The evolution of the workplace has accelerated over the past year for reasons too painfully obvious to mention. In light of the office exodus, employers have been set the enormous task of adapting and accommodating a remote workforce and managing morale in the face of furloughs.
Among the many practical challenges is shoring up your cybersecurity defences. The several risks posed by furloughed and remote workers may not occur to many employers, so here’s a shortlist of challenges and actionable solutions for your organisation.
Suspicious emails lying dormant in inboxes
When your furloughed employees return to your workplace, it’s all systems go. Top of the agenda for many people is to clear that inbox, stat. But in the rush, your employees may fail to notice suspicious emails.
Worse still, many employees aren’t even aware of their personal responsibility to filter phishing emails. A 2021 phishing report by Proofpoint found that just over half of organisations provide company-wide cyber-security training, and consequently, only 63% of respondents within organisations were able to answer what phishing was correctly.
What to do: Prioritise security awareness training for your team and make sure you impress on your furloughed employees the continued importance of being vigilant against phishing emails. Consider disabling accounts until such time.
Resetting passwords on personal devices
How good are you at remembering your passwords? The better you are at creating strong, unique passwords, the less likely you are to remember them. Luckily, our clever devices have a way of remembering all of our passwords for us. Great, right? Well, only until you need to change devices.
Those who have switched to working from home are likely to also be using their personal devices to conduct business. What happens when they have forgotten their passwords? Password reset links, of course. But be warned that not all password reset links are made equal.
Some password reset solutions email your existing password to you or assign you a new unique password in plain text. In these instances, users are less likely to go to the effort of resetting their password. Another potential issue is password reset links that don’t expire. In both of the above scenarios, anyone with access to their email will also have access to the offending web application.
What to do: Employ multi-factor authentication (MFA) on password resets for sensitive business web apps. Users verify their identity with security questions, mobile verification codes, other digital identity providers such as LinkedIn or even fingerprint authentication.
You can also set a password expiration policy, requiring employees to regularly update their passwords. Enforce compliance requirements to prevent weak passwords.
Malware on personal devices
On the subject of personal devices, can you ensure that your employees have installed adequate antivirus software? You have strict policies in place to safeguard your employee’s work devices from malware, but you may not have paid the same consideration to malware threats outside of the office.
Are you willing to bet your company’s online security on the idea that your employees don’t illegally download content online? And even if you are that trusting, can you attest to the security-savviness of the family members that share their devices? According to a 2018 report by internetmatters.org, nearly one in ten children have been affected by malware. A pirated download of Peppa Pig could bring your company to its knees.
What to do: Domain isolation. In other words, restrict access to non-approved devices. Put further barriers in front of your most security-sensitive data. Make sure sensitive data is only visible to users who strictly need access to it.
Lack of access to onboarding and security awareness training
So far we’ve focussed on existing employees, but let’s not forget new hires and the importance of proper onboarding.
Listen, we all know that most employees are more interested in hearing about holiday allowances and Friday happy hour, but the security culture of your company is one of the most (if not the most) important part of the onboarding process.
What to do: Make sure that proper security training is not a footnote, but a core part of your new hires’ integration into your organization. Ensure that all new employees sign up for accounts on your security tools and are trained to use them effectively.
The bottom line
Don’t overlook the security threat posed by employees who are not in the office. Furloughed and remote workers may not consider how their working style could impede your company’s cybersecurity efforts.
Out of the traditional office environment, extra steps should be taken to educate new and existing employees on cybersecurity. If you aren’t already, it’s vitally important to start employing password policy best practices. Make sure all your employees respect the need to regularly update passwords and help by using tools to create strong, complex, and uncompromised passwords.
Contributed by Jason Hart, Cybersecurity Expert
