How to manage cyber security when staff are working from home

Working from home has become the new normal for many businesses. But with staff out of the office, managing cyber security is even more challenging.

A big cultural shift has taken place in the workplace in recent years: home working. While this was escalated by the pandemic, working from home has been gaining popularity among staff and employers for some time.

This workplace revolution has plenty of perks. Employees get a better work/life balance and there’s no daily commute. Employers have reduced office costs and happier staff. Plus, it’s good for the planet. But there are challenges.

One of the biggest issues facing businesses is cyber security. In this guide, we’ll look into some of the biggest cyber security threats with home and co-working. We'll also provide simple tips to help protect your business.

Why is it important to protect devices?

When employees are in the office, business leaders are in control. Leaders can take steps to protect IT networks. They can ensure software is up to date. When the office is locked at night, leaders know everything is safe. But with home working, this all changes.

Devices are much more likely to be breached at home. Since home connections are less secure, cyber criminals find it easier to hack into them. And once crooks gain access to devices they can access your entire business network. This could lead to sensitive data being stolen among other things.

As Chris Mayne found, it can take a few weeks to set up secure remote working systems

“We wanted to see how well prepared we would be for remote working and, outside of our software team, the answer was not very well. The business then spent a couple of weeks reworking a few things like the phone system and put a lot of cyber security measures in place. After a first week of teething troubles, it’s been running fairly well.”

Chris Mayne, MD at Forsberg

Steps to take to protect devices

While home working presents plenty of risks, these can be mitigated. By taking simple precautions, your staff can protect their devices – and your company.

Secure the environment

Before we get to the technical stuff, it’s essential that employees secure their home or co-working environment. Here are some steps staff can take:

Hide screens from view: Shield screens from passers by and people on neighbouring desks. This includes seeing through windows and doors.

Enable automatic locking: Staff should lock devices when not in use. In case they forget, automatic locking should be enabled. Devices should lock within five minutes.

Store devices safely: Employees should put devices somewhere safe at the end of the day. Ideally in a locked drawer.

Clear procedure for reporting stolen devices: Make sure staff know what to do if their device is lost or stolen. This means who to report it to and how. Encourage a blame-free culture. The faster staff report an issue, the less likely a breach will occur.

Set strong passwords

Ensuring that staff use strong passwords is vital. Passwords should be at least 16 characters long. They should include letters, numbers and symbols.

Avoid anything that’s easy to remember. This includes things like repeated numbers and patterns. Staff must not include anything that relates to them. This includes things like date of birth and address. Passwords should look random.

Use two-factor authentication

Two-factor authentication means staff need two pieces of evidence to access your network.

A strong password is usually the first factor. Once the employee enters this they receive a one-time code. This usually happens through a third party app or text message. Access is only granted with the correct password and one-time code.

Two-factor authentication can reduce the risk of cyber attacks. Even if criminals access a password, it can be much harder to get the one time code.

That said, SMS is not a good choice for the second factor. Attackers have learned how to switch the phone number to another sim card. Google Authenticator and Duo are popular apps for two-factor authentication.

Encrypt devices

Encryption is a great way to help protect devices. Device encryption is the process of scrambling data into an illegible code. This makes it unusable to anyone without a password or a recovery key. Most devices have an option to enable encryption.

Use Virtual Private Networks (VPNs)

VPNs help staff to access IT resources safely. VPNs confirm devices before granting access to your business network. They also encrypt data. This means data is scrambled so that third parties can't understand it.

Make sure the internet is secure

One of the easiest ways for scammers to hack into a network is through unsecure WiFi. Staff should change their home WiFi password from the original one. WiFi passwords should be at least 25 characters long. They should include letters, numbers and symbols. Passwords should appear random.

Take cautions with removable media

USB drives are easy to lose, which can be a problem if they contain sensitive data. USB drives can also introduce malware into your IT systems. Tracking which external drive caused the problem can be difficult. Here are some steps to reduce the chance of infection:

  • Disable removable media
  • Only allow company USB drives from your company
  • Encrypt USB drives
  • Encourage staff to share files in different ways. This could include websites like WeTransfer, Google Drive or internal systems

Maintain devices

Well-maintained devices can offer the best protection. Here are some steps staff can take to help keep devices safe:

Ensure the operating system is up to date: Apply security patches as soon as possible. Automatic updates are the best way to achieve this.

Ensure software is up to date: Apply software updates as soon as possible, too. This includes applications such as web browsers. Software usually updates on its own. But staff should still check for updates.

Use antivirus software: This can help protect your device from viruses and other types of malware. Software like Norton is a popular choice.

Teach staff about online security

Cyber security training for staff is more important than ever. If your employees know what to look out for, they are less likely to fall victim to a scam. Google has compiled a useful guide on protecting devices from malware. Here are some top tips to stay safe:

  • Think twice before clicking links or downloading anything
  • Be careful about opening email attachments or images
  • Don't trust pop-up windows that ask you to download software
  • Limit your file sharing

Use Find My Device and Remote Wipe

Most devices have a feature which lets you identify its location by GPS. If a device is lost, this can help you find it. Remote Wipe is for worst case scenarios. If your laptop is stolen, this feature lets you wipe its contents remotely. Wiping a device can make it much harder for criminals to access data.

Separate work and personal devices

Employees should use work devices for work alone. Activities like social networking should be done on personal devices. Employees face the most risk of cyber attack on personal tasks. For example, online shopping or watching video content.

Bring Your Own Device (BYOD)

For some companies, it might not be possible to supply staff with devices. In this case, employees will be required to use personal devices for work. This practice is known as Bring Your Own Device (BYOD).

Security challenges include:

  • Making sure staff follow company rules
  • Making sure devices comply with company rules
  • Data protection
  • Making sure networks are safe
  • Staff privacy
  • Making sure staff and devices do not break the law

A BYOD scheme must work for your employees. If the system makes life difficult or leads to a poor work/life balance, staff might reject your approved approach. This could increase the security risk. Read the latest government advice on BYOD here.

John Owen gives employees clear guidelines on how to keep data secure

“We have guidelines that every employee is given in terms of how to handle and treat data. We also do a bit of housekeeping at the end of the year, where we review and delete a lot of files and look at what is shared with who.”

John Owen, co-founder of Masterclassing