In recent times, lockdowns and work-from-home orders have required businesses to rapidly scale up their remote working capabilities.

Remote working can be the ultimate test of your cyber and information security culture. 

Any habits established in the office – good or bad – will be reinforced at home, so it’s essential to cultivate a positive baseline cyber security culture. Whether remote working arrangements are business continuity or business-as-usual, dedicated employees will seek to comply and do the right thing. But you need to set them up for success.

Don’t assume your people will intuitively know how to use new tools appropriately – many organisations have reported that the pandemic has been a significant accelerator of technological change. Here are some cyber risk management topics you can address through training as you prepare your workforce for remote working.

Maintaining basic cyber hygiene

Your network and people are vulnerable to malware threats regardless of where they are working, which is why it’s essential to maintain basic cyber hygiene practices such as updating operating systems and applications, enforcing appropriate access controls, and maintaining antivirus programs and network backups.

As operating system and application updates typically happen in the background while people are working in the office, you may require your employees to play a more active role in ensuring they are applied when working remotely. Make sure you communicate your expectations around this clearly and often, and automate these updates where possible to promote compliance.

Securing devices, connections & business tools

When embarking on enterprise mobility, most organisations prefer to provide staff with company-owned devices because it’s easier to manage their security policy compliance. However, if you allow your people to use their personal devices, you may need to provide guidance about how these devices must be configured and updated before they can connect to your corporate network.

Once you’ve determined which devices can access your network and how, it’s important to train staff to do this securely. It’s a great opportunity to educate your employees on the dangers of public Wi-Fi networks, teach them how to secure their Wi-Fi networks at home, and explain how VPNs work if they’ll be using one.

Once you’ve nominated your preferred collaboration tools, explain their respective security features to your people – this will encourage compliance and suppress any urges to deviate. As an example, if your organisation is using web conferencing platforms to facilitate online meetings, show your employees how to optimise the security settings for their meetings instead of relying on the defaults. This might include features such as password protection, waiting rooms/lobbies, meeting locks and screen sharing controlled by hosts.

You may also recommend limiting the use of video-calling features to an as-needed basis, and turning off the webcam when it isn’t required to reduce exposure to possible social engineering efforts.

Social engineering & scams

Your employees are potentially more susceptible to social engineering away from the office without someone in earshot to give a second opinion on whether a message is legitimate. Social engineering is an act of manipulation designed to exploit our human vulnerability and trick us into doing something we wouldn’t normally do, such as clicking on a link, providing sensitive information or processing a payment.

Cyber criminals can target your employees via email, SMS or even over the phone, for example by impersonating IT support to trick an employee into revealing their password. As scammers seek to capitalise on our emotional response, it’s important to continue to prioritise the human layer of your defences in your training activities. This includes reviewing and reinforcing processes around separation of duties, particularly for payments, to manage the risks of collusion and fraud, and to reduce susceptibility to email payment fraud via business email compromise scams.

Locking down logins

It’s essential to promote secure password behaviours among remote workers, with an emphasis on longer passphrases that are unique for each service. You should also consider implementing multi-factor authentication, where available, as an additional layer of security. It’s a little extra effort for a significant security benefit.

If you’re not ready for broad implementation, consider making it compulsory to start with for accounts with a higher risk profile, such as those of system administrators or finance teams.

Data handling responsibilities

Remote working arrangements shouldn’t be an excuse to neglect normal data handling processes and responsibilities. Your corporate IT equipment is more vulnerable to loss and theft when removed from the office, so it’s worth providing your staff with some tips on how to minimise these risks, including the process to follow if a device goes missing. You may want to consider installing mobile device management software on corporate devices – these tools allow you to track the location of a device, remotely block access to it and erase the data it stores, and even retrieve a backup of that data.

Otherwise, it’s important to impress on staff that it’s business as usual as far as protecting your company and customer data is concerned. Reiterate the importance of locking screens while stepping away from desks, disposing of printed documents securely, considering who is in earshot during sensitive conversations and generally treating your company and customer data with care.

Find out more about keeping your business safe

CommBank Secure for Business

Things you should know

This article is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as financial product advice. As this information has been prepared without considering your objectives, financial situation or needs, you should, before acting on it, consider its appropriateness to your circumstances.