The COVID-19 pandemic has forced the issue of teleworking to the top of the IT agenda. Before 2020, organizational proficiency and security provision related to teleworking ranged from high to minimal, and some are now having to manage it for the first time.
Whether you are still seeking cybersecurity knowledge and support or think you have everything covered, there is always more to learn and put into practice. Constant monitoring and regular reassessment is vital.
At RHEA, we know there are many elements to address – and, just as importantly, that the cybersecurity landscape is never stable. Both cyber threats and your organizational setup will change and evolve constantly.
Our nine tips to boost your organization’s cybersecurity when supporting remote workers:
1. Update your cybersecurity strategies and policies
Regularly assess your cybersecurity policy, and related strategies and policies, especially in times of permanent teleworking. Many organisations still have huge gaps in their policies.
- Is cybersecurity fully embedded in your IT strategy? You need to have the right tools in place and adopt correct standards to handle events and minimise risks.
- When the last time you carried out a threat and risk assessment? And a broader strategic audit? These can be carried out by external specialist companies to provide an unbiased view of your cybersecurity posture, plus other security aspects if required.
- Do you have both an organizational and departmental security plans?
2. Assess crisis management and governance policies
Staying safe is not just about cybersecurity. Companies need to ensure their crisis management, governance policies and staff roles and responsibilities are clear and up to date. Threats are constantly evolving and if a breach happens, everyone needs to be aware of their role and what they must do, or where to find that information. It is vital that you can act fast.
3. Implement appropriate security solutions and technology
Your cybersecurity strategy should cover all elements of your network, from end to end:
- Each device should have adequate security provision, including anti-virus software, to minimize the risk of it being compromised and thereby putting the whole organization’s network at risk.
- Implement multi-factor authentication for all access to organizational devices and networks, to neutralize the risk of weak or stolen passwords.
- Use round-the-clock threat monitoring. Unless you are highly experienced, consider buying in expert services, enabling you to thwart attacks fast and minimize damage.
- Look at using third party managed detection and response (MDR) services to extend your cover to all endpoints on your network, protecting both employees and your corporate network. As well as threat monitoring and mitigation, MDR services may offer other features such as full incident response and ransomware rollback, while still allowing users to continue working as normal. However, check whether any MDR service you consider fully covers remote workers.
If you have limited resources or knowledge, third party experts can help.
4. Train your staff regularly
How recently did your staff receive cybersecurity training? Many organizations still have huge gaps in their cybersecurity skillsets, but the issue is broader than this.
Every member of staff needs to understand how to minimize cyber risk, especially when working from home, so they should receive cybersecurity training when they join the organization and then regularly thereafter.
5. Promote secure behaviour through information and support
Does your IT posture fully take into account that users are in a different ecosystem at home; essentially working in a private/office hybrid? In between targeted training, consider providing security information that is digestible and attractive for all. Also be aware that they may not understand the risks that certain tools and software present to the organization and why they should not use them – you need to explain why.
Here are some examples of useful reminders to share:
- Do not use your work email address for non-work online activities. And beware of using your personal one a lot – the more available it is, the more chance of getting phishing emails.
- If you work at home with children around, they probably know your password! Change it regularly. Family members should not use work computers, but if you share any other computer, give everyone their own login and do not give anyone else admin status. And use antivirus software.
- Public Wi-Fi is inherently unsafe, so escaping the house to work in a café presents a risk. Instead, staff should only use a VPN connection.
6. Consider banning BYOD
Do not allow people to use their own devices for business use. The ‘bring your own device’ (BYOD) approach increases your organizational security risk and may have legal implications too, for example related to GDPR legislation.
If you decide to approve a BYOD approach, you need suitable cybersecurity cover – such as Managed Detection and Response – plus appropriate policies and training in place. But in an ideal world we do not recommend BYOD.
7. Keep software and apps up to date
Have procedures in place to ensure the software on every device is always updated to the latest version and that virus protection is used, with automatic updates.
8. Look beyond laptops – the case for IoT security
Many machines and objects can now be connected and configured to send data over mobile and broadband networks to cloud applications and backends. All devices being used at home, including mobiles, smart TVs and routers, present a security threat to your organization if just one is being used for work. Provide users with guidance on how to check and modify the security of each one, and request confirmation that they have done so. An effective managed security solution will monitor not only your organization’s network but also the devices that are connected to it.
9. Create a supportive culture – Do not blame the victim
Finally, make your IT team aware of the potential psychological effect of the pandemic on even the most cyber-aware users and those used to working out of the office. People who were strong can become fragile and react in unexpected ways, with some seeking reassurance online and being tempted to take risky actions, such as clicking on links they would previously have avoided.
Staff need to know they can trust not only the systems they use but also their IT departments. Importantly, they must be assured that if they do click on ‘the wrong thing’ and something goes wrong, they can seek help without fear of any victim-blaming. Many scams and other cyberattacks are very well crafted, and this has escalated during the pandemic, making it easy to fall for them.
We can help
These recommendations for improving and maintaining your cybersecurity are not exhaustive – it would take a book to cover everything. But they are a start. And as ever, if you want to know more about any of these or have other questions about how to maximize your cybersecurity position during this especially challenging period, we are always happy to talk.