Wednesday, January 26, 2022

The challenges in establishing data security best practices in a WFH environment

The COVID-19 pandemic changed the landscape of the corporate world drastically by making WFH mainstream. What does that mean for your business data? How does it change your business’s cyber risk profile? Download our whitepaper, The WFH environment & associated data risks, a new perspective, to find out.

Restrictions on installing firewalls, antivirus, system/software updates, and security patches

When your employees are in the office physically and using your computers, you can install firewalls and access control mechanisms. For example, you can block non-work-related sites or sites with third-party cookies, or set up password policies for them to follow when using the device. But if they are working from home and using their own devices, there’s no way you can install firewalls or have access restrictions like that in place at the system level. Similarly, you can ensure your work computers are up-to-date in terms of security patches, system updates, and software upgrades, but you can’t force an employee to install security patches or antivirus on their PC at home!

Keeping your data safe after an employee quits

When your employees are working from home using their own devices, how can you be sure you recovered all your data and erased it permanently from your former employee’s devices? How do you ensure they don’t have a copy of the sensitive information stored somewhere that could be misused, intentionally or unintentionally, and cause a data breach?

Safeguarding access to your data in case of unexpected events such as device theft or breakdown

If your employee is using their personal device for work and it gets stolen, how do you handle the data loss and any data compromise that could possibly follow? Similarly, if something goes wrong with their device, how do you ensure your data is not lost and your work is not stalled? Also, if the device goes in for repair, how can you be sure of the security of your data then?

Challenges brought on by device sharing

If your employees are using their own devices for work purposes, you can’t stop them from sharing their devices with friends and family. But, device sharing can put your data at risk of being stolen.

Remember WFH is not necessarily just WFH

When we use the term WFH, the first image that comes to mind is of a person sitting in their living room or at a home office desk and working on a laptop. But remember, that’s not necessarily true. When you follow the WFH model, it enables your employees to work from anywhere! The recent ‘workation’ (work+vacation) trend that’s catching on quickly is a testament to this fact. For all you know, your employee may be working from the Starbucks two states away, or they may be at the airport sending that last report in before they take off for a vacation, or they may dial into that important meeting from the resort they are staying at--all instances where they may be using public Wi-Fi networks, compounding the risk to your data from cybercriminals.

Let’s face it! The WFH environment coupled with BYOD (bring your own device) makes organizations much more vulnerable to cybersecurity threats than the traditional office setup. However, that doesn’t mean there’s no solution. As a company, you can still put various mechanisms in place to ensure the safety and security of your data. You should also train your employees on how to safeguard themselves and your data from cybercriminals. A managed service provider (MSP) specializing in cybersecurity, data backup, and recovery can help you with both of these. They would know what tools you can use to keep your data secure even in the WFH scenario, and they will also be able to train your employees on the common mistakes that people make unwittingly, which often lead to major data breaches.

Wednesday, January 19, 2022

WFH is here to stay. Are you ready?

The COVID-19 pandemic brought about tremendous, unimaginable changes across the world. Lockdowns, shelter-in-place orders, bans on gatherings for safety purposes, and national and international travel restrictions meant the world and its businesses couldn’t function as they did in pre-pandemic times. Tradeshows went online, meetings happened from the couch in the living room, and company parties meant saying cheers and sharing a glass of wine over a Zoom call with your video turned on. The transition to this work-from-home (WFH) culture on such a large scale and at this level was unforeseen, but it has happened nevertheless. While initially there was talk of this transition being short-lived and people resuming ‘normal’ lives in a couple of weeks, now it is clear that this trend is here to stay. Organizations and employees alike are seeing the numerous benefits of working from home.

From the company perspective, three big benefits stand out: significant savings on real estate expenses (with staff working from home, companies don’t have to spend as much on renting office space), an increase in productivity, and a drop in absenteeism and employee turnover.

From the workforce perspective, a lot of people are happier working from home as it helps cut the travel time to work and also supports better work/life balance. There’s a lot of flexibility, which is appreciated by employees with children or elderly parents who require caregiving.

In light of these benefits for both parties, it is highly unlikely that we will ever go back to the traditional office setup. What is more likely to take shape is a mixed environment where employees are mostly operating remotely and perhaps stepping into the office once in a while for catch-up sessions. As homes expand to accommodate office space, traditional office spaces will shrink to include probably just a conference room for in-person meetings. While this makes perfect sense, there’s something here that you can’t ignore: data security. WFH may keep your staff safe during the pandemic, but it may put your data at risk and jeopardize your data security if you don’t take the right precautions. Why? Because WFH often involves employees using their own devices for work purposes, and that blurs a lot of boundaries. It also raises several questions from the data security perspective, which makes it imperative that you have mechanisms in place to mitigate possible data loss, leaks, or misuse before you allow employees to use their own devices for work purposes.

In light of these challenges, it makes sense to sign up for a service level agreement with a managed services provider (MSP) who specializes in data security, recovery, backup and cybersecurity. They will help you put security mechanisms in place, prepare IT policies that define the boundaries and regulations when your staff is operating from home, and train your staff in IT best practices and in identifying malware infiltration attempts.

Wednesday, January 12, 2022

How the Coronavirus crisis is the gateway to the other kind of virus

To say the COVID-19 pandemic gave the whole world a tough time would be an understatement. Economies collapsed, joblessness rose, and people lost their loved ones and livelihoods to the disease. Adding to this situation was the need for social distancing and self-isolation, which took a toll on the mental health of millions across the world. 10 months into the pandemic, or perhaps even before, people started growing tired of it, and just when it seemed like humankind would give up collectively, there was a light at the end of the tunnel--vaccines.

While the news of the first vaccine being approved and then administered in December 2020 was a huge victory for humankind and rightly welcomed with claps and cheers, cybercriminals were cheering too. For cybercriminals, this was a great opportunity to exploit the eager, mentally fatigued and vulnerable populace. Emails were sent with phishing links disguised as genuine, which urged the recipients to fill in a form to access their vaccination schedule and vaccine information. Some emails were made to look like they came from the FDA, the United States CDC or the NHS (UK). Some had attachments that required recipients to download them and run .exe (executable) files that planted malware on their systems. “E-commerce” sites were created overnight on the dark web and enticed people into ‘placing orders for vaccines’ at $250 each, in the ‘black market’.

The point is, this is not the first organized cybercrime modus operandi and certainly won’t be the last. So, how do you protect yourself? Here are a couple of tips.
  • Do not download or open attachments or click on links from unknown, unverified sources or a source that you don’t trust.
  • Sometimes, the email or message may seem to be from someone you trust, but their account may have been compromised and used to send out the malicious link or attachment to you. Or, there may be a slight variation in the email ID (spelling), so while you get the impression it is a genuine email, the reality is different.
  • If something doesn’t add up, or if it doesn’t feel like the message was in fact written by the person you know, either ignore it or call and verify that they did indeed send it to you.
  • Install firewalls that have the capability to identify and block dangerous sites, so you will be alerted of possible security threats and inadvertent clicks won’t take you to dubious clone sites.
  • Make sure your antivirus software is up-to-date.
From a business perspective, discuss a strong cybersecurity plan of action with an MSP. This includes investing in the right anti-malware tools, ensuring all your software programs are updated, and applying security patches released by your software vendors as soon as they are available. Educate your staff on common cybercrime tactics so they don’t accidentally expose your IT network to cybercriminals.
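
The tip above about a slight spelling variation in the sender's address can also be checked mechanically at a mail gateway or in a triage script. The following is an added example, not part of the original post: the trusted list (the agencies the post names), the distance threshold and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Senders this mailbox expects (assumption: the agencies the post names).
TRUSTED = ("cdc.gov", "fda.gov", "nhs.uk")
# Digits often substituted for look-alike letters: 0->o, 1->l, 3->e, 5->s.
HOMOGLYPHS = str.maketrans("0135", "oles")


def normalize(domain):
    """Fold common visual substitutions so 'nh5.uk' compares as 'nhs.uk'."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED, max_distance=1):
    """Return (verdict, matched_trusted_domain) for a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    for good in trusted:
        # Exact match or a genuine subdomain of a trusted domain.
        if domain == good or domain.endswith("." + good):
            return ("trusted", good)
    for good in trusted:
        # Trusted name used as a prefix label of some other domain.
        embedded = domain.startswith(good + ".") or f".{good}." in domain
        close = edit_distance(normalize(domain), normalize(good)) <= max_distance
        if embedded or close:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    for header in ("CDC Vaccines <info@cdc.gov>", "CDC <schedule@cdcc.gov>",
                   "NHS <jab@nh5.uk>", "FDA <a@fda.gov.vaccine-info.example>"):
        print(classify_sender(header), header)
```

A "trusted" verdict only says the domain is spelled correctly; as the second tip notes, a genuine account can still be compromised, so this check complements rather than replaces verifying unexpected requests.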

Wednesday, January 5, 2022

Your employee’s social media account was hacked. How does it affect you?

Did you know that social media accounts are one of the favorite targets for cybercriminals? You may think cybercriminals would prefer to hack online banking accounts or shopping accounts, but that doesn’t seem to be the case. Here’s why. Social media accounts hold A LOT of personal information including name, email ID, date of birth, place of birth, place of work (your business!), high school attended, names of family, friends and pets, anniversaries, and more...which means they are basically gold mines of Personally Identifiable Information (PII). Plus, if you play games and have your credit card details saved, there’s more information, and the better the chances for the cybercriminal to commit fraud. All of this data can then be used to hack into other accounts of the user, including financial ones. So, hacking into someone’s social media account can help cybercriminals gain entry into other, more ‘useful’ and secure accounts.

But, how does it matter to you, as a business? If your employee’s personal social media account is hacked, it shouldn’t affect you, as a company, right? Wrong...here’s how it can affect you.
  • If the employee whose social media account is hacked is the administrator of your company’s official social media handles, you are in big trouble, as hackers will gain access to your company account and consequently to customer information, because you may have clients who follow your business account on social media. The whole situation can result in a lot of damage to your business and brand reputation and also result in penalties and possible lawsuits.
  • Even if your employee doesn’t handle your company’s social handles, the hackers may have enough of their PII to try and pry open a small entryway into your IT network.
You can avoid such mishaps by
  • Training your staff on social media and cybersecurity best practices including advanced privacy and permission settings for social media accounts
  • Ensuring your employees are able to identify and steer clear of phishing and social media frauds
  • Helping your employees understand the importance of practicing good password hygiene across all their online accounts--social, work or personal.
  • Ensuring they realize that their Facebook or LinkedIn account is not ‘just another online socializing platform’, but an actual gold mine of information and only those who they really trust should be able to access them.
  • Sharing regular Day Zero Alerts and relevant news articles with your staff that keep them updated on the latest modus operandi and happenings related to cybercrime
Your managed IT services provider will be able to help you in organizing and conducting these kinds of training and awareness sessions at regular intervals for your staff.