Secure your Remote Workers
Prior to Covid, many organisations viewed remote working as an occasional requirement or a way to keep their business travellers productive. Many will have included remote working as one of the contingencies supporting a DR plan, but how many invested adequately to support an entire workforce for months at a time while ensuring they protect clients' data? The pandemic and 18 months of lockdowns, social distancing and other restrictions have completely changed the landscape. So has the expectation throughout many workforces that remote working, and the opportunity for a flexible work-life balance, is here to stay. You may have good protection within your infrastructure, but your exposure has been amplified by the number of remote workers who, like it or not, may be your weakest links.
If you are still in the process of formulating security policies around remote working, the following considerations may be useful:
Secure your home office
If you are lucky enough to have a separate room or office, think about physical security in just the same way you would in the office. Laptops can be stolen from your patio, living room or home office. Take your laptop inside when you go to make lunch, and lock the door to your home office when you finish work. A laptop security safe is quite a small investment that can pay dividends if you are unfortunate enough to be burgled. Ensure private conversations remain private by turning off Alexa and Google Assistant.
Maintain a clear desk policy
Ensure all sensitive documents and paper information are filed securely. Better still, avoid printing anything that can remain in digital format.
Be aware of your privacy
Be mindful of what is in the background of your webcam. Confirm you know who is attending your conference calls, and be aware of who is around you, especially in public places like cafes.
Secure your home router
Cybercriminals love default passwords on home routers. Take the time to change your router's password from the default to something unique; you will have reduced your vulnerability with very little effort. Also ensure your router's firmware updates are installed as soon as possible to resolve any known vulnerabilities.
Secure Wi-Fi access points
Ensure your wireless routers use WPA2 encryption with a strong passphrase.
Separate work and personal devices
If you have been equipped with a work laptop, do not be tempted to treat it like your home laptop. Do not browse, shop, pay bills, download personal apps, or do any of the other online activities that should stay on your home laptop. Keep your work laptop separate and squeaky clean, and absolutely never save corporate or customer data to your home laptop without IT agreement. If you have a work mobile device, treat it in the same way.
Encrypt your devices
If your IT department has not already confirmed that your device is encrypted, check this with them; a lost or stolen device is far less of a drama if the data on it is encrypted and inaccessible without a PIN, password or biometrics.
Use a supported operating system
New vulnerabilities and exploits appear frequently, and they often impact old versions of operating systems that are no longer supported. Check with your IT department, ensure you have a current operating system (preferably the latest version) and confirm you are receiving security patches via automatic updates. If your device is a corporate one, this should already be taken care of.
Keep your software up to date
Just like out-of-date operating systems, older applications can also be exploited. Keep your installed applications up to date, and that includes your web browsers.
Where possible, consider using a secure SaaS application instead of installed software: it cannot become out of date, and security is managed by the provider rather than by you.
Enable automatic locking
If you are working from a coffee shop, a co-working space or even your home office, lock your device whenever you step away. Better still, ensure automatic locking is on; automatic locking is there to protect our unattended devices when we forget to do it ourselves. Shut down devices when the working day is over and don't leave laptops in plain sight unattended.
Finding a balance between what is convenient and what is secure will be subjective; if a group policy isn't already enforced by your IT department, always err on the side of security.
Use a strong PIN/password on your device
Ensure you use a strong password; follow these guidelines:
· Do not under any circumstances use the word "Password" or any derivative of it
· Do Not Use Recognisable Words – avoid words from television, films or novels, like "Game0fThr0nes123"
· Do not assume that words in languages other than English are difficult to crack – password-cracking programs often refer to multiple language dictionaries
· Do Not Use Industry Terminology – terms relevant to your industry are not a secret!
· Do Not Use Personal Information – avoid personal information that may be easily guessed if a hacker knows your identity: your name, the names of pets, the names of family members, any birth dates, your phone number, etc.
· Make the Password At Least Twelve Characters Long – the longer the password, the better.
· Mix Upper- and Lower-Case Letters, Numbers and Non-Alphanumeric Characters
· Pick a Password You Can Remember – consider using a passphrase rather than a password, e.g. Th6Qu1ckBr0wnF0x!
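The guidelines above can be turned into a mechanical check. The following is an added example (not code from the original article or from CyberSmart): a small Python checker that undoes common letter-for-digit substitutions before looking for "password" derivatives, recognisable words, industry terms and personal information, and then enforces the length and character-mix rules. The word lists and the sample passwords are constructed for this example; a real checker would load proper multi-language dictionaries, as the text notes.

```python
import re

# Constructed stand-in for the dictionaries a cracking tool would load (assumption:
# real tools use far larger word lists in several languages, as the guidelines note).
RECOGNISABLE_WORDS = {"game", "thrones", "dragon", "football", "london", "summer"}
INDUSTRY_TERMS = {"audit", "invoice", "ledger", "payroll", "compliance"}

# Common letter-for-symbol substitutions, undone before dictionary checks so that
# "P@ssw0rd" is treated as a derivative of "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "6": "g", "7": "t", "8": "b",
                       "@": "a", "$": "s"})


def normalise(pw: str) -> str:
    """Lower-case the password and undo the substitutions in _LEET."""
    return pw.lower().translate(_LEET)


def check_password(pw: str, personal_info=()) -> list:
    """Return a list of guideline violations; an empty list means the password passes.

    personal_info: strings an attacker could learn about the user (name, pet,
    birth year, phone number ...). Alphabetic items are also checked with the
    substitutions undone; numeric items are checked against the raw password.
    """
    problems = []
    plain = normalise(pw)
    raw = pw.lower()

    if "password" in plain:
        problems.append("contains 'password' or a derivative of it")
    for word in sorted(RECOGNISABLE_WORDS):
        if word in plain:
            problems.append(f"contains recognisable word '{word}'")
    for term in sorted(INDUSTRY_TERMS):
        if term in plain:
            problems.append(f"contains industry term '{term}'")
    for item in personal_info:
        probe = str(item).lower().replace(" ", "")
        if probe and (probe in raw or (probe.isalpha() and probe in plain)):
            problems.append(f"contains personal information '{item}'")

    if len(pw) < 12:
        problems.append(f"only {len(pw)} characters; use at least twelve")

    # All four character classes from the guidelines must be present.
    classes = {
        "lower-case letters": re.search(r"[a-z]", pw),
        "upper-case letters": re.search(r"[A-Z]", pw),
        "numbers": re.search(r"[0-9]", pw),
        "non-alphanumeric characters": re.search(r"[^A-Za-z0-9]", pw),
    }
    for name, found in classes.items():
        if not found:
            problems.append(f"missing {name}")
    return problems


if __name__ == "__main__":
    # Constructed samples: the two examples from the guidelines plus a
    # personal-information case.
    samples = [
        ("Game0fThr0nes123", ()),
        ("P@ssw0rd!", ()),
        ("Th6Qu1ckBr0wnF0x!", ()),
        ("Fluffy-2024-Desk!", ["Fluffy", "2024"]),
    ]
    for pw, info in samples:
        result = check_password(pw, info)
        print(pw, "->", "OK" if not result else "; ".join(result))
```

Because the dictionary checks run on the normalised form, "Game0fThr0nes123" is rejected for the words it disguises and for lacking a non-alphanumeric character, while "P@ssw0rd!" is rejected as a derivative of "password" despite its symbols.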
Use an antivirus
Protect your computer from viruses, spyware, ransomware, trojans and other malware by using antivirus software. If you are using a personal device, check with your IT department for advice.
Invest in a password manager
If your company doesn’t provide you with a password manager, invest in one. This will help you create strong unique passwords for all your accounts and online services. Using different passwords for each account or service will minimise your exposure if any one password is compromised.
Most password managers will also allow you to store credit card details, and other types of sensitive information.
Use multi-factor authentication with an authenticator app
If two-factor or multi-factor authentication (MFA) is available for a service or system, use it. Your IT department may already be using MFA to enforce secure access to your network. MFA can dramatically reduce the risk from successful phishing emails and malware infections because, even if an attacker obtains your password, they are unable to log in without the second code generated by your authenticator app. Duo and Google Authenticator are popular authenticators. Avoid using SMS as the second factor; it may be convenient, but it isn't secure.
Enable find my device and remote wipe
Securely wiping a device makes it much harder for an attacker to access your data, no matter how much time or determination they have. Contact your IT department to find out which corporate application is being used, or to enable the native app on your device.
Wipe data from your device before you sell, lend, or give it away
Before you sell, lend, gift, or throw away a device make sure to return it to factory settings. This will prevent your data from being accessed when you no longer have control over your device. Remember to back up or transfer any important information on the device first.
Use a virtual private network (VPN)
If your organisation provides a VPN, make sure you use it exclusively when working remotely. A virtual private network (VPN) creates a private tunnel across the public internet, providing a secure, encrypted connection to your corporate network. VPNs also reduce your exposure to cyber-attacks by making it difficult to snoop on your traffic or monitor your activity, and they mask your real location.
Use a virtual desktop
If your IT department offers a virtual desktop, use it. Most, if not all, of the preventative measures you can activate on a local device should already be in place in a virtual desktop environment, and it is the responsibility of your IT department to ensure everything is up to date and correctly configured. A virtual desktop like Advisor Anywhere is by far the best option for secure remote working.
Be aware of phishing attacks
Cybercrime targeting remote workers has exploded during the pandemic. Look out for emails that:
· Start with a generic greeting like “Dear Colleague”
· Have poor grammar or spelling mistakes
· Solicit personal or financial details
· Offer scarce items or too-good-to-be-true services
· Demand action with a threat or time imperative
· Ask for a charitable donation via unusual channels
Be aware that cybercriminals are using similar techniques on social media platforms and even text messages.
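The checklist above is the kind of thing a mail filter or a security-awareness tool scores mechanically. The following is an added example (not code from the original article or from any product): a Python scorer with one keyword pattern per red flag, run over two constructed sample messages. The pattern lists are assumptions built for this example and deliberately small; the point is to show how several weak indicators combine into a decision, not to replace a real mail filter.

```python
import re

# One regex per red flag in the checklist, matched against the lower-cased message.
# The word lists are constructed for this example, not taken from any product.
INDICATORS = {
    "generic greeting": re.compile(
        r"^\s*(dear|hello|hi)\s+(colleague|customer|user|member|valued\s+\w+|sir\s*/\s*madam)\b",
        re.M),
    "poor spelling or grammar": re.compile(
        r"\b(recieve|acount|seperate|untill|beleive|kindly do the needful|revert back)\b"),
    "solicits personal or financial details": re.compile(
        r"\b(password|pin|account number|card (number|details)|date of birth|"
        r"bank details|verify your (identity|account|details))\b"),
    "too good to be true": re.compile(
        r"\b(free (laptop|iphone|gift|vaccine)|you have (won|been selected)|guaranteed|"
        r"limited stock|only \d+ left)\b"),
    "threat or time pressure": re.compile(
        r"\b(within \d+ hours?|immediately|urgent(ly)?|final (notice|warning)|"
        r"will be (suspended|closed|terminated|deleted)|legal action)\b"),
    "donation via unusual channel": re.compile(
        r"\b(donat\w*|charity|appeal)\b.*?\b(bitcoin|crypto\w*|gift cards?|"
        r"western union|wire transfer)\b", re.S),
}


def score_email(text: str) -> dict:
    """Return which red flags fire for one message and how many fired."""
    body = text.lower()
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(body)]
    return {"indicators": hits, "score": len(hits)}


def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Flag a message when at least `threshold` independent red flags fire;
    a single hit (e.g. 'immediately' in an ordinary work email) is too noisy
    on its own."""
    return score_email(text)["score"] >= threshold


# Constructed sample messages for demonstration (not real emails).
PHISH = """Dear Colleague,
Your mailbox will be suspended within 24 hours unless you verify your account.
Kindly confirm your password and date of birth at the link below to recieve full access.
"""

LEGIT = """Hi Sarah,
Attached are the minutes from Tuesday's planning meeting. Let me know if I missed anything.
Thanks, Tom
"""

if __name__ == "__main__":
    for label, msg in [("phish", PHISH), ("legit", LEGIT)]:
        result = score_email(msg)
        print(f"{label}: score={result['score']} suspicious={is_suspicious(msg)} "
              f"indicators={result['indicators']}")
```

The constructed phishing message trips four of the six indicators (generic greeting, a misspelling, a request for credentials and a suspension deadline), while the ordinary meeting note trips none; requiring two or more hits is what keeps a legitimate "please reply urgently" from being flagged on its own.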
So, you clicked on a suspicious link – do not panic:
· Open your anti-virus software and run a full scan. Carefully follow any instructions given.
· Contact your IT department to talk you through what you need to do next.
· Change your password immediately if you were tricked into providing it – as a rule of thumb, never give your password to anyone under any circumstances, period.
Automatic Cyber Liability Insurance
UK-domiciled organisations with a turnover under £20m are entitled to Cyber Liability Insurance after achieving self-assessed certification to either the basic level of Cyber Essentials or the IASME Standard. You are required to install and maintain automatically provided updates from your software provider for critical business software. If you have passed Cyber Essentials this process should already be in place, but you should make sure it is maintained to ensure that the insurance remains in force.
The £25,000 indemnity cover, underwritten by AXA XL, includes:
- 24hr helpline to report a cyber incident, which will provide crisis management and incident response up to the total liability limit of £25,000.
- Liability: claims made against you arising out of media activities and privacy and security wrongful acts.
- Event Management: costs, including emergency costs, following a data breach, including the costs of notifying data subjects. These might typically include payment for Legal, IT, Forensic & PR specialists.
- Extortion Demands: ransoms and other cyber extortion.
- Regulatory Investigations: defence costs & regulatory fines (where insurable by law).
- Business Interruption: Loss of profit and / or operational expenses caused by a network compromise.
- Loss of Electronic Data: costs of remedying the issue that allowed the loss or damage to your data and costs to replace, restore or update your data.
CyberSmart is part of the Moore Technology Cyber Security Suite