working from home Archives - Security IT Summit | Forum Events Ltd
Posts Tagged :

working from home

How can businesses maintain IT security in a hybrid working model?

960 640 Guest Post

By Claire Price of QMS International, one of the UK’s leading ISO certification bodies

Businesses now have the green light to go back to work, but your organisation may not be returning to its old working practices. So, if a hybrid model is being adopted, what can you do to ensure that information stays secure?

The introduction of more widespread homeworking has certainly piled on the pressure for businesses’ IT security.

At the beginning of 2021, QMS International carried out a survey of businesses about their cyber security and 75.7% of the respondents reported that they now felt more open to attack. Another 10% reported that they had no confidence in fending one off.

And businesses have a right to be worried. According to analysis of reports made to the UK’s Information Commissioners Office (ICO) by CybSafe, the number of ransomware incidents in the first half of 2021 doubled compared to the number reported in the first half of 2020.

Malicious emails have also been redirected to attack those working from home. Data supplied by Darktrace to The Guardian revealed that the proportion of attacks targeting home workers rose from 12% of malicious email traffic before the first lockdown in March 2020 to more than 60% six weeks later. With homeworking becoming more of a permanent fixture in business models, this trend is likely to continue.

While hybrid working offers your team the best of both worlds when it comes to office and home working, it also leaves your business open to the unique risks associated with both, with the added bonus of those linked to transport and travel.

But this doesn’t mean you have to abandon this new way of working. With the right processes in place, you can ensure your information stays secure, no matter where your staff are based.

Carry out a risk assessment

First things first – you must carry out a risk assessment.

Knowing the precise risks your business faces is key to developing methods of removing or mitigating them, but assessments like this are often overlooked. In fact, QMS’ cyber report found that 30% of respondents admitted that no new information security risk assessments had been carried out, despite changes to working practices.

Discover the risks, analyse their likelihood, and then decide if and how they can be controlled. This will give you the grounding you need to build your wider hybrid IT strategy.

Train and test your team

With cyber-attacks on the rise and remote workers being more vulnerable, it’s crucial that your hybrid team know what to look for and, just as crucially, how to report anything suspicious. The best way to do this is through training, which can now be carried out very effectively via e-learning.

This training should cover common cyber-attacks – such as phishing emails – how to spot them, the fundamentals of social engineering, and how to report suspicious activity. Ideally, this training should be refreshed regularly as new cyber threats emerge. You may also like to include training on the safe use of video calls and how to ensure video cameras are switched off when not in use.

To ensure your team have absorbed what they’ve learnt, carry out penetration testing. This involves crafting fake phishing emails and sending them out to your employees. What they do will give you an idea of whether your training has been effective.

Address access

When your hybrid team aren’t in the workplace, they will need to access servers and files remotely. This will often be via a VPN (Virtual Private Network), so you need to ensure that this is as secure as possible.

Remote workers will also be relying on their home Wi-Fi, but this may not be as secure as the Wi-Fi in your office. Your team should therefore be encouraged to create strong passwords – not the default ones on the base of the router.

Workers need to be cautioned against the use of free Wi-Fi hotspots too. It’s possible that your workers may want to use it to work on the train, for example, or in a coffee shop. However, public Wi-Fi is notoriously unsecure, and your workers should be cautioned against using it.

Think about physical protection

If your workers are going to be travelling between locations, then they are going to have to carry equipment such as laptops, phones and removable media with them. If something is lost or stolen, your business information could be compromised. Indeed, IBM’s Cost of a Data Breach report revealed that around 10% of malicious breaches are due to a physical security compromise.

A solid back-up protocol is key to ensuring that any lost information can be recovered. A robust password and access process are also musts – you may want to think about two-factor authentication to make logging in more secure. Make sure you also have a protocol in place so that if your team do report something as lost or stolen, you can act quickly.

When working remotely, you need to ensure that your staff keep their physical devices safe too. Equipment should be kept out of sight when not in use and papers stored away. If your workers are printing content, you may also need a safe disposal or destruction policy in place.

To prevent prying eyes seeing something they shouldn’t, workers should lock their screens when away from their workspace, whether they’re in the office or at home. And if any of your team do want to work while in public, they should be cautioned about the kind of work they perform – who knows who’s sitting next to you?

Create a culture of security

If you really want to take information security to the next level, you may want to consider a more wide-reaching measure such as ISO 27001.

ISO 27001 is the international Standard for information security management, and it is designed to help organisations integrate information security into every aspect of business.

Its 114 controls tackle every angle of security, including physical, legal, digital and human, bringing them together to enable you to maintain compliance and showcase to employees, customers and stakeholders that you have the processes in place to protect information from theft and corruption.

Going forward, it could give you the framework you need to adapt your practices to suit your new hybrid working model and any changes in the future.

Unmanaged personal devices at home threatening corporate security

960 640 Stuart O'Brien

More than half of UK employees working remotely during lockdown use unmanaged personal devices to access corporate systems.

