Why companies can’t become complacent as the second lockdown hits


As a lot of the UK finds itself back in Tier 2 restrictions, with staff encouraged to work from home if they can, companies are facing the same quandary as they did back in March: how do we empower our staff to do their jobs just as effectively from home, while ensuring all of our business data is kept as secure as it would be if it didn’t have to leave the ‘four walls’ of the office? It might be a challenge they’ve tackled before, but it doesn’t mean there’s any room for complacency this time around. 

When the pandemic first hit, and lockdowns were first imposed, businesses across the UK spent huge amounts of time and money upgrading their infrastructures and policies to accommodate working from home. But the changes they made then won’t necessarily still keep them covered this time around.

We don’t know when current restrictions are likely to lift, so we could be in for a long winter of working from home ahead. And, with cyber-attacks not only growing week-by-week, but also specifically evolving to target workforces who are accessing valuable data from home, it’s never been more important to keep systems constantly updated. After all, when it comes to security, you’re only as strong as your weakest protocol or system. Can you guarantee those are strong enough to handle any attempted hacks that could come your way? 

With large parts of the north of England entering ‘Tier 3’, and calls for a ‘circuit breaker’ lockdown, now is the time for businesses to proof themselves against restrictions becoming more intense. It’s time to take stock of the security of your remote workforce. Whether you’re just now seeing staff shift back home after briefly being able to go back to the office, or you haven’t had staff back in the office since the first wave, I have five tips for ‘refreshing’ your pandemic-relevant security processes, even if they were only put in place in March. Ultimately, any plans you put in place need to address the current situation but be capable of evolving as the environment develops. And these should do just that.

Tip 1: Make sure your antivirus software is up to date

It sounds obvious, but it’s amazing how many organizations don’t routinely do this. Whether it’s ensuring the software for central systems is up to date, or employees have the latest software downloaded on their devices, it’s an incredibly basic step that each organization needs to bake into its regular routine. Every single device that’s used for a work purpose and is connected to the internet, including tablets and smartphones, falls into this remit.

It’s also important to understand your weaknesses while doing this. A lot of companies only run a vulnerability scan every six months (or even just once a year). But with more staff working from home, and each employee a potential vulnerability in themselves, it’s essential that this is done on a daily basis, as part of normal business operations, in order to understand what the attack surface looks like and where the weaknesses are.

Tip 2: Use a VPN

Of course, as staff work from home, many will be sharing internet access with family members or other housemates. While you can’t control the security of the devices the people your employees live with are using, you can still protect the information your employees have access to with a virtual private network (VPN). This means, even if a hacker finds a way into the internet connection via another device, your organization’s information is still kept secure. Furthermore, a VPN provides a layer of trust in establishing a secure connection from the outside world (your employee working from home) into the access point in your organization which ultimately holds the company’s crown jewels: its valuable data.

Tip 3: Empower your staff

This tip is twofold as the best defense you have against cyberattacks is your staff. So, first, make sure each and every one of your staff members is educated on cyber security and the risks from not following best practice. From the IT team to the wider workforce, all of your employees should be at least cyber-savvy. That means knowing what to look out for when it comes to suspicious activity, connections, or phishing emails – so they know what it’s safe to click on, what’s best to avoid, and most importantly how to raise issues when they spot something that looks suspicious.

It should be easy to report anything suspicious to the company’s IT department. And staff should feel confident in doing so without worrying they might get in trouble if they’ve done something wrong. Make your communications on this strong: reassure staff they will be thanked for flagging anything, rather than being worried they’ll be punished for any mishaps. Too often we see staff hiding incidents from IT, as they’re worried there will be repercussions if they’re deemed to have done something wrong.

Tip 4: Check your workforce is using strong passwords

Again, it might sound like a no-brainer, but weak passwords are one of the biggest causes of security issues when staff are working from home. Recent research from Pindrop showed more than two-thirds of home workers use identical passwords across all or most of their online accounts. So, set password guidelines for employees to follow: these will help protect their work devices and, with your guidance and education, will hopefully urge them to rethink their personal passwords too.

Tip 5: Work on the basis of zero trust

Once the basics above are in place, it’s time to start designing a ‘zero trust’ network. With a zero trust network, you make the assumption that hackers could come from both inside and outside your network.

No one is automatically trusted – even members of staff – and neither are any devices. Zero trust networks are especially relevant with large parts of the team working remotely, as they apply the principle of ‘least privilege’ access. Any application or piece of data should only be accessible to those who really need it to do their job – and permission is reviewed on an ongoing basis.

High-risk, sensitive information, or accounts with administrator access, should always go a step beyond just password access, and should have multi-factor authentication. But, with more staff working from home, it might be time to introduce multi-factor authentication for every single member of your team – requiring anyone logging onto the network to use multiple steps to do so. This added layer of security makes it so much harder for hackers to get into your network estate, as logging in generally requires something you know and something you have.

To give you an example of handling this well, I’ll tell you about a client of ours who has shifted from some of its staff occasionally working from home a couple of days a week to 100 percent home working for all. The company, which is relatively small, had to buy 10 laptops at short notice for those who ordinarily used desk-based computers. These new laptops then had to be configured using the setup of the original laptop users as a basis.

In order to ensure consistency and clarity amongst the staff, user guides were created, with existing guidelines updated and refreshed in the context of everyone working from home. For instance, they would talk through how to log into the laptops, how to choose appropriate security settings, and how to use the video conferencing tool.

In alignment with this, cyber security policies were updated to clearly explain which devices (i.e. business owned versus employee owned) could be used for which kinds of business activity. To ensure the devices remained secure in the home environment, encryption for data at rest was configured and switched on before the devices were even shipped.

Some staff were provided with new mobile phones for business. Mobile Device Management (MDM) tools were used to set up these devices with a standard configuration (again based upon a previously used configuration), which allowed the remote locking of devices, erasure of data and retrieval of backups.

A reminder was sent out to all staff to keep their devices and software up to date by clicking on the accept button when asked if they wished to update their software with the latest patch, and additional VPN licenses were purchased for staff who were new to working from home. A virtual training session on phishing was rolled out to remind staff that emails are being sent out relying on people’s fear or goodwill to trick them into doing the wrong thing. And all staff were shown how to report any breaches.

The important thing to note from this case study, and when taking action from the aforementioned tips, is the more proactive you can be at tackling cyber-security, the better protected you’ll be against any attacks. Too often businesses decide it would be ‘unlucky’ if they were targeted, but that doesn’t come into it. In fact, as more employees shift back to working from home, your business will become exponentially more vulnerable to attack. Psychologically, people are more relaxed in their homes and that could make for a more relaxed outlook on cyber security risks which would be more obvious in an office. You should never be complacent about security, and the best way to protect yourselves is to prepare. So why not do that by getting on the front foot today?

Peter started his career in investigation and has been a leader in the field of computer forensics for nearly three decades. He was a Deputy Director at the UK’s National Cyber Security Centre and specialises in providing pre- and post-incident cyber security advice to a broad range of individuals, companies, company boards and operators of essential services.