What are the risks?
Mobile working and working from home mean that company information will be used and accessed outside of the office, typically over the internet but sometimes physically removed from the building (files or written records, for example). Mobile devices such as laptops will be used in places such as cafes and libraries, meaning there is a risk that the screen can be overlooked, or the device even stolen, by members of the public.
There is also a risk that a company may not be able to establish secure mobile working, and employees using remote access make the company vulnerable to some risks:
Loss or theft - devices that are portable, such as laptops, tablets and mobile phones, are particularly at risk of being stolen, which means any information stored on or accessible through these devices would be at risk. Viewing any company information outside of the office means anyone can walk by and see confidential information, which is definitely a security risk.
Loss of credentials - if user details such as a username or password are lost or stolen, an attacker could use them to gain access to the information stored on company devices or drives.
If any device is left unattended outside of an office setting, there is a risk of malicious software or hardware being installed. This would allow the hacker to monitor all activity on the device and learn login details and passwords.
How can you minimise risks?
It’s important to assess all the risks associated with working from home and mobile working. This will be an important factor in creating a mobile security policy that effectively minimises the risk of a cyber security breach. The policy should cover: processes for authorising users to work off site, device provisioning and support, what type of information is allowed to be accessed remotely, and the minimum security procedures that should be adhered to. There should also be an increased level of monitoring on any remote connections and the systems being accessed.
All staff who are working remotely should be educated and trained on the use of mobile devices in the locations that they will be working in. The company should support staff in looking after their mobile device and working securely by helping them follow the procedures that have been laid out. Support should be given on:
- secure storage and management of user credentials
- incident reporting
- environmental awareness (the risks from being overlooked, etc.)
Protect your data ‘at rest’
Good cybersecurity practice is to minimise the amount of information stored on any mobile device. This means only storing information that is completely essential for the employee to fulfil their role outside of the office environment. If at all possible, encrypt any data stored on a mobile device.
Protect your data on the move
Any time an employee is working from home, the connection back to the business network will typically be over the internet. All data that is exchanged should be appropriately encrypted.
Create or review your corporate incident plan
Working from home definitely increases risks, and even if you follow the most secure cyber security plan, there will still be security incidents. An incident management plan needs to be flexible in order to deal with the range of security incidents that could occur. The most effective way of managing a breach is the ability to remotely disable any device that has been lost or stolen, or at least sever any connection to the corporate network.
Investing in the best technology
Even before the global pandemic, working from home was becoming more and more commonplace, so PC manufacturers, such as HP, have been introducing helpful features in their products. For example, the new ZBook Firefly laptop comes with a built-in integrated privacy screen called HP Sure View. This display reduces up to 95% of visible light when viewed at an angle, which protects your company data against visual hacking.
Another security feature that HP provide is HP Sure Start, which is self-healing BIOS protection. In the event of a malware attack on the BIOS, HP Sure Start automatically detects the change, notifies the user and IT, and restores the most recent good version of the BIOS. With HP Sure Start your devices will be ‘self-healing’ and constantly monitoring for threats. This provides you and your employees working from home peace of mind that they are working securely.
Within the ZBook range there is also a technology called HP Tamper Lock, which detects and alerts users if their PC chassis has been physically opened or tampered with, meaning that if you have left your mobile device unsupervised, you can be confident it has remained secure.
Preparing your staff to work from home
The prospect of working from home can be scary for some people, especially those who have never done it before. To ensure effective working you also need to think about the practical considerations; you may require new services, or need to extend the current ones, to enable teams to continue working together. This is the time to consider investing in Microsoft Teams, Zoom, Skype or another service that provides group chat, video calling and screen sharing.
Some general recommendations to support home working are:
- You may need to educate staff on using new software or changing the way they use current software. Written guides may be a good way of explaining new features and making sure the new software works as needed.
- To stop busy teams from being bombarded with questions, producing ‘how to’ guides may be a good way to manage any queries.
- As previously stated, working from home means a device is more likely to be lost or stolen, which is why it’s important to make sure your devices can encrypt data. Most modern devices include tools that make it possible to remotely wipe and/or retrieve data from a lost or stolen mobile device.
- Virtual Private Networks (VPNs) are a secure way for users to access the company’s IT resources, such as email and file services. A VPN creates an encrypted network connection; it authenticates the user and device, and encrypts data that is in transit between the user and the services they are accessing. It’s important that your VPN is fully patched; you may require additional licenses, and increasing capacity and bandwidth may be necessary.
Supporting staff with their devices
Whether your staff are using their own or company-owned devices, the devices are all at risk of being lost or stolen. Staff will need to be encouraged to lock their screens when the device is left unattended, especially if there are other people living in the house with them, such as children or roommates. When not in use, the device should be kept somewhere safe, such as a locked drawer or safe.
It’s important that your staff know who to report to if their device is lost or stolen, and this should be handled in a blame-free and friendly way. This will stop staff trying to hide any damage to or loss of their device; early reporting of any issues will help minimise the risk to data. Staff need to know the importance of keeping their devices and software up to date and safe, to minimise the risk to company security.
USB drives are often used to hold lots of sensitive data; however, they are easily lost and can be used to introduce malware when inserted into your device. If USBs are used by multiple people, it can become hard to keep track of what is on them, where they have been and who has used them. Best practice when it comes to USB use involves:
- Safely disabling any removable media using MDM settings
- Using appropriate antivirus tools
- Not allowing workers to use personal removable media
- Encrypting any data on removable media
There may be safer ways for your workers to transfer files, such as using corporate storage or collaboration tools, instead of using USBs.
Identifying email scams related to coronavirus
As often happens when a new threat emerges, whether it be medical, financial or technological, there are people who will take advantage and try to use it to gain access to your information. Most of the time this comes in the form of ‘phishing’ emails, which are used to try to trick people into clicking on a bad link. Once you click, you are taken to an unsafe website which could download malware onto your device, or even steal your passwords. At the moment these emails are coronavirus based: some tell users that the sender has the cure, while others offer a financial reward or encourage you to donate to a fake charity. These emails often use real-world concerns to trick people into following the link provided. You must alert all staff to these emails and make sure they are deleted and not clicked on.
Now that face-to-face meetings are becoming less common and video conferencing is the new normal, it’s important that your company is using a secure video conferencing service. Many services have additional paid options which might offer more security and privacy features; you may want to consider paying for these.
There are some services that offer end-to-end encryption; this means all data is encrypted in transit and can only be read by participants of the call. This encryption will include any instant messaging and screen sharing that are offered with the service.
You want to be able to control who joins and who organises the meetings; this helps protect any confidential discussions in the meeting and stops anyone who was not invited from interrupting. It’s common security practice for employees to join meetings that are arranged in advance, and to access them by clicking a link or entering a unique code.