With the sudden and unprecedented shift to working from home as the new normal, businesses of all sizes must adjust to fresh challenges. One such challenge is ensuring the security of sensitive business data when employees work remotely.
According to the latest Cyber Security Breaches Survey, almost half of UK businesses (46%) report having experienced cybersecurity breaches or attacks in the last 12 months. But only 29% of organisations have a cybersecurity policy in place to cover remote or mobile working. Paying attention to cybersecurity is especially important given that cybercriminals have already begun to take advantage of the global COVID-19 crisis and the rise of remote work.
We have previously looked at the importance of cybersecurity for SMEs. Now we will take a closer look at how SMEs can stay smart when it comes to enforcing cybersecurity for remote work. Below are some of our top tips:
Control access when setting up accounts
If you carried out your operations from a centralised office space before the shift to WFH practices, you likely had a secure IT network in place. Controlling access to servers that hold sensitive data is more difficult now that the team is dispersed. To get your team working from home, you may need to put different access arrangements in place, a process that can extend to setting up new accounts.
There are a few best practices here that can help lower the risk of unauthorised access to your sensitive data. They include:
Setting strong passwords: Passwords should be composed of non-specific words and interspersed with numbers or other characters. For an extra layer of protection, you may want to consider using a password manager, which can store encrypted passwords for all of your employees.
Using MFA (multi-factor authentication): Multi-factor authentication can be used to prove, or authenticate, that remote users are who they say they are when attempting to access data. MFA ensures access is granted only after the user successfully presents two or more pieces of evidence (or factors). Evidence can include answers to security questions, PIN codes, or ID cards.
For more information on implementing MFA, click here.
Control access by using VPNs
Unless you’ve fully implemented a zero-trust approach with your IT network, Virtual Private Networks (VPNs) are a vital cybersecurity tool for minimising the risks from homeworking.
VPNs create a secure virtual tunnel through the internet to another network or device. This virtual tunnel makes it hard for anyone else to view a user’s browsing activities. VPNs are useful for remote work because they will enable your team to securely access your business's IT resources from home and allow you to keep your data secret without altering it.
For detailed guidance on choosing, deploying and implementing your VPN, we recommend this guide from the NCSC.
Stay vigilant against physical threats to devices
So far, we’ve talked about cybersecurity purely in terms of the digital realm. But while we’re all inclined to feel safe at home, it’s important to take steps to protect devices from threats in the immediate external environment. Such threats include device theft and visual hacking (the act of gaining sensitive information by looking at someone else’s device screen).
To reduce the risks here, educate your team on keeping their devices physically secure. Key common-sense concepts here include telling employees to:
Be aware with BYOD
The more applications and programs are installed on a device, the more potential vulnerabilities are introduced to it. For this reason, we recommend trying to separate corporate and home devices when homeworking is implemented.
However, if you are taking a ‘Bring Your Own Device’ (BYOD) approach and do allow staff to use their own desktops, laptops, smartphones or tablets to access business data, there are some best practices you can implement to maximise security:
For more guidance on BYOD, find the NCSC guidelines here.
Take care with USBs
Another common vector of cybersecurity risk is the use of removable media, especially USB drives. USBs can contain significant amounts of sensitive information. They are easy to misplace and can introduce malware into IT systems when inserted into a user’s device.
A few steps you can take to reduce the cybersecurity risk of USB drives include using antivirus tools and supplying employees with drives yourself. You can even remove the need for USBs entirely by asking staff to transfer files using corporate storage systems or trusted collaboration tools instead.
Look out for scams and phishing
Sadly, cyber attackers are willing to exploit even a global crisis like the COVID-19 pandemic as a way to gain unauthorised access to sensitive business data. Ensure your staff remain vigilant against scam attempts by telling them to:
If a phishing attack does happen to an employee, report it through the Action Fraud website – the UK’s national fraud and cybercrime reporting centre. You can also report suspected scams to the internet service provider (ISP) that was used. If you’re a smaller business owner who does not have access to an IT team, the best thing you can do if you’re unsure about a threat is to change your passwords immediately. It’s always better to be safe than sorry.
If you receive a suspected phishing email, you should also forward it to the National Cyber Security Centre at firstname.lastname@example.org. The NCSC will investigate for free, if warranted, and attempt to close down the links that the email uses to harvest your data.
Here at Valda Energy, we’re committed to helping our customers stay safe and secure while working from home. For more advice regarding homeworking, please read our previous blogs on Working From Home for SMEs and Mental Wellbeing Tips for Remote Workers.