Are your employees returning to the office? Make sure they don’t bring bad security habits with them
As government restrictions lift, employers are now considering both when to bring employees back and how to reduce risk.
Although Covid security is at the top of the list of priorities, cybersecurity is another significant risk to navigate. Research from Tessian, the human layer security company, suggests more than a third (36%) of employees are likely to have picked up bad cybersecurity behaviours or found security ‘workarounds’ since working remotely.
How can businesses turn that round? Here are some tips to make sure your team leaves bad security habits behind.
Review personal devices
Over the last 16 months many of your team will have become used to working on their own laptops, PCs and tablets, devices which likely don’t have as strong security protocols as in-office ones.
This may well have opened the door to phishing, malware and other attacks, where hackers can easily infiltrate a network and steal business data.
When your teams return and want to work from their personal devices, your IT provider could face a mess of new software and applications that people downloaded while at home, all of which need checking, as well as devices to scan for bugs and viruses.
We advise rethinking now how your applications are accessed from home networks, and developing a Bring Your Own Device policy for employee access to company accounts on personal devices. This is especially important if you’re planning for hybrid working where employees will still work remotely part-time.
If some of your team are going back to their office PCs full time, ensure they are logged out of all company systems on their home device(s), and advise them to delete any company data they have downloaded to those devices and to uninstall any VPN software they have been using to access company networks.
Refresh their cybersecurity knowledge
It goes without saying that people are a big cause of cybersecurity problems – all cybercriminals exploit human error, from password laziness to innocent-looking emails, to carry out their attacks.
When employees are settled back into the office, it’s good practice to have a few training sessions that help them understand, recognise and respond appropriately to threats. Make it clear that these are policies they can use not only to keep business information safe, but to protect their own personal accounts as well.
Make sure it’s easy for employees to reach out to your IT provider and encourage them to do so with any concerns, even if they turn out to be nothing. It’s better to be over-vigilant than miss the warning signs of a real attack.
Ensure a monitoring system is in place
Before welcoming employees back to the workplace, it’s worth making sure you have appropriate controls and procedures in place to monitor networks and systems and to notify you that a breach has occurred or is about to occur.
If your IT provider uses a monitoring tool, they should be checking that it is configured correctly to detect any threats or signs of employees attempting to access areas of the network and/or data that they otherwise shouldn’t.
You should also carry out risk assessments, such as where company data has been saved during the remote working period – was it in a public cloud system like Google Drive or Dropbox? This all needs to be recorded to minimise risk and ensure data is safe when you are working back in the office.
Have stronger password guidelines
Poor password choices are one of the top reasons for cyber attacks. Working from home, people may have been lazy and used the same passwords again and again or ones that are easy to guess.
Also, if an employee has been sharing their devices with their family members, have they given away their passwords? Is the password the same across work accounts and personal accounts? These questions need to be answered before they rejoin your company network.
Establish a policy that requires employees to choose passwords that are a minimum of 16 characters with a combination of upper and lower case letters and special characters – and educate them on the consequences of reusing them.
Forcing the use of multi-factor authentication (MFA) is also a good idea: it requires users to submit multiple details, such as a password and an authenticator code, in order to log in to accounts. MFA can act as a deterrent to some forms of cybercrime.
Returning to the workplace after a year or more of working remotely will be a big adjustment both for employees and your IT provider. Make sure to review any personal devices before they’re used in the office, create strong password guidelines and stay proactive about monitoring for cyber threats to keep both your business and your employees safe.
If you’d like any advice about ensuring a secure return to the workplace for your employees, contact our team at firstname.lastname@example.org.