They will probably have had little formal training and won’t be getting any extra pay, but hundreds of thousands of staff have recently taken on a critical new IT role for their employers.
On top of their existing job, they are now effectively Chief Information Security Officers for their home office, a position which comes with a significant amount of responsibility at a time when threat levels are higher than normal.
Although most employees are likely to receive some form of cyber security training during ‘business-as-usual’ times, the change to working life in recent weeks means it is now particularly important for IT departments to be proactive.
As well as raising and maintaining general cyber security awareness, they also need to address some of the additional risks of working from home. For example, many staff may not have a dedicated area to work from and could be living in shared accommodation, with the potential for ‘shoulder surfing’ and for conversations about work issues to be overheard by others.
Simple steps such as using headphones instead of being on speaker and always making sure computers are locked when not in use can reduce the risk of potential leakage of sensitive information.
Staff should also be encouraged not to be afraid to say, and to accept from others, “I can’t speak now” when they feel it necessary, and to reschedule calls with colleagues for a more suitable time.
‘Workaround’ risks can become opportunities
With employees having to adapt to different ways of working, there is also heightened risk that they will use workarounds that could potentially compromise security.
For example, rather than sharing or storing files using the system provided by their employer, they may be tempted to use a service they already use for their personal documents because they are more familiar with it.
Although seeking out such workarounds poses risks, it should also be seen as an opportunity for IT departments to help find innovative and more efficient ways of doing things.
Encouraging staff to be open about how they are working and the tools they are using can help provide insight into whether the technology already provided is fit for purpose. It can also ensure alternatives are properly assessed and potentially introduced for wider use with appropriate safeguards in place.
Consideration also needs to be given to what happens when devices issued to staff develop problems or fail. With IT teams working remotely, they may not have easy access to replacement hardware such as laptops, and even if they do, getting it delivered to an employee may not be straightforward.
Staff may have to use personal devices, which will often lack security tools such as antivirus software, firewalls and automatic backup, increasing the risk of work-related content being leaked or hacked. It is important to ensure any guidelines in place on using personal devices are highlighted to staff and updated if needed.
There are also simple measures that home workers can take to increase the security of their home WiFi, such as turning off the guest networking feature, so organisations should consider putting together some ‘top tips’ if they haven’t already done so.
Ensuring personnel hygiene
Although most organisations will have sophisticated cyber security protections in place, it is worth remembering that the vast majority of breaches are caused by poor ‘personnel hygiene’ and simple lapses.
IT teams should be regularly reminding staff of basic measures such as not opening attachments or clicking links that look suspect. With significant rises being seen in phishing, malware and ransomware attacks since the Covid-19 crisis began, highlighting some of the latest examples and the new approaches being taken by cyber-criminals – perhaps in a regular update email – will help maintain awareness levels.
It is also worth highlighting information available from reliable sources such as the National Cyber Security Centre, which offers a ‘Top Tips for Staff’ e-learning course, and the National Cyber Security Centre of Ireland, which has recently published updated guidance on working from home.