With millions of people across the world now working remotely, businesses and employees are finding themselves adapting to a new norm of a distributed workforce. This obviously has a huge impact on the ways people work and behave online, and these behaviours could be putting company data at risk. Here are seven best practices to help you and your teams keep data and employees safe at this time.
1) Check that you’re sending your email to the right person
Sending an email to the wrong person may seem like a harmless mistake, but misdirected emails were the leading cause of online data breaches reported to the Information Commissioner’s Office (ICO) last year. During this time, people are more reliant on email as a channel to communicate with colleagues, customers and suppliers than ever before. It just takes one typo or one email sent in haste for potentially sensitive company data or information to land in the wrong inbox. Take an extra minute to double check who you’re sending your emails to, especially if the messages contain sensitive information.
2) Never send company data to personal email accounts
Employees may well send work to their personal email accounts so that they can work on documents on their own, more familiar devices. We get it; it’s convenient and people may feel like they get jobs done faster on their own laptops, for example. However, while this is well-intentioned, data is still being exfiltrated out of the business and is potentially at risk.
Personal email accounts can be compromised, especially if configured with weak passwords. It’s also important to note that the simple act of sending data to personal email accounts could mean that businesses are at risk of breaching regulations like GDPR because, as the Data Controller, the company no longer has oversight as to where data is held.
3) Report near misses
Mistakes happen. Many of us will now be working in homes shared by others, be it housemates or family members, so there are bound to be new distractions that increase the likelihood of us making mistakes in our work. We are also using smaller screens and unfamiliar devices, which could also make us more error-prone. Such mistakes could result in emails accidentally being sent to the wrong person, or in us missing the cues that signal a phishing attack and clicking on a malicious link.
Always report near misses to your IT security teams. It’s likely that others have also made these mistakes and, by sharing this information, your business can take action to modify procedures or policies to help prevent the issue occurring again.
4) Avoid sharing company data over public WiFi
Data is at greater risk when you are not connected via the workplace network, so all the services and files you access are at high risk of attack. When connecting to a service over the internet, check the address bar to ensure the protocol used is HTTPS, not HTTP. If you’re using a service from your employer that isn’t HTTPS, avoid connecting and inform your IT team of the oversight. Also, ensure you are keeping VPN software on work devices up-to-date.
5) Think twice about using your phone as a hotspot
Connecting your work laptop to a hotspot on your personal mobile phone may seem like a good workaround if you’re having trouble connecting to your home WiFi. However, if your phone has already been compromised by an attacker, it’s possible that hackers could now access your corporate network.
For example, say you opened a malicious attachment from a phishing email on your mobile phone. If that malicious attachment contained spyware, hackers can infiltrate your phone. If you then connect your work laptop to your personal hotspot, hackers could have a foothold into your company network too. Always check with your IT and security teams before you consider using a hotspot as a workaround in the case of limited access to Wi-Fi.
6) Only use company-approved collaboration tools
Always consider the security implications of the conferencing, chat and other collaboration applications teams will be relying on. IT teams need to clearly and simply communicate to employees what sort of information can be shared on these tools. IT teams must also make it clear that staff cannot download new software or use new online tools without company approval. It can sometimes be frustrating when working remotely and you just want to “get something done”, but you should always run new tools past your IT security teams before downloading them.
7) Be less trusting of emails
Hackers are taking advantage of this global health crisis and increasing the number of Covid-19 related phishing attacks. Be more vigilant than usual when it comes to spotting phishing attacks – both on your work and personal emails. When reviewing any suspicious or urgent emails, ask yourself:
● Would I normally be asked to share this information or pay this invoice?
● Do the email addresses and display names match the organisation or institution contacting me?
● Are they asking me to click on a link? Does the URL look legitimate when I hover over the link?
If you’re ever unsure, do not click the link, download an attachment or comply with the request. Inspect the display name and examine the full email address of every sender, especially when on your mobile phone, and verify the identity of the sender by contacting them directly.
Protecting people and the company data they handle needs to be a top consideration for businesses during this crisis. By communicating good cybersecurity practices and helping employees understand how best to protect the data they share, businesses can keep their staff safe when working from home.
Ed Bishop is the Chief Technology Officer and co-founder of Tessian.