The cybersecurity risks of working at home are, essentially, the exact same cybersecurity risks of working in an office.
All that changes is the scale of the risk. In some cases, they are magnified and in other cases, they are reduced. The good news is that all of these risks can be managed. The even better news is that managing cybersecurity risks in a remote environment is generally more about planning than budget.
To explain further, Luke Watts, Manager of RoundWorks IT, shares his insights into the cybersecurity risks of working from home.
Set ground rules
Employees can only do what you want them to do if they know what you want them to do. It’s, therefore, your responsibility to make this clear to them. Ideally, the only way remote working should differ from on-site working is that your employees will need to set up their own work area and possibly their own internet connection. Everything else should be managed by you.
Never rely on your employees understanding what makes for a safe working environment. Always remember that different people have different ideas about what is and isn’t obvious. The basic ground rule for working at home is that employees need to find a location where they can work without any danger of their screen being seen or their voice being overheard.
Provide all equipment, software and a VPN
You may ask your employee to provide their own internet connection. You should not, however, rely on its security. Deploying a VPN is generally the easiest way to mitigate the risks of insecure connections. You might also want to consider having your employees connect over a wired connection rather than using WiFi. This could, however, potentially create issues for some employees, e.g. renters who cannot run cabling.
You may also ask your employees to provide their own mobile phone or tablet to use for authentication. In and of itself, using SMSs and authenticator apps isn’t as secure as using RSA tokens. It can, however, be layered with (strong) passwords and potentially biometrics to create effective security.
Otherwise, if an employee needs equipment, then you should be providing it and managing it. In most instances, this is going to mean a laptop and you should choose it mindfully. Windows has been the default choice for most businesses essentially since business IT became a fact of life. It is a secure system but its underlying architecture leaves it more vulnerable than either MacOS or ChromeOS.
Neither Macs nor Chromebooks are guaranteed to be hacker-proof, but they are recognized as being extremely difficult to hack. Macs are notoriously expensive, but Chromebooks are much more affordable. In the old days, the main argument against using either was the lack of native software. These days, however, the use of cloud-based software has largely resolved that issue.
Minimize passwords but maximize their strength
If you try to force employees to remember a lot of passwords then they are going to be either weak or written down (or both). Recognize the limits of the human mind and use password-managers.
Get employees to remember two, really strong passwords, one for their device login and one for their password-manager. Trust the password-manager with everything else and back it up with multi-factor authentication whenever possible. This approach mitigates both the risk of weak passwords and the risk of having the password-manager compromised.
Make sure you provide secure storage
These days, barring very unusual circumstances, storage means cloud storage. There should really be no need for the average employee to use an optical (CD/DVD) drive at all. This means that the safest option is to deploy laptops that don’t actually have them.
There may be reasons for employees to need to use USB ports, but storage shouldn’t be one of them. This means that, ideally, you should just block external USB storage devices (and external memory cards if you use laptops with memory-card readers).
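As an added example (not from the article or from RoundWorks IT), the following PowerShell applies the Windows "Removable Storage Access" policy on a standalone laptop, which is one way to implement the USB-storage block described above while leaving other USB devices (keyboards, webcams, authenticators) working. It assumes Windows laptops and an elevated session; on domain-joined machines the same settings would be pushed through Group Policy rather than written locally.

```powershell
# Added example: block removable storage on a standalone Windows laptop by
# writing the registry values behind the "Removable Storage Access" policy
# (Computer Configuration > Administrative Templates > System > Removable Storage Access).
# Assumes an elevated PowerShell session; domain-joined machines should use a GPO instead.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device class GUID Windows uses for "Removable Disks" (USB sticks, memory-card readers).
$removableDisks = Join-Path $policyRoot '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$denyValues = 'Deny_Read', 'Deny_Write', 'Deny_Execute'

function Set-RemovableStorageBlock {
    param([switch]$DenyAllClasses)

    # Deny read, write and execute for removable disks; other device classes keep working.
    New-Item -Path $removableDisks -Force | Out-Null
    foreach ($name in $denyValues) {
        Set-ItemProperty -Path $removableDisks -Name $name -Value 1 -Type DWord
    }
    # Broader option: "All Removable Storage classes: Deny all access" (also covers CD/DVD, WPD).
    if ($DenyAllClasses) {
        Set-ItemProperty -Path $policyRoot -Name 'Deny_All' -Value 1 -Type DWord
    }
}

function Test-RemovableStorageBlock {
    # Returns $true only when every expected deny value is present and set to 1,
    # so the check can be reused as a compliance probe on already-deployed laptops.
    $props = Get-ItemProperty -Path $removableDisks -ErrorAction SilentlyContinue
    if (-not $props) { return $false }
    foreach ($name in $denyValues) {
        if ($props.$name -ne 1) { return $false }
    }
    return $true
}

Set-RemovableStorageBlock
# The policy is read when devices are (re)enumerated; a reboot or re-plug makes it bite.
"Removable disk block configured: $(Test-RemovableStorageBlock)"
```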
Using cloud storage also facilitates secure collaboration. It reduces or even eliminates the need for employees to send files to each other. People can just update a file held on the cloud. Similarly, external users can be sent a link to access and/or download a file. This improves security and reduces the load on your email servers.
Remember the problem of printers and paper
Printers generate paper, but paper can be generated without printers. Printers tend to be an easier issue to deal with because you can simply block employees from installing them on their work laptops. If employees have a legitimate need for work-related printers, then you need to set the rules for their safe use. This will probably also involve providing an appropriate shredder and/or shredding services.
Paper can be more of an issue because it can be invisible to employers but not to malicious actors. Even in today’s “paperless” environment, some people do appreciate paper as a means to take notes and/or as an aid to their thinking process. In principle, you can replicate these functions with technology. In practice, this largely depends both on your budget and on the employee.
Realistically, the most pragmatic approach is likely to be to work with employees on this one. If you try to fight against it, you’re almost certainly going to come up against employee resistance. Instead, simply make it clear to employees that any paper they use either has to be transferred to secure digital storage or properly destroyed. In that context, remember that webcams can function as basic scanners.
Keep training employees
The phrase “set and forget” was coined for a reason. Sometimes, it’s a definite advantage, even in security. At other times, however, it’s a liability. In the context of security-awareness, it is definitely a liability.
If you drop large chunks of training on employees, without any reinforcement, the best you can hope for is short-term retention. The worst is overload, confusion and resistance. Instead, keep drip-feeding employees security training that is directly relevant to their job and/or their life outside work.
There are all kinds of ways you can deliver this remotely, from webinars to self-directed training sessions. You can also run “security drills”, in other words, penetration tests. You can, should and indeed must make it easy for employees to report any security concerns to you or to alert you when they feel they need training on any aspect of security.