Volume 3 | March 2022
Human-Centered. Solutions Driven.
CULTURE CORNER: Cyber Security for WFH
By Kevin Black
Does your company have employees working remotely? Are you certain that your employees working from home are adequately protected from cyber threats?
The landscape of the workplace has changed significantly over the past couple of years. The number of employees working from home has increased dramatically as a result of the COVID-19 pandemic and optimized remote work technologies. As more individuals work from home, the cyber threat posed by these remote workers is increasing as well.
When working from home, it is essential employees practice good cyber security hygiene to ensure their workplaces do not become targets of cyber-attacks. It is vital to ensure remote employees understand the risks brought on by this remote work and take the appropriate steps to protect their data. Chief among these steps is cyber security training and awareness for all remote employees. This includes education on the most common attack vectors, home network security, access control, data retention, and keeping up to date on patching and system updates.
Two of the easiest ways for an attacker to gain access to a device are through phishing and social engineering. These two techniques are often used to gain initial access to a company’s network. Educating employees on what to look for and how to respond to these techniques is essential in ensuring cyber security in the work-from-home environment.
Phishing is defined by the US National Institute of Standards and Technology (NIST) as “A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.” Similarly, social engineering is defined by NIST as “The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.”
Phishing and social engineering attempts often come in the form of an email using an email address that appears legitimate. This could be a fake email from a vendor that is known to the employee or it could be a prize from a fake contest. It is essential employees refrain from clicking on any email links they were not expecting. When in doubt, it is best to confirm with the sender through another means of communication (phone call, text message, web chat, etc.) before clicking on any unexpected links.
Social engineering can even be something as innocuous as a new acquaintance asking questions about an employee’s workplace. Training employees to be careful with the information they give out to others is the best way to protect against social engineering. If there is any doubt over whether an individual should be given information, always err on the side of caution and verify with the employer or customer before sharing any information.
Remote work also brings about increased cyber risk through the very nature of relying on an employee’s home network configuration for cyber security. Many home networks still use the default router password to gain access to Wi-Fi and some service providers do not provide adequately protected routers. Employees need to ensure their home internet passwords are non-default and complex enough to prevent outsiders from gaining access. In some cases, purchasing a firewall router to provide additional protection may be necessary.
When working from home, it is highly important to utilize a strong and secure password for both home internet and the computer used for work. Passwords that are too short, easily guessed (like “password” or “1234”), or not changed at a set interval can be more easily bypassed. Passwords should be, at a minimum, 8 characters in length. Passwords should not include any regular words or phrases and should include a mixture of upper- and lower-case letters, numbers, and symbols. The more complexity in the password, the more difficult it will be to break. When using symbols in passwords, avoid using the characters “<” or “>” as these characters can create problems in certain web browsers.
It is vital to keep the computer used for work up to date with the latest virus definition updates (if using real-time anti-virus scanning software). In addition, employees should always update the system with the most up-to-date patches and system updates. Staying on top of these updates will keep the device protected from emerging threats.
When disposing of storage devices like USB drives, external hard drives, or even internal hard drives, employees need to keep decommissioning best practices in mind. If the storage device won’t be used again, then physically destroying the device will ensure all data is completely lost. If the removable storage will be re-used, then purging it, by not only deleting the data but also overwriting the unallocated space, will ensure the data cannot fall into the wrong hands.
Working from home exposes businesses to a wide array of cyber threats, but also creates a more dynamic and fruitful work environment. As working from home continues to be common across industries, it is essential to ensure employees know how to maintain good cyber security practices.
Have you ensured your employees are ready to protect your company data while working from home?