furthermore, the only accounts used to access these applications should be approved work accounts.
   2. Don’t use your work email for personal accounts
      1. Utilising work email accounts for personal accounts exposes your employer to another route for attackers. Your personal lives will then be linked to your work account, offering valuable information for someone to target that individual or your business.
      2. If your personal accounts are hacked, your data could be sold on the dark web - where other criminals may take advantage of social engineering techniques to perform further attacks on you and your employer
      3. A data breach could result in the termination of your employment as a result of breaching your contract
6. Worried about Data Exposure?
   1. HaveIBeenPwned
      1. Searching your email address will enable you to review if any associated accounts have been included in a data breach. If so, it is recommended to change the password for that account immediately (setting a new strong, unique password) and also enable 2FA if not already enabled
      2. You can use the “Notify Me” option to receive alerts from HaveIBeenPwned when your email address is included in a new data breach - meaning you do not have to check each time manually
   2. Don’t save financial details - do not use the Notes app to store work credit card details or bank information
      1. If you do use the Notes app on a device to store Personal Identifiable Information (PII), move this and store it inside your password manager ASAP so it is encrypted and safe.
   3. Public wi-fi risks
      1. Always be wary of connecting to public WiFi that does not require you to sign in using a username/password
      2. If you do need to sign in to public WiFi, make sure to use a unique email address AND a unique password
7. Remote working with work devices
   1. VPN - when working remotely, it is best practice to use a VPN when connected to public WiFi as it will hide your IP Address and ensure that your data is encrypted and safe

Has your business recently bought new devices, but you’re unsure if they’re secure? Do you want to secure your network after buying new laptop devices?

Contact us today to discuss any cybersecurity questions relating to device security, and you can learn more about our Network & Website Vulnerability Assessment(s). We can ensure your company is not open to cyber-attacks and start building your cyber resilience today.