Whether it’s juggling caring for children with catching up on emails or getting the hang of conducting meetings via video, many of us are getting more accustomed to working from home.
While the flexibility and opportunity to work from home have allowed some businesses to continue operating, it’s not without its risks. Accessing company details and programmes and having to share information remotely opens up a world of security risks and vulnerabilities. That’s not to mention the significant rise of scams and phishing attempts; there have been over 200 reports of coronavirus-related phishing emails to Action Fraud.
Thankfully, there are some simple steps you can take, and get your staff to action, to improve your SME cyber security even when multiple members of your team are working from different locations. From storing passwords correctly to training, we’re going to share seven steps to safer remote working.
1. Use password managers
Sharing and storing passwords can be more of a challenge when your staff are working from home, especially if you share access to business accounts or tools.
Add in the possibility that you’ll need them to create accounts on new tools to aid home working, and you increase the chances your employees may be using insecure passwords or the same ones across all accounts for fear of forgetting them. In fact, statistics show that 123456 was found 23 million times in breaches, which goes to show how much simple combinations like these are being used.
Invest in, and get all your staff using, a password manager. A password manager is an online tool or vault that stores all your passwords and login details securely and can help you create strong passwords for new accounts. There are plenty out there to choose from, such as Google’s password manager or LastPass. Many of these tools also allow you to share passwords with members of your team in a secure way, rather than through unencrypted emails.
2. Set up two-factor authentication (2FA)
Two-factor authentication can provide added security to your accounts. By getting staff to use two forms of authentication to log in to online accounts, such as a password and a PIN code from a mobile app, you’re effectively adding another layer of security to your processes.
Many online tools and systems, such as MailChimp and HubSpot, already have 2FA options available which you can just activate. The way staff receive 2FA codes and information varies; you may be able to use mobile numbers (if you provide work devices) or utilise apps like Google Authenticator.
If 2FA isn’t readily available on some of the services you use, make sure you investigate the security options they are providing, as there could be alternative ways to add some extra security to your accounts. There are also plenty of 2FA programmes out there that can offer tools to cover applications and devices.
3. Keep alert for phishing scams
We are all being targeted by phishing scams and emails every day, and unfortunately cyber criminals will take advantage of national events and pandemics to trick us into clicking suspicious links and opening dangerous attachments.
Coronavirus is no different, with 18 million scam emails about COVID-19 being sent to Gmail users every day. From selling fake goods to malicious links about tracking the spread of diseases, it’s vital you stay alert to phishing attempts by:
- Encouraging your employees to stick to trusted websites
- Resisting the urge to click on any news stories or sites using ‘click-baity’ headlines
- Making it clear how you are contacting your staff and how customers might be contacting your business, so out of place or suspicious emails can be identified quickly
- Reminding yourself and your employees of the tell-tale signs of a phishing email
- Reporting suspicious emails to the NCSC
4. Conduct regular training
One of the most effective ways to improve your cyber security is through training. Making sure your staff understand what risks they and your business are vulnerable to when working from home, and providing top tips and support for combating these, can go a long way.
When it comes to training, follow these top tips:
- Provide training sessions and support on any new tools or processes implemented, for example password managers or two-factor authentication
- Invest in a cyber security training programme, like this free online tool from NCSC, and allow your employees time for regular training and learning
- Make it fun! Try and add some competitive spirit into the training or involve rewards to keep employees motivated and engaged
- Make sure staff are aware of their responsibilities (e.g. connecting to VPN and reporting phishing emails)
- Encourage staff to always adopt an ‘if in doubt’ approach and report any incidents to the appropriate person straight away
- Share tips to help your staff and their families when they’re not working by sharing news and helpful resources to keep them safe when they’re online in their own time
5. Implement VPN
VPN, which stands for virtual private network, allows you to create a private network from a public internet connection. This means you can secure your online actions when using public Wi-Fi or when members of staff use different means of internet access.
Any data or information you share or access via the Internet will be encrypted, while your online browsing will remain anonymous. There are plenty of different options to consider, from NordVPN to ExpressVPN.
6. Ensure backups and updates are being made
When operating a business remotely, you’re reliant on your staff to play their part in updating computers and software and backing up data.
Updates often include patches and fixes for security vulnerabilities in software and operating systems. Completing regular updates can help fix any flaws and improve your security against potential cyber-attacks, while delaying simply allows hackers more time to exploit any vulnerabilities.
That’s why it’s important to ensure all your employees have updates set to automatic where they can and check in to remind them when updates are due to be made.
Backing up your data helps protect your assets if you were to suffer a breach or attack such as ransomware, or even just a failure in equipment. The same applies here: make sure processes are automatic where possible. It could also be worth investing in a secure cloud backup service.
7. Protect your assets
This last one combines our last point on backups and updates with training. If you previously worked in an office environment where all your computers and equipment were housed in one place, it can be a big change to not know or have visibility of how your business assets are being used.
If you’re providing equipment for staff to use at home, don’t be afraid to set out some guidelines:
- Ask employees to keep their laptops locked when not in use; this also reduces the risk of other family members accidentally clicking on suspicious links or emails
- Ask employees to keep their laptop at home and avoid taking it out unless absolutely necessary
- Set some rules or guidelines about what staff can use equipment for, such as accessing certain websites or shopping online
Keeping your business and staff secure when working from home or remotely is now more important than ever. But by implementing some of these fundamental tips you can help protect your assets and employees both now and as we navigate what the future of working may look like.
The NCSC has some really helpful advice on staying safe both at home and at work, with training materials and support for small businesses. Visit the website to find out more. We also discussed cyber security for small businesses alongside data protection in a recent webinar; you can access the full recording here.
Cath has 19 years’ experience in the cyber security profession having worked for both UK Government and the private sector. A thought leader in her field, she frequently speaks at security and internet conferences and has provided articles and comments for multiple publications. Her career was profiled in the Financial Times and she has appeared on the BBC multiple times. Cath currently works as Chief Information Security Officer for Nominet UK, the internet company best known for running the ‘dot.uk’ registry and therefore critical to internet operations in the UK.