5 Ways to Protect Your Data When Everyone’s Working from Home
Remote working has been a lifesaver during the pandemic - figuratively and literally. But when people are working outside of your secure IT network, they immediately become targets for cybercriminals. According to a recent Deloitte survey, phishing attacks have increased by a massive 26% in the past year.
That same survey highlights another potential threat: the rogue worker who steals data. One in four workers admits that they have considered making copies of proprietary information “just in case.”
It’s a major concern for employers. If anyone gets hold of your data, it could leave you open to extortion and fraud while exposing you to regulatory fines and reputational damage. Data breaches cost an average of $3.86 million. That’s enough to sink most small-to-medium businesses.
The Golden Rules of Data Security When Your Workforce is Remote
So, how can you enjoy the benefits of remote working while keeping your data safe? Here are five golden rules for data security.
1) Set out remote work best practices
On-site workers are protected by enterprise-grade security measures, including sturdy firewalls and a physical security policy.
When you work from home, you have to provide a lot of these security measures yourself. IT and HR should work together to roll out a set of best practices that cover things like:
- Physical security: Put simply, you have to keep people away from your work devices. Password protect your laptop and phone. Never leave them lying around in public.
- Two-factor authentication (2FA): Use 2FA where possible. Usually, this means getting a code via SMS or a secure app before you log in.
- Connectivity: Avoid using public Wi-Fi, such as the connection in a café or airport, and instead consider investing in personal internet devices like MiFis. Make sure your home router has the latest firmware and strict security settings.
- Device maintenance: Perform regular checks on your devices to ensure that you’re running the latest software. Make sure you always have appropriate anti-virus software running in the background.
- Hardware and software: Avoid connecting cheap devices like webcams to your network – they can act as backdoors for hackers. Don’t install any new software on your work device unless you’re 100% certain that it’s safe.
Best practices should be concise and easy for anyone to follow. The goal is to empower people to help protect data security.
2) Educate everyone on the dangers of social engineering attacks
Social engineering is a diplomatic way of saying that people are sometimes gullible and can be tricked into giving system access. Phishing is a common social engineering strategy. Criminals send a fake email that sends you to a fake website and asks you to log in with your real credentials. Back in 2014, Sony Pictures lost $100 million to a phishing attack.
You can help mitigate social engineering by encouraging people to follow a few basic rules:
- Always check the Sender info on incoming emails
- Look at the URL of a website before you click any links
- When you’re on a secure website, make sure the padlock icon is visible in the browser address bar
- If you receive unsolicited phone calls asking for system access or sensitive files, always confirm the caller’s identity before proceeding
- Never, ever share your passwords with anyone, under any circumstances, ever
If criminals obtain a legitimate username and password, it’s like giving them a key to the office front door. That’s why hackers put so much effort into social engineering – and why we all must be vigilant.
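The sender and URL rules above can also be checked automatically before a message reaches anyone. The following Python sketch is an added example, not part of the original article; the trusted domain, the sample message and the warning labels are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"  # assumption: the organisation's own domain

# Constructed sample message for illustration, not a real email.
SAMPLE = """\
From: "Example IT Helpdesk" <helpdesk@examp1e-support.net>
Reply-To: reset@mail-collect.net
Subject: Password expires today
Content-Type: text/html

<p>Sign in: <a href="http://login.examp1e-support.net/reset">https://portal.example.com/reset</a></p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()

def check_message(raw):
    """Return the list of warning labels raised by one raw message."""
    msg = message_from_string(raw)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_dom = domain_of(sender)
    ours = sender_dom == TRUSTED_DOMAIN or sender_dom.endswith("." + TRUSTED_DOMAIN)
    # Sender info: the display name uses the organisation's name, the address does not.
    if TRUSTED_DOMAIN.split(".")[0] in display.lower() and not ours:
        findings.append("display-name-mismatch")
    # Replies would be delivered to a different domain than the sender's.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and domain_of(reply) != sender_dom:
        findings.append("reply-to-mismatch")
    for href, text in LINK_RE.findall(msg.get_payload()):
        # The visible text shows one host while the link goes to another.
        if "://" in text and host_of(text) != host_of(href):
            findings.append("link-text-mismatch")
        if urlparse(href).scheme != "https":  # no padlock on the destination
            findings.append("link-not-https")
    return findings

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

A message that raises any of these labels is a candidate for quarantine or a warning banner; an empty list only means these particular checks passed.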
3) Switch to Cloud services where possible
There are two types of enterprise software: on-premise, which sits in your office network, and Cloud services, which are hosted by a third-party company on their servers.
When you’re working with a remote team, Cloud services are by far the most secure way to go. Consider these two possible scenarios:
- Sensitive spreadsheet stored on the local network: Employees may have to use a remote access tool to view and edit this spreadsheet, which creates a security risk. Alternatively, employees might make their own copy of the spreadsheet and bring it home.
- Sensitive spreadsheet on the Cloud: If you use a solution like Google Drive, everyone can log in and view the sheet from anywhere. Google, or your chosen Cloud service provider, will encrypt the file while it’s in transit.
Talk to your remote workers and ask them about the systems and files that they need to access. If you think the current solution poses a security risk, you might consider a Cloud alternative.
4) Implement role-based access rules
Everyone should have access to the data they need and nothing else. For instance, only customer-facing employees should have access to customer data. Everyone else should be locked out. This way, you reduce the risk of unauthorized access.
But how do you manage that access, especially when your business is going through turbulent changes? The easiest way is to categorize everyone by role: customer service, sales, operations, HR, and so on. Each role can have one of three types of access for each database:
- Read-write: This role can view database contents, make changes, and add new data.
- Read only: This role can see data, but they can’t make any changes.
- No access: This role is barred from viewing or editing data.
Most cloud applications will allow you to implement these access rules. Alternatively, talk to your IT team about putting the policy in place.
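The role and access-level scheme described above, written out as a deny-by-default check, with an audit for roles people keep after changing jobs. This is an added example, not from the original article; the database names, user names and role assignments are constructed assumptions.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0        # "No access"
    READ_ONLY = 1   # "Read only"
    READ_WRITE = 2  # "Read-write"

# Constructed policy: role -> database -> access. Database names are assumptions.
POLICY = {
    "customer service": {"customers": Access.READ_WRITE, "orders": Access.READ_ONLY},
    "sales": {"customers": Access.READ_ONLY, "orders": Access.READ_WRITE},
    "operations": {"orders": Access.READ_ONLY},
    "HR": {"staff": Access.READ_WRITE},
}
# Constructed data: the job each person holds now, and the roles granted to them.
CURRENT_JOB = {"alice": "customer service", "bob": "operations", "carol": "HR"}
GRANTS = {"alice": {"customer service"}, "bob": {"operations"}, "carol": {"HR", "sales"}}

def effective_access(user, database):
    """Highest level any granted role gives; unlisted pairs default to NONE."""
    levels = [POLICY.get(role, {}).get(database, Access.NONE) for role in GRANTS.get(user, ())]
    return max(levels, default=Access.NONE)

def is_allowed(user, database, write=False):
    """Deny by default: reads need READ_ONLY or better, writes need READ_WRITE."""
    return effective_access(user, database) >= (Access.READ_WRITE if write else Access.READ_ONLY)

def stale_grants():
    """Roles left over from an earlier job, with the databases they still open."""
    findings = []
    for user in sorted(GRANTS):
        for role in sorted(GRANTS[user] - {CURRENT_JOB.get(user)}):
            opened = sorted(db for db, lvl in POLICY.get(role, {}).items() if lvl > Access.NONE)
            findings.append((user, role, opened))
    return findings

if __name__ == "__main__":
    print(is_allowed("bob", "customers"))
    print(stale_grants())
```

Running the audit after every reorganization shows which leftover roles to revoke, such as carol's old sales role that still opens customer data.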
5) Set up a rapid response breach reporting system
A study by IBM shows that you can save $1 million if you identify a breach within 200 days. Unfortunately, it takes an average of 280 days to identify most breaches.
A breach isn’t like a robbery. The cybercriminals don’t leave a trail of footprints and broken glass to indicate that a crime has been committed. Breaches are often first detected when someone notices something slightly off, like a weird event log entry or an unrecognized login.
You can help identify breaches quickly by setting up a rapid response reporting system. You’ll need the following:
- Reporting channel: Everyone should have an easy way to report suspicions. You can set up an intranet page or create a dedicated email account for this.
- Education: Everyone needs to know how to identify suspicious activity. Make sure that they feel comfortable reporting everything, even if it reflects badly on them, like falling for a phishing scam. The sooner they report, the sooner you can respond.
- Response protocol: You’ll need people monitoring breach reports at all times. They’ll need to know how to dig deeper and find out if there’s cause for concern.
- Action plan: What happens if there is a breach? You’ll need an action plan, which may include performing a security review and notifying anyone impacted by the breach.
Remote working definitely poses some real cybersecurity risks. However, it’s here to stay. With the right planning, processes, and education, you can stay safe while your people remain productive, no matter where they are.