That’s according to a study published today by CyberArk, which found that UK employees’ work-from-home habits – including password re-use and letting family members use corporate devices – are putting critical business systems and sensitive data at risk.

The survey, which aimed to gauge the current state of security in today’s expanded remote work environment, found that:

  • 60% of remote employees are using unmanaged, insecure “BYOD” devices to access corporate systems. 
  • 57% of employees have adopted communication and collaboration tools like Zoom and Microsoft Teams, which have been the focus of highly publicised security flaws

Working Parents Compound the Risk

The study found that the risks to corporate security become even higher when it comes to working parents. As this group had to quickly and simultaneously transform into full-time teachers, caregivers and playmates, it’s no surprise that convenience would outweigh good cybersecurity practices when it comes to working from home. 

  • 57% insecurely save passwords in browsers on their corporate devices
  • 89% reuse passwords across applications and devices
  • 21% admitted that they allow other members of their household to use their corporate devices for activities like schoolwork, gaming and shopping. 

Are Current Work-from-Home Security Policies Enough?

While 91% of IT Teams are confident in their ability to secure the new remote workforce, more than half (57%) have not increased their security protocols despite the significant change in the way employees connect to corporate systems and the addition of new productivity applications.

CyberArk says the rush to onboard new applications and services that enable remote work combined with insecure connections and dangerous security practices of employees has significantly widened the attack surface and security strategies need to be updated to match this new dynamic threat landscape. This is especially true when it comes to securing privileged credentials of remote workers, which, if compromised, could open the door to an organisation’s most critical systems and resources.

“Major socio-economic events have always led to a sharp uptake in cyber incidents. The WHO has warned of an exponential increase in attacks due to the global and unprecedented nature of the ongoing health crisis, and its transformative impact on the way we work. With the accelerated use of collaboration tools and home networks for professional purposes, best-practice security is struggling to keep pace with the need for convenience which, in turn, is leaving businesses vulnerable”, said Rich Turner, SVP EMEA, CyberArk.

“Responsibility for security needs to be split between employees and employers. As more UK organisations extend remote work for the longer term, employees must be vigilant. This means constantly updating and never re-using passwords, verifying that the operating system and application software they use are up to date, and ensuring all work and communication is conducted only on approved devices, applications and collaboration tools. Simultaneously, businesses must constantly review their security policies to ensure employees only have access to the critical data and systems they need to do their work, and no more. Decreasing exposure is critical in the context of an expanded attack surface.”

The first and last line of defence

960 640 Guest Post

As the frequency and sophistication of cyber attacks increase at an alarming rate, much attention has been paid to high-profile data breaches of enterprise companies. Just recently, EasyJet revealed that the personal information of 9 million customers was accessed in a cyber attack on the airline; and the examples don’t stop there. British Airways was fined £183 million in July last year after hackers stole data of half a million customers and in the same month, the Marriott hotel group was fined £99.2 million for a breach that exposed the data of 339 million customers. 

With media attention typically placed on data breaches of this scale, this could give the incorrect impression that the cyber security risk to SMBs is much smaller. It’s true that SMBs by their very nature don’t have thousands of employees or millions of global customers, but that doesn’t mean that they are not a target. Every business still has a combination of employees with personal data, payroll information, company credit cards, suppliers that use their systems – all valuable data that a hacker could potentially use to their advantage. Clearly, technology has a large role to play – but technology alone can’t prevent every type of attack.

Andrea Babbs, UK General Manager, VIPRE Security, explains how a combination of technology, regular training and tools that help the user to thwart potential hacks can provide a layered defence for organisations to mitigate the threats they face….

Technology alone is insufficient

Life and work as we know it is changing as a result of the Covid-19 crisis. Businesses were forced to implement a working from home policy (if they could) almost overnight, with many unprepared in terms of infrastructure and security. Cyber criminals have used this to their advantage, producing ever more sophisticated, convincing and dangerous methods to target businesses and individuals.

Technology, including solutions that provide a vital protection against email mistakes, can help users spot phishing attacks – such as the email that purports to come from inside the company, but actually has a cleverly disguised similar domain name. This technology can automatically flag that email when it identifies that it is not an allowed domain, enabling the user to cancel send and avoid falling for the phishing attack. In addition to email security and endpoint securitythat protects against emerging threats such as spyware, viruses, ransomware etc., this can be a valuable tool in an organisation’s armoury. 

But despite companies such as EasyJet investing significant amounts into essential cyber security software, the breach examples above clearly show that deploying technology in isolation is not enough to entirely mitigate the risk of cyber attacks. The key is to change the mindset from a full reliance on IT, to one where everyone is responsible. 

Employees are a key part of a business’ security strategy. Those that are educated about the types of threats they could be vulnerable to, how to spot them and the steps to take in the event of a suspected breach are a valuable and critical asset to a company. Employees are the soldiers on the front line in the battle against cyber criminals. They need to be trained to be vigilant, cautious and suspicious and assume their role as the last line of defence when all else fails. 

