A Remote Workforce Brings New Cybersecurity Risks – 5 Questions to Ask Yourself
September 10, 2020
Everyone says security is top of mind, but when no one is watching it is easy for security to be traded for convenience. Yes, you have secured your network, confirmed that all servers and networking equipment are patched, required your employees to use strong passwords, and monitored the network 24x7x365, but what have you done to address the human element? Hackers look for the weakest link, and all too often that is the people in your organization. In most cases it is easier for a hacker to get a person to give up their password than to find and exploit a vulnerability in a firewall. At the outset of the work-from-home initiatives due to the COVID-19 pandemic, phishing scams were up 667%, according to Security Magazine. Now, as remote work extends longer than anyone anticipated, are you certain your employees are not becoming more lax about security protocols? It is important to ensure your employees understand the risk they pose while working remotely.
In this “do more with less” environment, employees will often take shortcuts just to get things done, often at the expense of security. This is not intentional. It’s human nature. When we are under stress, juggling home and work responsibilities while often dealing with personal and financial challenges at the same time, thinking about corporate security protocols (some of which people don’t understand) is not going to be at the top of the list.
If you have not already done so, ask yourself these questions about your employees working from home:
1. Who is printing what?
Are your employees printing at home, and could what they print be confidential? Do they have access to a shredder? What happens to these hard copies when they are no longer needed? Are they just put in the recycling? If your neighborhood is like mine, there is a chance those confidential documents are blowing down the street on garbage day.
2. Who else is listening?
Is there an Amazon Echo or Google Home within earshot of your employees’ workspaces? How would your clients feel if they knew your confidential conversations were taking place with those devices listening?
3. Are your employees using organization-approved equipment?
Are your employees using personal equipment to work from home? Are confidential documents being saved on the family computer with shared accounts and potentially no antivirus protection? Are the devices that your employees use to access confidential information as secure as the devices they would use in the office?
4. Where are your files going?
Are personal email accounts and file shares being used? If you find yourself in a situation where you are legally compelled to produce documents, do you know that everything is saved to your organization’s servers, or are files scattered across employees’ personal Gmail and Dropbox accounts?
5. Can your employees spot a fake email?
Be sure to continue cybersecurity awareness training. If you are not already doing at least annual training, there is no better time to start than today.
Teach your employees to spot phishing attacks. Some common things to look for:
- Bad email address: Look closely at the address the email is sent from. It is easy to overlook a single letter being off. Mobile devices often show only the display name rather than the full address, which makes a bad address much harder to recognize.
- Inconsistent language: Does the message sound like the language the sender would use? Is the grammar or punctuation inconsistent with the standards of the purported sender?
- Unexpected downloads or links: Any unsolicited attachments or links should be met with skepticism.
- Remember, if something doesn’t feel right, don’t be afraid to check. When checking, use a different method of contacting the sender; do not reply to the suspect email. And never give away personal information via email.
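The “bad email address” point above can be partly automated. The script below is an added example written for this article, not a tool the author or LP describes. It takes a raw message, pulls the domain out of the From header, and flags three things a reader on a phone is likely to miss: a domain that differs from an approved one by a character or two, a domain that uses lookalike characters (a digit 1 for a letter l, “rn” for “m”), and a display name that shows an approved domain while the real address is somewhere else. The approved-domain list and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical domains the organization really sends from (constructed for this example).
APPROVED_DOMAINS = ("example-law.com", "example.com")

# Character sequences attackers swap in to imitate a domain, mapped back to what
# the eye reads them as. Multi-character pairs come first so "rn" -> "m" is
# applied before the single-character substitutions.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Fold common lookalike characters so 'examp1e-law.com' reads as 'example-law.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def classify_sender(raw_message: str) -> dict:
    """Return the sender domain, a verdict, and the reasons behind it."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []

    if not domain:
        return {"domain": domain, "verdict": "malformed", "findings": ["no usable From address"]}

    if domain in APPROVED_DOMAINS:
        return {"domain": domain, "verdict": "approved", "findings": findings}

    for good in APPROVED_DOMAINS:
        if normalize(domain) == normalize(good):
            findings.append(f"lookalike characters imitate {good}")
        elif edit_distance(domain, good) <= 2:
            findings.append(f"within two characters of {good}")
        # A display name that shows an approved domain while the real address is
        # elsewhere is exactly what a mobile client's collapsed header hides.
        if good in display_name.lower():
            findings.append(f"display name shows {good} but address is {domain}")

    verdict = "suspicious" if findings else "external"
    return {"domain": domain, "verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail), one per check plus two controls.
SAMPLES = {
    "legit": "From: Jane Doe <jane@example-law.com>\nSubject: Lunch\n\nStill on for noon?\n",
    "digit_swap": "From: Jane Doe <jane@examp1e-law.com>\nSubject: Wire instructions\n\nUpdated account attached.\n",
    "truncated_tld": "From: Jane Doe <jane@example-law.co>\nSubject: Quick favor\n\nAre you at your desk?\n",
    "display_spoof": '"Jane Doe (example-law.com)" <jdoe1988@gmail.com>',
    "plain_external": "From: billing@somevendor.net\nSubject: Invoice\n\nSee attached.\n",
}
SAMPLES["display_spoof"] = f"From: {SAMPLES['display_spoof']}\nSubject: Urgent\n\nCall me.\n"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = classify_sender(raw)
        print(f"{label:15} {result['verdict']:10} {result['domain']:20} {'; '.join(result['findings'])}")
```

The edit-distance threshold of two is deliberately tight: it catches a dropped letter or a swapped TLD without flagging every unrelated external domain, and an “external” verdict means only that the domain is not on the approved list, not that the mail is safe. The display-name check is the one that matters most on a phone, where the quoted name is often all the user sees.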
Most of these points sound obvious and are easy to ignore, but they are easy vulnerabilities for bad actors to exploit. Many of these issues can be addressed with updated work-from-home policies and education. For instance, at Levenfeld Pearlstein (LP), our work-from-home policy was revisited. Work-from-home policies need to include things like proper handling of printed files and restricting access from non-organization equipment. LP is also mandating security awareness training for all our people to ensure that everyone understands the hidden risks that working from home poses.
LP incorporates social engineering as part of our security audits to guarantee our people are practicing good digital hygiene. As mentioned above, if it has been a while since you did security awareness training for your organization, strongly consider scheduling something now. Be sure to address the unexpected risks that come with a remote workforce. If you haven’t already revisited your work-from-home policy, take another look and make sure it addresses these hidden risks that may have been overlooked. It does not take much time or effort to update your policies and schedule training, and doing so could save you hours of frustration in the future.