Business security and remote working during COVID19 and beyond
This week marks the start of the next stage for gradual easing of COVID19 lockdown restrictions. However, remote working looks set to continue for many months. For some businesses, the pandemic has initiated a permanent cultural change, in which remote or flexible working will become the new norm.
My concern is that the shift to remote working happened so suddenly, business security and risk management protocols haven’t yet caught up – and they urgently need to!
Right now, I know of numerous businesses with gaping holes in their cyber risk defences. As home workers often lack the robust security set-up that is built round the office environment, and they (mostly!) lack the knowledge in how to apply business security procedures effectively at home.
This isn’t a criticism of anyone. If someone’s job isn’t about IT, then how would they know? Often, the policies and procedures haven’t caught up. For example – who has updated their GDPR documents to include Zoom?!
The perils of Facebook quizzes
Social media quizzes are a scourge! This is a particular gripe of mine. I posted about it recently on LinkedIn:
A few weeks into the lockdown, everyone had got over the initial panic over setting up to work from home, and had relaxed into their new working environment. I noticed my news feeds were full of these random quizzes that people were doing on social media. Many also permit the apps and plugins to download additional data from your personal profile.
SO many people literally handing over their valuable personal data to hackers and companies who might use it unethically! It gets even worse when you consider that one person might be working from home sharing this data, while another family member is being socially engineered from the same location.
Cyber criminals thrive on fear, uncertainty and doubt. While everyone’s attention is being diverted elsewhere, they race in to exploit new security loopholes before our technology policies and procedures catch up.
Cyber Security and Nimbox
I’m a member of the Steering Committee for the Yorkshire Cyber Security Cluster, which was founded in 2015 as part of the UK Cyber Security Forum. The police, cyber security experts, academic institutions, charities and local bodies come together to help organisations across the region to collaborate and improve cyber security.
At virtualDCS, we were so concerned by the security risks and breaches that we have seen throughout the pandemic, we are now giving away Nimbox for free so that people can get set up securely in an environment they had not planned for on insecure home networks.
Nimbox is a fully-encrypted cloud storage solution offering secure file sharing, real-time collaborative document editing, desktop and server backup, remote file access, and encrypted cloud storage.
If you’re currently using Dropbox, did you know that Dropbox reads and scans all your files and shares them with third parties? With Nimbox all your files are fully encrypted and you have the additional benefit of collaboration tools.
For more help and support, join us for the next Yorkshire Cyber Security Cluster monthly webinar, 2-4pm on 17th June 2020. Bookings via Eventbrite.
The 3 key areas of business security for businesses with home workers
Getting back to those awful social media quizzes… At home, people often use the same device for both work and personal tasks and activities. Most don’t consider the crossover between social and digital. In the rush to home working, it can be easy to forget all the common sense things we normally practice in the office.
We need to consider data in this new setting much more carefully, as home security now translates across to business security.
The first thing to consider is the technology. What tools, platforms, software, apps are involved? This is particularly important when you’re mixing business tasks and social tasks on the same device.
So for example, I have separate business and personal computers. I didn’t used to use Facebook for business so I used my personal computer. Now, we often work with small businesses who use Facebook as a key platform, so we’re on Facebook for work and our work devices.
I used to only make professional connections on LinkedIn, but nowadays there is some cross-over on Facebook. This is true for a lot of businesses, so business policies need to be kept up to date to reflect this.
Organisations should also be familiar with the individual data protection and security policies for each technology platform used by their staff, and consider how each platform interacts in terms of how they protect and share and data. If someone in your organisation isn’t up to speed on this, then your need to have a partner on board who is.
Policies and procedures
The problem is not just the technology that people are using. In the office, as well as having all your technology and security systems set up, you also have the policies and procedures to manage the risks of operating them. If your team is working remotely, then some of the processes won’t be valid so your policies need to be updated.
A good example is the backup strategy. Many offices have been completely closed during this recent pandemic. If historically you’ve backed up to a server on premise, how are you doing that now there is nobody at the office? Some organisations have still got tapes – they have to physically change the tape in the server room every day. If that’s you and that’s not happening, your business is at risk.
My advice is always to ensure that your data is backed up offsite. Off-siting data and workflows in the cloud will protect you against risks relating to office closures, fires, theft and other hardware issues.
A lot of what I’m doing at the moment is advising more generally around risk and helping businesses complete risk assessments in line with the recent changes to the way many businesses operate. As a cloud computing solutions partner, we often work alongside compliance specialists and can put people in touch with the right experts.
This brings us onto the third and by far the most important aspect of business security: people.
This is about bringing on board the right people with the right mindset, and equipping them with the right knowledge to ensure your business remains secure wherever someone is working.
The topic of business security during COVID19 is much bigger than just technology and policies. It has to be a much wider conversation about company culture and behaviours too.
Expected behaviours are (usually) well established in the office environment. But when people are working from home, the normal routine and boundaries are blurred. As an employer you no longer have control, for example, of social media use or the security protections built into every device being used.
As a business owner you have to educate and inform staff, and then personally remind them of what’s expected.
There are two sides to this.
Firstly you should not only update your policies and procedures, then find an effective way of communicating them to your staff. If you want people to use separate devices for business and personal activities, then this needs to be clear from the outset. Do staff have the right equipment? If they are using personal laptops, are these the right spec and being regularly updated with antivirus software? If you don’t want people clicking on that “what would I look like as a dog” tool, then you need to tell them that its purpose is to suck all their data out and feed it to Cambridge Analytica!
Secondly, I think that we need a mindset shift towards taking more personal ownership and responsibility of our own data and passwords. As business leaders, we need to educate our teams on business security and all the issues. But yes, this does come back to reviewing policies, processes, and technologies.
Read more on:
- Cybersecurity crisis management, business continuity, remote working and disaster recovery during the Coronavirus pandemic
- Could the cloud relieve the impact of the Coronavirus?
- Ethical data management
- Simple data protection tips for SMEs
What can you do today to improve your business security?
Have a look at Nimbox. It can do risk assessments so will help you start thinking about what areas of security your business may need to focus on.
The Nimbox technology offers email, antivirus, threat protection, the ability to snapshot, backup and restore to an earlier point in time and secure collaboration solutions too – if I shared a spreadsheet with you, you can edit it in a web browser. It will even render CAD (computer aided design) in a browser.
But as I say, for me, it’s a bigger picture than just technology. Staying on top of business security is all about change management and risk management:
- recognising and highlighting change
- assessing and mitigating the risks
- updating policies and procedures
- bringing people on board with you
- and ultimately changing your organisational culture and behaviours in line with all the above.
If you’d like to discuss any aspect of business security, risk assessments or change management, give virtualDCS a call on +44 (0)3453 888 327 or contact us online today.