The threat landscape continues to evolve so rapidly that those businesses not conducting regular cyber security training for their employees are not secure. Relying on security software isn’t enough. But training shouldn’t just be a tickbox exercise either, a once a year session on cyber threats won’t be enough to keep the workforce sufficiently informed and vigilant. 

Security Awareness Training

Organisations cannot be expected to stay one step ahead of cyber criminals and adapt to new threats on their own. They need to recruit their employees to work mindfully and responsibly on the front lines of cyber defence. 

According to Verizon’s 2019 Breach Investigations report, 94 percent of malware is delivered by email, making it the most common attack vector. One element of ensuring that the workforce is alert to the threat of phishing emails is to conduct a regular internal phishing email campaign that can also provide analysis on which employees failed to spot the phishing attempt, and therefore, may require additional training. Would your employees know how to spot a scam attempt? What about the following real-world examples taken from actual events? 

  1. A scammer purporting to be a company executive sends an email to an employee requesting a wire transfer to be sent immediately to a supplier. With a senior colleague making the request, and added pressure at the moment to be seen as ‘working’ when working from home, the employee complies and wires funds to a fake account. 
  2. An email is sent to your outsourced HR provider claiming to be from the company CEO requesting personal employee data. Without spotting the fraudulent nature of the email, the HR provider complies and shares personal information with the scammer which could be used to create false documentation. 

Fortifying the defence strategy

The essence of a solid cyber security strategy is a layered defence that includes endpoint security, email security and a business-grade firewall for the security of your network. But even with the most sophisticated software in place, hackers make it their mission to stay one step ahead of IT defences. Employees can, therefore, be a proactive weapon in an organisation’s defence, or a hole in the fence for cyber criminals to pass straight through to the corporate network. That is why regular training, in addition to complementary security tools, can provide a fortified strategy for organisations to mitigate the threat of a cyber attack. The workforce should be trained to question everything, be cautious and double check anything that they think is suspicious. The difference between a trained and an uneducated workforce could mean the difference between an organisation surviving a cyber attack, or suffering the devastating consequences.

WEBINAR REWIND: How to Tackle Working From Home Security Threats

960 640 Stuart O'Brien

Last week ZIVVER hosted a webinar during which participants learned the secrets to securing an organization’s communications while safeguarding against costly data leaks with a remote workforce – if you missed this essential session you can re-watch it again now.

The lively 30 minute discussion includes expert insight and opinion from:

  • Quentyn Taylor is Head of Security for one of the largest enterprises in London. He is regarded as a key security commentator and is regularly quoted and published in industry publications and mainstream media.
  • Becky Pinkard is a renowned practitioner and commentator on the information security sector who has been working in information technology and security since 1996.
  • Rick Goud is the co-founder and CEO of Zivver, one of the top secure communication platform companies in Europe.

Tops covered off include:

  • Behind the stats: the top causes of data breaches in the UK
  • Data leak blunders and how to prevent them 
  • Evolving security threats with a remote workforce 
  • Modern solutions to secure outbound communications 

Watch again by clicking here

Securing outbound email is vital to help safeguard sensitive information and prevent data leaks. The good news is that this can be done easily and affordably with ZIVVER’s secure communication platform.

Getting started is easy

Setting up a ZIVVER account for up to 50 users can be conveniently done from any device in just a few clicks, 24 hours a day, 7 days a week. Simply choose the desired plan, select the number of users, and pay with a credit card to immediately begin sending communications securely.

Use the code WFH30UK to get 30% off for the first 3 months of your subscription – Click here to get started.

WEBINAR: How to Tackle Working From Home Security Threats

960 640 Stuart O'Brien

Learn the secrets to securing your organization’s communications while safeguarding against costly data leaks with a remote workforce. 

This April 30 webinar from ZIVVER features three industry experts who will bring you up to speed on the new threat landscape. 

Stay alert to WFH security threats 

Be in the know and hear about the following:

  • Behind the stats: the top causes of data breaches in the UK
  • Data leak blunders and how to prevent them 
  • Evolving security threats with a remote workforce 
  • Modern solutions to secure outbound communications 

Learn from these IT security experts

We’re delighted to have two incredible guest panelists alongside ZIVVER’s co-founder and CEO, Rick Goud. They’re ready to share valuable insights on how to effectively secure outbound communications.

  • Quentyn Taylor is Head of Security for one of the largest enterprises in London. He is regarded as a key security commentator and is regularly quoted and published in industry publications and mainstream media.
  • Becky Pinkard is a renowned practitioner and commentator on the information security sector who has been working in information technology and security since 1996.
  • Rick Goud is the co-founder and CEO of one of the top secure communication platform companies in Europe.

Following the panel discussion there will be an interactive Q&A session where you can ask questions.

Click here to register for the webinar