As more and more staff are working remotely, the frequency and intensity of cybercrime are on the rise. This is fertile territory for cyber fraudsters who know that the value of an organisation lies within its data.
Where does business data exist?
- Work-controlled computers: such as desktops, managed laptops, servers and, to a lesser extent, (hopefully managed) mobile devices such as tablets and smart phones. Some organisations use remote desktop systems, so all the data and applications stay on remote servers, and unless emailed externally, data never leaves the system. It doesn’t matter if a user is in the office, abroad or at home – the systems don’t change, and the data stays where it should be. Business data should exist here.
- Employees accessing data directly from their own computer, or other uncontrolled systems: this data is vulnerable to viruses and malware. Cryptolocker-style malware can infect local and remote data, locking the business out of all its data. Business data should not exist here.
Top 5 security tips for your business
1. Make sure your remote systems have great connectivity
Take a good look at your users’ home connectivity; even if a business has remote systems that work well while in the office, working from home can change that dynamic. If the remote connection, for example, a VPN, doesn’t have sufficient capacity, or the user has poor bandwidth, then users will be tempted to bypass remote systems and download the data they’re working on to their local system. Often the data is emailed to a private email system, so the business data is uncontrolled, and private emails tend to be at greater risk of compromise than business email accounts.
Tip for employers: Ensure remote users have sufficient bandwidth and understand the risks of taking business data offline.
2. Have decent equipment for your team
If the business-supplied laptop is old and has been pulled out of the cupboard as a last resort for a user, then the user will be tempted to use their own computer, which frustrates any efforts to manage risk with controlled hardware. We’ve all seen this before.
Tip for employers: The impact of a data breach far outweighs the cost associated with supplying your staff with updated equipment. Don’t cut corners!
3. Educate and encourage secure practices
Exposure and data breaches are generally the result of innocent behaviours where there is a lack of awareness and understanding of requirements and risk. Staff may assume that the freeware antivirus software they are using is comprehensive and that their pet’s name is a suitable password for their home network.
Tip for employers: If staff are using personal systems then the business needs to ensure that those devices have strong security – not only local anti-malware software, but perhaps the users’ browsers should be directed through a business-owned proxy server so that that vector can be managed.
4. Create good policies
A business continuity policy will spell out what software and processes should be used. If your users innocently start using alternative systems – for example, Slack when they should be using Microsoft Teams – then you’ve lost control of that data. Also make sure your password policies don’t cause problems for remote users, and have a robust system for replacing multi-factor authentication hardware (or move to an app for that).
Tip for employers: Now is a great time to either fine-tune or create an excellent business continuity policy that covers people, policies and processes.
5. Enable good policies
Having good policies is critical, but it’s equally important to communicate, educate, monitor and support.
Tip for employers: Make sure you are communicating to staff routinely and providing them with solutions that don’t tempt them to work off the grid. Observe and refine your policies and procedures on an ongoing basis to ensure that they continue to work. Collect feedback from your employees to find out what they’re experiencing – even the best policy in theory will fail if it’s unachievable in practice.
Important to note:
This communication is intended to provide commentary and general information only. It is not intended to be a comprehensive review of all aspects of the matter referred to. It should not be relied upon as legal advice as to specific issues or transactions. Liability limited by a scheme approved under Professional Standards Legislation.