Keep remote workers secure

1 July 2020

The Coronavirus pandemic has resulted in unprecedented workplace changes. While the UK is on lockdown, employers have had to make necessary adjustments to allow staff to work from home. Perhaps there will be a lasting shift towards home working – the AA predicts a permanent reduction in the demand for travel because people have learned during the crisis to use home-working technology.

However, home working carries a wide range of cyber-risks. Specifically, having your employees work from home can increase their vulnerability to cyber-attacks, which could be costly.

In fact, recent research from cyber-experts revealed that hackers across the globe have been taking advantage of remote workers in the midst of the COVID-19 pandemic by utilising a variety of phishing

Phishing

These scams, which typically appear as fraudulent emails from trusted organisations such as Public Health England or the World Health Organisation, trick victims into clicking on malicious links—thus allowing hackers to infiltrate their devices and access sensitive data. These attacks have already resulted in losses totalling nearly £1 million, and they aren’t stopping anytime soon. Now more than ever, it’s vital to ensure your remote working arrangements are secure. Review the guidance below for best practices on how to keep remote employees (and your business) protected from cyber-attacks over the next few months.

Prepare Your Technology

First, it’s important to assess your workplace technology to ensure it possesses proper cyber-security features to combat remote working risks. At a glance, your organisation’s software should have these key characteristics:

  • A virtual private network (VPN)—Having a VPN allows your employees to utilise a private, protected network connection. VPNs provide numerous cyber-security features, such as hiding users’ IP addresses, encrypting data transfers and masking users’ locations. If you don’t already have a VPN, you are missing a crucial step in implementing a secure remote working environment. If you do already possess a VPN, make sure it is fully patched. Keep in mind that additional licences, capacity or bandwidth may be required if your organisation normally has a limited number of remote employees. More VPN guidance.
  • Restricted access controls—Be sure that all remote work technology possesses the same account access restrictions as that of your on-site software. Only allow competent, qualified and trusted staff to have access to sensitive company data.
  • Encryption capabilities—Apart from having a VPN, make sure that your remote work technology has additional encryption capabilities to keep sensitive data protected in the event that an employee’s device becomes lost, stolen or compromised.
  • Antivirus and malware protection—Lastly, require all remote work technology to be bolstered with the latest antivirus, malware and firewall protection software.

Some businesses will be using Remote Desktop Protocol (RDP) instead of a VPN for remote working. This has been reported to pose some cyber-risks – see here for more information.

Prepare Your Employees

After you have prepared your technology, it’s time to provide employees with robust resources and training to ensure a cyber-secure remote working programme. This is especially important for employees who haven’t worked from home in the past or lack advanced digital skills. Consider providing staff training on the following topics:

Conducting key operations—Be sure to educate your staff on how to conduct common remote working practices, such as video teleconferencing and document sharing. Create written instructions for employees who need additional support.

Taking care of technology—Encourage employees to log out of their devices when they are finished working for the day and store all workplace technology in a secure, protected location.

Creating strong passwords—Require all employees to create strong passwords for their company accounts and devices. These passwords should be an appropriate length (at least 10 characters), difficult to guess and contain a variety of special characters (eg capital letters and punctuation marks). Employees should update their passwords on a routine basis.

Using removable media—Using removable media (eg USB drives) can carry a variety of cyber-security risks, seeing as they often contain sensitive information and are easy to misplace. With this in mind, cyber-experts recommend prohibiting your employees from using removable media for work purposes. However, if you must use removable media, be sure to educate staff on safe use and storage practices. Additional removable media guidance.

Utilising personal devices—If you allow employees to utilise personal devices for work purposes, make sure you implement and enforce a bring your own device policy. Only allow competent, qualified and trusted employees to use their own devices.

Conducting regular updates—Be sure employees know how to conduct regular software updates on all workplace technology. If you allow staff to use personal devices for work purposes, ensure they know how to conduct software updates on this technology as well.

Detecting signs of phishing—Educate your employees on the following common signs of phishing scams:

  • The email requests the recipient to share sensitive personal information or account credentials.
  • The email claims to be from a trusted contact but isn’t from the correct email address.
  • The email contains glaring errors, such as typos, poor grammar, false information or false imagery (eg an incorrect company logo).
  • The email does not address the recipient by name or has been sent to a long list of other recipients.
  • The email is from an unknown sender or a contact that your organisation rarely communicates with.
  • The email contains links that direct you to the wrong website or asks you to log in to an account.
  • The email claims to be urgent, comes across as demanding or is threatening.
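Several of the signs above can also be checked automatically at the mail gateway or in a reporting tool. The following is an added example, not part of the original article: the `TRUSTED` allow-list, the keyword patterns and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Assumed allow-list: display name of a trusted sender -> its genuine mail domain.
TRUSTED = {"world health organization": "who.int"}
URGENT = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|final warning)\b", re.I)
CREDS = re.compile(r"\b(password|log ?in|verify your account|bank details)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def phishing_signs(raw, max_recipients=10):
    """Return the names of the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    signs = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    expected = TRUSTED.get(name.strip().lower())
    if expected and domain != expected and not domain.endswith("." + expected):
        signs.append("sender-address-mismatch")   # trusted name, wrong address
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > max_recipients:
        signs.append("long-recipient-list")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    for href, text in LINK.findall(body):
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        if shown and host(shown.group(0)) != host(href):
            signs.append("link-text-mismatch")    # visible URL differs from real target
            break
    if URGENT.search(body):
        signs.append("urgent-or-threatening")
    if CREDS.search(body):
        signs.append("asks-for-credentials")
    return signs

# Constructed sample message (not a real email); .example domains are reserved.
SAMPLE = """From: World Health Organization <alerts@who-int.example>
To: staff@company.example
Subject: COVID-19 safety measures
Content-Type: text/html; charset=utf-8

<p>Dear user, your account will be suspended. Log in immediately:
<a href="http://portal.who-int.example/login">https://www.who.int/safety</a></p>
"""
print(phishing_signs(SAMPLE))
```

Keyword and header checks like these produce false positives and miss well-crafted messages, so treat the result as a prompt for review alongside staff reporting, not as a verdict.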

Reporting cyber-concerns

Make sure that all employees know how to report any cyber-concerns that they might experience while working from home. Staff should report these problems to their direct supervisors and your IT department, if needed.

If an employee needs to report a serious concern, such as a cyber-attack, they should also know how to contact Action Fraud.

Have a Cyber-incident Response Plan

In addition to preparing your technology and your staff, make sure your organisation has a cyber-incident response plan in place to help limit the potential consequences in the event of a cyber-attack. Educate all employees on this plan and test it regularly for effectiveness. Make updates to your plan as necessary.

Cyber insurance

Cyber-attack trends continue to evolve in these uncertain times, and attacks can lead to lost revenue, damaged reputation and regulatory fines. Be sure to regularly review and update your policy to avoid the ruinous ramifications of a cyber-attack.

If you don’t have cover and you use computers or the internet at work, hold customer/supplier/employee data, carry out online transactions, or even just use social media, you should be thinking about it.

It’s there to protect your business against things like fraud, data theft and social engineering, where criminals attempt to fool you into parting with money, information or both. It also covers data breaches where sensitive information is accidentally shared.

If you have any questions on cyber insurance or the article in general, please don’t hesitate to contact us today.

Further information

If you are concerned about your cyber security, read the National Cyber Security Centre’s (NCSC) Small Business Guide: Cyber Security and look at ways to Work with the NCSC and consider getting your business Cyber Essentials Certified.

Other resources: Beazley: Preventing email compromise and Ransomware; CFC Underwriting: Cybercriminals exploiting Coronavirus; Financial Conduct Authority: Avoid Coronavirus Scams

The information and materials above are for general information purposes only, are not intended to constitute legal or other professional advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances.