Adelle Gruber, Senior Underwriter, Cyber at Brit Insurance, looks at how the sudden uptick in remote working is exposing companies to greater cybersecurity threats.
Over the last month, the UK’s businesses, large and small, have been at the sharp end of adapting to the new normal of the coronavirus (COVID-19) situation. As part of this, to help manage the virus’ spread, many organisations are mandating that their staff work from home.
Whilst COVID-19 may have precipitated a sudden uptick in remote working, it is merely a catalyst of an already growing trend. A 2019 study by International Workplace Group found that 50% of employees work away from their office at least 2.5 days per week.
As the situation evolves, an unprecedented number of us are now connecting to our workplaces via virtual networks, amplifying the potential cyber risk points – the “attack area” – to the companies we work for. This presents new cyber security challenges that must be addressed, and businesses must quickly establish and implement best practices.
Critically, not every employee’s work from home situation may be the same – from shared family computers, full of downloaded films and games to keep the kids occupied, to busy millennial flat shares where everyone’s laptop and iPhone look similar. This creates a range of different cyber risks and calls for different security measures: there is no one-size-fits-all answer.
Business (and best practice) as usual
Whilst “business as usual” is a long way off for many companies, employees should be reminded that, when working remotely, the same essential cyber security precautions apply as if they were sitting in the office.
Some basic practical tips companies can deliver to workers via e-training, webinars or internal communications channels include:
- Alert employees to the usual day-to-day cyber hygiene measures, including updating passwords on devices and also on home WiFi networks and ensuring antivirus software is updated and functioning;
- Set an automatic lock on your home computer if left unattended for periods of time;
- Remind and educate users on how to spot suspicious ‘phishing’ emails and other opportunistic scams, which have seen an uptick in recent weeks as bad actors look to exploit our vulnerable mindsets;
- Recirculate your policy on removable devices – for example, USB drives can be easily misplaced, and can introduce malware into IT systems. You can also ask staff to transfer files using alternative means (such as by using corporate storage tools), rather than via USB.
Controlling access to corporate systems
Virtual Private Networks (VPNs) allow remote users to securely access your organisation’s IT systems, such as corporate email and locally saved files. VPNs create an encrypted network connection that authenticates the user and/or device and encrypts data as it is transferred between the user and your networks.
If your company is already using a VPN, make sure it is fully patched with the latest security updates downloaded. You may need to budget for additional licenses or bandwidth to ensure the continued smooth operation of your VPN if your organisation normally only has a handful of remote users.
If you need to set up new accounts or accesses so your staff can work from home, you should set strong passwords and we would strongly recommend you implement two-factor authentication if available.
Devices and data loss
Devices used for working outside of the office are more vulnerable to theft and loss. Whether using their own device or the organisation’s, ensure staff understand the risks of leaving them unattended, especially in public places. When the device is not being used, encourage staff to keep it somewhere safe.
Most devices are now designed with encryption built in, but encryption may still need to be turned on and configured. Furthermore, make sure that staff know what to do if their device is lost or stolen, such as who to report it to. Encourage users (in a positive, blame-free manner) to report any losses as soon as possible. The early reporting of such losses may help minimise the risk to the data, and staff who fear reprisals are less likely to report promptly.
As is evident, data can be lost in a number of ways, including human error, physical damage to hardware, or a cyberattack. It is important that, as well as being vigilant and having detection processes in place, the company backs up its systems to either the cloud or a hard drive which can be disconnected (or both).
Using personal rather than work devices
Your employees may want to use their own laptops, smartphones and tablets to work remotely. In many cases, this should be encouraged – they will be familiar with the device and, at a time when businesses need to keep costs low, it minimises overheads for the business relating to procurement and provisioning.
It’s to be expected that you will have less control and visibility of a user’s personal devices than you would of corporate IT, and this may create greater security risks than a traditional setup. Organisations should therefore still apply the relevant security controls and monitoring to these devices. Central to this is ensuring that staff understand the importance of keeping software (and the devices themselves) up to date, and that they know how to do this.
Check your insurance wordings
Business owners and management teams should check their cover under cyber insurance policies. With the right cyber policy, your electronic data and computer systems are protected from business interruption, ransomware, viruses, and other forms of computer attacks, whether your employee is in the office or working from home. This type of policy is absolutely essential to protect your company and the information of your customers and clients.
Whilst there are many factors businesses are currently unable to control in the current climate, make sure you minimise those which you can influence. Overall, in a time of greater cyber risk to businesses, we recommend that both companies and individuals take responsibility for being more alert to the potential dangers. Dialogue is crucial, and management teams must be committed to educating and training staff both to work effectively and safely and to report any cyber security concerns without fear of judgment.