This Data Privacy Week, we thought it important to highlight the security risks of the work-from-home phenomenon. The pandemic forced many knowledge workers into working from home. Many have stayed there or adopted a hybrid working model. But what many remote workers and their employers don’t realise is that the risks of working from home go beyond dogs barking in the background of a Zoom call or uncontrollably eating all the biscuits; the rise in people working from home has also increased the risk of a data breach for many organisations. Taking a work computer home can result in data loss or a data breach, since home networks lack many of the usual built-in security measures.
Organised by the National Cybersecurity Alliance, Data Privacy Week takes place from January 22 – 28, 2023. This annual campaign aims to educate individuals and businesses about the importance of online privacy. It’s a good time to focus on the risks affecting all of us, including those who work from home. In this article, we look at ways for businesses to protect their employees and their data while allowing for location flexibility.
10 security tips to help your organisation and your staff stay secure
- Educate your employees about cybersecurity
Cybersecurity training is not a one-and-done activity. Cybercriminals are constantly looking for ways to exploit vulnerabilities and circumvent security controls to gain access to sensitive information. It’s important to conduct regular cybersecurity awareness training to teach your employees to:
- Recognise and avoid email-based scams
- Recognise various types of cyber attacks, from spear phishing to whaling and typosquatting
- Use two-factor authentication for all logins
- Only install up-to-date, well-established Software-as-a-Service applications
- Avoid plugins developed by unidentified or unknown sources
- Adopt a zero trust model
Zero trust is a strategy that relies on verification for every user, app and device. It also involves strong user identification, network segmentation, policy compliance, and more. Before the days of zero trust, many company networks would assume that everything ‘inside’ (generally inside a firewall) was trustworthy by default. But in today’s highly connected world, the perimeter-centric view is no longer sufficient. A zero trust model creates micro-perimeters with restricted access and permissions, along with ongoing encrypted traffic inspection and analysis. For today’s distributed workforce, zero trust is the only way to approach network security.
- Monitor third-party service providers
You may have trained your employees and implemented zero trust architecture, but your weakest links may actually come from outside your organisation. Your vendors and outsourced service providers may also have employees working from home and opening up your data to cybersecurity risks. Be sure to conduct thorough vendor risk management and be clear with your suppliers about your cybersecurity policies and expectations.
- Enforce strong passwords
Enforce stringent password requirements on all company devices. Make it easy for your employees to create, remember, and use strong passwords by using a password manager such as LastPass or 1Password.
- Encrypt everything that stores business data
Encrypting data means transforming it into a form that can only be decoded and read by someone holding the corresponding password or decryption key, so that only authorised parties can access it. Encrypt emails, files, and anything else that stores valuable business information. If employees are using their own devices, they will need to encrypt their laptops, tablets, phones, wearables, and so on, and back up important data to the cloud. This means that if a personal or business device is lost or stolen, the data remains stored safely and stays accessible to its owner.
- Implement adequate email security
Malicious email is a popular way for cybercriminals to spread different types of attacks. Email security includes various cybersecurity measures to ensure that email accounts are secure:
- Protect sensitive information in email communications
- Prevent phishing attacks, spear phishing and email spoofing
- Protect against unauthorised email account access
- Protect against loss or compromise of email addresses
Email security involves adequate SPF, DKIM, and DMARC policies.
- Ensure web applications use HSTS
It’s important to have HTTP Strict Transport Security (HSTS) in place to help protect users and websites from cookie hijacking attacks and protocol downgrades. HSTS is a simple and widely-supported web security policy mechanism that enables websites to declare themselves accessible only via secure connections. It protects visitors by ensuring that their web browsers always connect to a website via HTTPS.
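HSTS is only as good as the header value you send, and two details trip teams up: browsers ignore the header when it arrives over plain HTTP, and the policy covers nothing until a visitor has seen it once over HTTPS, which is why the preload list exists. The code below is an added example (not from the original article) showing how to build a `Strict-Transport-Security` value and how to evaluate one you already serve against the preload-list requirements (a `max-age` of at least one year, `includeSubDomains`, and `preload`). The header values it checks are constructed for the example.

```python
"""Added example: build and evaluate a Strict-Transport-Security header value.

The sample header values are constructed for illustration; no HTTP requests
are made.
"""

# One year in seconds: the minimum max-age accepted by the browser preload list.
ONE_YEAR = 31536000


def build_hsts(max_age=ONE_YEAR, include_subdomains=True, preload=False):
    """Return a header value suitable for a response sent over HTTPS."""
    directives = [f"max-age={int(max_age)}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    if preload:
        directives.append("preload")
    return "; ".join(directives)


def add_hsts(headers, scheme, value=None):
    """Attach HSTS to a response header dict, but only for HTTPS responses.

    Browsers discard the header on plain-HTTP responses (RFC 6797), so sending
    it there only creates a false sense of coverage.
    """
    if scheme.lower() == "https":
        headers["Strict-Transport-Security"] = value or build_hsts()
    return headers


def evaluate_hsts(header_value):
    """Parse an HSTS header value and return (strength, findings)."""
    if header_value is None:
        return "missing", ["no Strict-Transport-Security header: an HTTP first visit can be downgraded"]
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return "invalid", ["max-age directive missing or not an integer; browsers ignore the header"]
    findings = []
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year; infrequent visitors lose protection between visits")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: cookies scoped to the parent domain can still travel to subdomains over HTTP")
    if "preload" in directives and (max_age < ONE_YEAR or "includesubdomains" not in directives):
        findings.append("preload requested but preload-list requirements (1-year max-age, includeSubDomains) are not met")
    return ("strong" if not findings else "weak"), findings


if __name__ == "__main__":
    # Constructed examples of header values a scan might return.
    for sample in [None, "max-age=300", "max-age=31536000; includeSubDomains; preload", "max-age=abc"]:
        strength, findings = evaluate_hsts(sample)
        print(f"{sample!r}: {strength} {findings}")
    print(add_hsts({}, "https"))
```

Pair the header with a permanent redirect from HTTP to HTTPS so that the one unprotected first request is as short as possible, and do not add `preload` until you are sure every subdomain can serve HTTPS, since removal from the preload list takes months.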
- Monitor your company’s cybersecurity performance with security metrics
Especially with staff working from home, it’s important to set up metrics and measures that monitor how well your staff are adhering to your data security policies while working remotely. Across the organisation, these metrics will help you demonstrate how well (or not) you are achieving your cybersecurity risk reduction goals, meeting your security standards, and adhering to information security management requirements.
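Metrics only help if they are computed the same way every time and compared with an agreed target. As an added example (not from the original article), the script below takes a constructed inventory of remote endpoints and produces the handful of coverage figures that map directly onto the tips above: MFA enrolment, disk encryption, patch currency, and devices that have stopped checking in. It then compares each figure with a hypothetical target so the output is a short list of what to fix, not just numbers. The device records and targets are constructed for the example.

```python
"""Added example: compute remote-workforce security metrics from an endpoint inventory.

The inventory and the targets are constructed for illustration; a real run
would pull the same fields from an MDM or EDR export.
"""

# Constructed inventory: one record per managed endpoint.
DEVICES = [
    {"host": "lt-001", "mfa": True, "encrypted": True, "patch_age_days": 3, "last_checkin_days": 1},
    {"host": "lt-002", "mfa": True, "encrypted": True, "patch_age_days": 45, "last_checkin_days": 2},
    {"host": "lt-003", "mfa": False, "encrypted": True, "patch_age_days": 10, "last_checkin_days": 20},
    {"host": "lt-004", "mfa": True, "encrypted": True, "patch_age_days": 0, "last_checkin_days": 0},
]

PATCH_WINDOW_DAYS = 30   # assumed policy: security updates applied within 30 days
STALE_CHECKIN_DAYS = 14  # assumed policy: a device silent for 14 days is unaccounted for

# Hypothetical targets, as a percentage of the fleet. "stale" is a ceiling, the rest are floors.
TARGETS = {"mfa_pct": 100.0, "encrypted_pct": 100.0, "patched_pct": 95.0, "stale_pct": 5.0}


def _pct(count, total):
    return round(100.0 * count / total, 1) if total else 0.0


def compute_metrics(devices):
    """Return fleet-wide percentages for each control."""
    total = len(devices)
    return {
        "mfa_pct": _pct(sum(d["mfa"] for d in devices), total),
        "encrypted_pct": _pct(sum(d["encrypted"] for d in devices), total),
        "patched_pct": _pct(sum(d["patch_age_days"] <= PATCH_WINDOW_DAYS for d in devices), total),
        "stale_pct": _pct(sum(d["last_checkin_days"] > STALE_CHECKIN_DAYS for d in devices), total),
    }


def noncompliant_hosts(devices):
    """Return host -> list of failed controls, for follow-up with the device owner."""
    failures = {}
    for d in devices:
        reasons = []
        if not d["mfa"]:
            reasons.append("mfa")
        if not d["encrypted"]:
            reasons.append("encryption")
        if d["patch_age_days"] > PATCH_WINDOW_DAYS:
            reasons.append("patching")
        if d["last_checkin_days"] > STALE_CHECKIN_DAYS:
            reasons.append("checkin")
        if reasons:
            failures[d["host"]] = reasons
    return failures


def missed_targets(metrics, targets):
    """Return the metrics that miss their target; stale_pct is a maximum, the others minimums."""
    missed = []
    for name, target in targets.items():
        value = metrics[name]
        if (name == "stale_pct" and value > target) or (name != "stale_pct" and value < target):
            missed.append(name)
    return missed


if __name__ == "__main__":
    metrics = compute_metrics(DEVICES)
    print("metrics:", metrics)
    print("missed targets:", missed_targets(metrics, TARGETS))
    print("follow up:", noncompliant_hosts(DEVICES))
```

Reporting the two views side by side matters: the percentages go to management as evidence of progress, while the per-host list is what the help desk actually works from.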
- Partner with the experts
If implementing all these measures sounds a bit overwhelming, it could be worth using a professional cybersecurity solutions provider to manage and structure your organisation’s cybersecurity systems. Expert help gives you the best defence against bad actors who are out to steal your sensitive data.