Over the last several weeks, workforces across the world have transitioned from office to home. While security teams may have struggled initially to get their teams set up to work securely outside of their normal environments, by now most organizations have introduced new software, policies, and procedures to accommodate their new distributed teams.
We spoke with former CISO of KPMG Carolann Shields along with Tess Frieswick of Kivu Consulting and Hayley Bly of Nielsen about what the shift means for cybersecurity in a webinar on March 26.
Carolann summed it up nicely when she said “Remote-working introduces complexities that you just don’t have when you can have everyone sitting in an office behind a firewall. It’s a difficult task trying to keep everyone secure and behavioral change and educating folks will be really important. If those things weren’t already a part of your cybersecurity program, they’re going to need to become a part of your cybersecurity program.”
While IT departments no doubt bear the burden of protecting sensitive data, data loss prevention (DLP) is the responsibility of the entire organization. And, while this sudden move to remote-working brings a host of new challenges – from effectively collaborating to co-working with partners, roommates, and children – data security should still be top of mind for both security leaders and individual employees, too.
“It’s a difficult task trying to keep everyone secure and behavioral change and educating folks will be really important.”
Carolann Shields
Former CISO, KPMG
So, what can you do to help prevent data loss within your organization? We have some tips.
1. Don’t work from your personal devices
While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.
Whether it’s the protection offered by a simple firewall or antivirus software, you’re more protected when working on company-sanctioned devices.
Beyond that, though, the process to get work-related documents onto personal devices is risky on its own. We’ve written about this extensively in our blog The Dark Side of Sending Work Emails “Home”. In short, personal email accounts are more likely to be compromised than work email accounts.
It may be because your personal email account is configured with a weak password or, the worst case, your personal email account may have already been infiltrated by an attacker who could easily intercept whatever sensitive data you’ve emailed to yourself.
Note: IT teams should ensure employees have a secure way to connect their authorized work devices to their personal printers in the event they need to print any documents. This will help them avoid them having to send sensitive documents to their personal accounts in order to print.
2. Be cautious whenever sending sensitive information via email
Tessian has seen a 20% increase in email use with the shift to remote working. That means more sensitive data is in motion than ever.
More email traffic, unfortunately, means employees have more opportunities to make mistakes. One of the biggest mistakes an employee can make is sending an email to the wrong person and, as most of us know, it’s easy to do.
So, to avoid making this costly mistake, always double-check the recipient(s) of your emails. Ensure you haven’t made any spelling mistakes, and, if you’re using autocomplete, make sure the correct email address has been added.
Beyond that, you should always be vigilant when using Cc vs. Bcc and Reply vs Reply All and take time to check that you’ve attached the right documents.
3. Stay up-to-date on the latest phishing and spear phishing trends
Cybercriminals use increasingly advanced technology and tactics to carry out effective phishing and spear phishing campaigns. They also tend to take advantage of emergencies, times of general uncertainty, and key calendar moments.
While you should always be on the lookout for the red flags that signal phishing attacks, you should also stay up-to-date on the latest trends. We’ve written about several on our blog, including phishing attacks around COVID-19, Tax Day, and the 2020 Census.
For more information on how to catch a phish, click here.
4. Use password protection, especially for conferencing and collaboration tools
Zoom has made headlines over the last several weeks for the security vulnerabilities found in the platform. While the online conference tool is working on their backend, individuals must do their part, too.
To start, ensure you’re using strong passwords. For an application like Zoom, this also means always password-protecting your meetings, never sharing meeting links with people you don’t know or trust, and never sharing screenshots of your meeting which include the Zoom Meeting ID.
Managing so many passwords can be difficult, though. That’s why we recommend using a Password Manager. Click here for more information about the Password Manager we use at Tessian along with other tools that help us work securely while working remotely.
Note: If you’re an employee, you shouldn’t download new software or tools without consulting your IT team.
5. Avoid public Wi-Fi and hotspots
Currently most of the world is working from home, but “working remotely” can extend to a number of places. You could be staying with a friend, traveling for work, catching up on emails during your commute, or getting your head down at a café.
Of course, to do work, you’ll likely rely on internet access.
Public Wi-Fi or hotspotting from your mobile device may seem like an easy (and harmless) workaround when you don’t have other access, but it’s not wise. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network.
6. Follow existing processes and policies
When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place.
Whether it’s rules around locking your devices (see below) or procedures for sharing documents, they’re just as important – if not more important – while you’re working remotely.
This applies to training too. If your organization offers security training, do your best to keep those tips and best practices top of mind. If you’re unclear on the do’s and don’t of cybersecurity, consult your IT, security, or HR team.
7. Always lock your devices
Working outside of the office, even in a home environment, carries additional risks. That means you should always lock your devices with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes.
8. Report near-misses or mistakes
Whether you’ve sent a misdirected email, fallen for a phishing scam, or had your device stolen, it’s absolutely vital that you report the incident to your IT or security team as soon as possible. The more lead time and information they have, the better the outcome of remediation.
By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue occurring again. It’s a two-way street, though. Organizations must build positive security cultures in order to empower employees to be open and honest.
For more tips on how to stay safe while working remotely, read this Ultimate Guide. We’ll also be publishing more helpful tips weekly on both our blog and LinkedIn.