Security tips for small business
The WHO's announcement this week that it had raised the status of the global COVID-19 outbreak to pandemic level has triggered a number of governments to announce increased control measures for citizens. In Ireland, schools, colleges and childcare facilities are closed. Clubs and bars have followed, and further announcements are now likely rather than possible. The direction for workers to work from home where possible may seem to solve some problems for some households and to be an adequate control measure for employers. It does, however, introduce a number of risks and security concerns for companies that should be noted. This pandemic will see a level of working from home never seen before in the state, with a level of security risk to match. Of course I’m not suggesting that people go to work where there is such a level of risk, just that employers are aware of and plan for the related security risks.
The situation across the country for the next few weeks will involve employees taking company equipment home, connecting it to home networks, sending and receiving more emails than ever, working at makeshift office spaces in kitchens and bedrooms and printing company documents on home printers. All of these tasks, while necessary, have risks. Those risks are what I want to talk about here.
To facilitate work at home, a lot of company laptops, tablets etc. are going to be taken home, away from secure workplaces and IT departments. They need to be transported in private vehicles and stored in private homes. All of this carries risk: risk of theft, damage and loss, as well as cyber security challenges. Some tips:
- Make sure laptops are transported and stored in correct laptop bags and not left on display in vehicles or homes.
- Laptops should at least be password protected and preferably be encrypted, as should hard drives and USB keys.
- Make sure that all of your security software, anti-malware and software updates are up to date and turned on.
Connecting work equipment to home networks has its own unique set of risks. How can an employer tell if the home network is secure or not? How can they know what or who else is on that network? I heard only a week ago a person in a cafe delighted with the fact that they were to be working from home while bemoaning the fact that they would have to piggyback on their neighbor's Wi-Fi to get a decent service.
- Password change: When was the last time the password was changed on the home Wi-Fi network? Have you considered asking the employee to change the password before connecting to the network? For a handy tutorial on how to do this, take a look at this video: https://www.youtube.com/watch?v=r8iv6IFtlD
- Use a VPN: Make sure staff have access to and are using a VPN on company equipment or when accessing company data, even when on their home network. Companies such as Hotspot Shield, Express VPN and Nord all provide great entry-level products.
You can read a previous article on Wi-Fi risks here: https://securityoperative.ie/basic-cyber-security-for-security-operative
The volume of emails in any company is going to increase dramatically over the next few weeks. The inability to look across the office and ask a question, or pick up a phone and call the extension of accounts, will lead to more and more mails being sent and received. This creates an opportunity for criminals. Somewhere within the avalanche of emails sent to and from employees over the coming weeks will be phishing emails with the intent and capability to cause huge harm to your business.
- Make sure your employees are trained and aware of what to watch for when it comes to phishing emails
- Have a process in place for escalation of an incident if it occurs while employees are working from home
This article on the dangers of phishing was written by a guest contributor on our Security Operative blog: https://securityoperative.ie/phishing-for-security-operatives/
Makeshift offices will be set up at kitchen tables, couches and spare bedrooms all over the country over the next few weeks. These are places that we probably wouldn’t be allowed to set up in our own workplaces. They may suffice for a while, but in the medium term it is worth considering that an employer's duty of care extends to making sure the workplace is safe (even if that workplace is the employee's home). In the office we would have ergonomics assessments, VDU assessments and all sorts of policies and procedures. What is there for the home?
- Give employees guidance on how to set up the work space at home from a health, safety and welfare perspective
- Make sure staff are aware of VDU timescales and control measures for screen time
- Is there PPE or equipment that needs to be brought from the office to support working (glare screens, foot rests and wrist supports etc for desk based workers)?
- Consider how you would know if an employee was ill or injured or unable to work while at home. Do you have a check-in system or a communication plan?
While some employees will be working from the family home surrounded by kids and loved ones, others will be working in apartments and houses where they rent a room with strangers. Company documents and information on laptops may be left in areas where they could be seen, copied, stolen or shared. Have you considered and advised staff on measures to protect the confidentiality of work documents?
- Have you provided guidance to staff on locking screens when left unattended?
- Do staff have an area at home to safely store company documents?
- Do staff have access to a shredder for confidential documents?
Staff who have concerns about security at work have a definite line of reporting while in the office, but what about at home? Do they know how, when and to whom a security report should go, or what to do if they have concerns about a security breach or incident?
- Set up and communicate a direct line to whoever is responsible for security issues within the company. Ensure there is somebody staffing this line at all times when employees may be working.
- Ensure your security team have a method of investigating potential issues if they or the employee in question is not on the office network.
- Communicate with your employees in a ‘no blame’ way about security incidents
In these unpredictable times working from home is both a necessary and an appropriate precaution. I’m by no means saying that it shouldn’t happen. What I am saying is that we shouldn’t turn it into an additional high-risk activity for the business. Very simple measures such as those we have outlined above can support your business in reducing the risks and enabling your employees to get you through these challenging times.