With summer in full swing, it’s a good time for your employees to review remote work cyber security rules and guidelines. During these months many employees are trying to get more work done at home (or at the cottage). Although this recent development does help with employee work-life balance, there are some security implications to this increasing trend.
Many businesses that are just beginning their WFH journey don’t understand the consequences that could result from their employees working remotely. A new location brings a new world of attackers and weaknesses and, in turn, rules that need to be implemented. In this blog post, we’ll outline seven essential cyber security rules that every business should follow to protect their data, devices, and networks when employees are working remotely.
A new location means a new network with different privacy and confidentiality requirements. It’s important to set your standards for what a person’s personal network should be and design a process that will allow you to confirm these things before sending anyone home with their work laptop.
There are two options for a remote worker to have a secure network:
If your remote-working employee isn’t a cyber security champion (like you), chances are they don’t know that their personal wifi might be configured “insecurely”, and their wifi router password is probably easy to guess.
If possible, have them update their wifi router password to a unique and strong password to prevent any loss of confidentiality from unauthorized neighbors.
On top of passwords, your process should also ensure your remote worker’s router is up to date and that the router’s encryption level is adequate.
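One way to confirm the encryption level before a laptop goes home, shown as an added example that is not part of the original post: the Python below grades the output of the Windows command `netsh wlan show interfaces`. The sample output is constructed, the parser assumes English-language output, and the pass/fail policy (WPA2 or WPA3 with an AES-based cipher) is an assumption rather than a standard stated in this article.

```python
# Added example: grade a home Wi-Fi link from `netsh wlan show interfaces` output.
# The policy below (WPA2/WPA3 with an AES-based cipher = adequate) is an assumption.

ADEQUATE_AUTH = ("WPA2", "WPA3")      # assumed minimum authentication modes
ADEQUATE_CIPHER = ("CCMP", "GCMP")    # AES-based ciphers; TKIP/WEP/None fail

# Constructed sample output (not captured from a real machine).
SAMPLE_OK = """\
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : HomeNet
    BSSID                  : 02:00:00:aa:bb:cc
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
"""
SAMPLE_WEAK = SAMPLE_OK.replace("WPA2-Personal", "Open").replace("CCMP", "None")


def parse_interface(text):
    """Turn 'Key : Value' lines into a dict; values may contain colons."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def grade_wifi(text):
    """Return (ok, reasons) for the interface described in text."""
    f = parse_interface(text)
    if f.get("state") != "connected":
        return False, ["no connected Wi-Fi interface found"]
    reasons = []
    auth = f.get("authentication", "")
    cipher = f.get("cipher", "")
    if not auth.upper().startswith(ADEQUATE_AUTH):
        reasons.append(f"authentication '{auth}' is below WPA2")
    if cipher.upper() not in ADEQUATE_CIPHER:
        reasons.append(f"cipher '{cipher}' is not AES-based")
    return (not reasons), reasons


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(name, grade_wifi(sample))
```

A failing result is a prompt to walk the employee through changing the router's security mode, or to require the VPN option instead.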
A more secure “work-from-home” networking solution is to provide your remote worker with access to a VPN. A VPN encrypts internet traffic, protecting sensitive data and preventing unauthorized access to communication channels. While there are many consumer VPN products that are inexpensive, it’s best to use a commercial grade VPN, so that your organization can more easily control the policies to prevent abuse by a vendor.
It is crucial that remote workers understand what they can and cannot do while working from home. Set Remote Working Rules within your organization and have an efficient way to communicate them to any employee who wants to work remotely. This could be through a guidebook, a virtual meeting, or a reminder email.
Establish if your remote employees are allowed to work in coffee shops, restaurants, or other places with public wifi and what the security procedures should be in those scenarios. It’s also important to acknowledge the different levels of security for different types of work and what the rules look like for each.
Also address what employees can access and handle when working from home and the procedures they should follow to securely store, transfer or delete files. Remote workers should also shut down their computers when they leave them, set regular updates for both their computers and passwords, and ensure that they never share their login information with anyone.
When employees are using mobile devices and laptops with corporate information on them, they should also have “full-disk” encryption enabled by the IT team, in case the device is lost or stolen.
You can’t control what your employees do in their free time. That means you can’t control how strong their personal passwords are, what types of apps (e.g., TikTok) they download, what privacy settings they allow, or who they let use their personal devices. That’s why it is crucial that your employees do not cross-contaminate work and personal devices with files or programs from the other.
Chances are their personal security rules leave their devices much more susceptible to attacks and you don’t want your data affected by that. All employees should be provided work computers, if possible, and if needed, a work phone. It may seem like a big financial sacrifice in the short run but will be worth it in the longer term.
More complex mobile device management products allow for “compartmentalization” of work and personal areas, so employers have more control over security of data on “Bring Your Own Device” configurations, to protect corporate data while allowing employees to use their personal phones for business.
Remote workers face different risks than in-office workers. They don’t see other employees face-to-face often enough to identify tone. Therefore, they will have more trouble identifying social engineering or phishing attacks that pose as messages from one of their team members. This gap could lead to lots of human error resulting in the loss of privacy and money for your business.
Create a unique training program only for remote workers that targets the gaps you identify for your remote team members. Continue to change your program based on the results you see from training and the areas of concern your employees voice.
Be one of the first businesses to try Click Armor’s newest feature, customized group training. Make a group for your remote workers that will target their biggest gaps and needs. Book a call to learn more.
Implement a backup strategy for remote work devices to ensure critical data is regularly and securely backed up. This will help mitigate the impact of data loss due to ransomware, hardware failure, or other security incidents.
All employees (in-office or not) should be implementing these routines, but what makes this unique is that you will not be able to check that they are continuing to back up their data. Consider sending out regular reminder emails to ensure remote workers also remember that backing up data can save their organization a lot of pain in the case of a breach.
As mentioned before, remote workers will likely have a harder time identifying the tone of their teammates due to their lack of face-to-face interactions. Authenticating co-workers and trusted associates is incredibly important when trying to detect phishing attacks, social engineering tactics, and deep fakes. As mentioned in our Cyber Security Awareness Forum live panel on deep fakes, a great way to combat this is to establish a code word or code question for different situations.
For example, at the end of your meeting you could inform your team that before beginning the next meeting, everyone will say their favourite chocolate bar. Then, at the next meeting without being prompted, each person should be able to say their own code word. This could also be implemented for email or instant messages. If you establish a code word (that should change every time) then remote workers will have an easy way to identify if a message is really coming from their teammate or not.
No matter how many firewalls, rules, and training we put in place, attacks still happen. In the event that a remote worker is breached, you need to be prepared. Consider how you will implement the 5-Step Breach Plan in a remote environment. How will they contact you if they think they have been breached? What if the malicious software freezes their computer? What will you do to help them isolate and reset their computer? Having the answers to all these questions before the breach happens will help you recover as fast as possible and save your business lots of capital.
Remote work offers many benefits, but it comes with new and complex cyber security risks. By following these seven cyber security rules, your business can significantly reduce the risk of a breach and keep your data and devices safe. Remember to regularly review your security protocols and update them as necessary to keep up with new and emerging cyber threats. By prioritizing cyber security, you can enjoy the benefits of remote work while keeping your business safe from harm.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.