Working from home is not new; people have been able to work from home for a while, especially those whose main line of work is on a computer.
They can choose to work from home as long as there is a way to communicate with co-workers. It is also good for business because there is no need to rent an office for your employees. However, not everyone knows how to secure their computer, especially those who don’t work in the IT field. While there are many things to consider when working remotely, the most important is your employees' security, and your own, when they log in to your organisation.
IGT’s technology columnist Vigne Kozacek provides a few words of advice on how to ensure security while your staff work from home, and on how to maintain the highest cybersecurity standards when they have to work remotely. Vigne Kozacek has more than 25 years of experience in operations and business activities in the IT field. Vigne is known in the casino industry, and he made his career at Camelot, Boylesports and William Hill. Vigne’s line of work is to deliver and manage positive change programmes, including support and solution acquisitions.
How to Increase Security
One sure thing is that not everyone is trained on cybersecurity dangers. Unfortunately, many cybersecurity policies and procedures rest on those who work in this kind of department. Well-developed cybersecurity systems are at the office, where they are checked by the staff who are usually there.
Besides, those who work remotely usually work on their personal computer – one that generally has expired antivirus, inadequate protection, or no security software installed. Not to mention that ISP-provided routers also have minimal security capabilities. In other words, employees use highly insecure computers that have direct access to the heart of an organisation. This leaves the business’s digital assets vulnerable and increases the risk of a security breach.
The ideal scenario, if there can be one, is for the staff to use company-supplied equipment that runs only company-authorised systems over which the company has control. However, that means no Facebook, no personal email or unfiltered web browsing through corporate systems via a VPN (a virtual private network).
This is the ideal scenario. However, it is understandable when the field of work differs from the corporate one, as in the case of programmers, designers, copywriters, etc. So what is the best starting point for securing yourself against cyberattacks?
Contact your usual suppliers and have them conduct a thorough penetration test on all exposed areas of your network. Even if you have carried out an analysis yourself, more holes could have been opened up while setting up remote access for your staff. According to IBM, last year, the average length of time it took for an organisation to discover that they had been compromised was 206 days.
Conduct full suite penetration tests on all exposed areas of your network
According to Symantec, 48% of malicious email attachments were Microsoft Office files. Legitimate communications are easily disguised to appear as though they have originated from a legitimate source. Employees need to be able to recognise the difference between a malicious attachment and a genuine one, particularly as attackers become more sophisticated.
Update and ensure that employees undergo security awareness training
Security training is necessary if your employees will connect from home to your organisation. Training them is critical, and it can be done online as well. There are many reputable companies out there that can facilitate a training session online. It is crucial as a business to conduct surveys before and after training to measure its impact and to ensure you are achieving the desired standards. This can be quickly done by an IT security team using something like Survey Monkey.
Having staff work from home isn’t a new concept and most companies will have policies and procedures in place for those staff for whom homeworking was already the norm before the pandemic struck.
However, not all staff are fully trained on cybersecurity dangers, and far too often these policies are reliant on well-developed systems being in place and adequately managed by staff who are normally in the office.
What companies are left with, then, is a large proportion of staff now trying to carry out their usual day-to-day duties from outside of the organisation. In other words, many companies have put the safety and security of their digital infrastructure in the hands of a personal computer – potentially one with expired antivirus protection and poor, if any, security software installed. Not to mention a £50 ISP-provided router which has very little security capabilities.
So these staff, who have little or no security training and who could be using highly insecure computers, now have direct access to the heart of your organisation. This renders your digital assets vulnerable and increases the risk of a security breach.
Mitigating the fallout
Okay, so we’re agreed that there is a higher risk. But how do we address these issues?
The ideal scenario, if there can be one in this situation, is for staff to use company-supplied equipment that runs only company-authorised systems over which the company has control. Yes, that means no Facebook, no personal email or unfiltered web browsing through corporate systems via a virtual private network (VPN).
While this is the ideal scenario, we do understand that the lockdown has blindsided many businesses and most would not have been prepared for this – despite having disaster recovery and business continuity plans in place.
Having a few remote workers is not the same as having most, if not all, of your workforce working remotely. The capital and manpower required to acquire laptops and set up the infrastructure would have been heavily restricted by the lockdown.
So what should you do? A good starting point is to go through this three-point checklist:
Contact your usual suppliers and have them conduct a thorough penetration test on all the exposed areas of your network. Even if you have carried out a test recently, more holes could have been opened up while setting up remote access for your staff. Last year, according to IBM, the average length of time it took for an organisation to discover that they had been compromised was 206 days.
2. Conduct a full suite of penetration tests on all the exposed areas of your network
According to a report by Symantec, 48% of malicious email attachments were Microsoft Office files. Legitimate communications are easily disguised to appear as though they have originated from a legitimate source, but staff must be able to recognise the difference between a malicious attachment and a genuine one, particularly as attacks become more sophisticated.
It is not beyond would-be attackers to use LinkedIn or even your own company website to construct an organisation chart of your company complete with reporting lines. They could then send spoofed emails to subordinates with malicious attachments and/or content used for phishing purposes. This could well be more effective, especially now when it is no longer possible to just pop over to someone’s desk and verify if it was them that sent that questionable email or message.
3. Update and ensure staff undergo security awareness training
Security awareness training for all staff is critical at the best of times – but especially so now. This can be done online and there are many reputable companies out there that can facilitate this. I would highly recommend that you conduct surveys of your staff before and after the training to measure its impact and to ensure you are achieving the desired standards. This can be easily carried out by your IT security team using something like Survey Monkey.
VIGNE KOZACEK has more than 25 years’ experience of managing information technology operations and business activities, predominantly in the gaming industry. With a career base including Camelot, Boylesports and William Hill, Vigne has successfully delivered and managed positive change programmes, including merger support and solution acquisitions.