PhishNet

Is Your Hybrid Work Environment Secure?

Hybrid Work

Hybrid work seems simple enough. Most people have an internet connection and an office area that can support working from home. However, there are some complex issues that you might not have thought about. Hybrid work arrangements can greatly increase staff satisfaction, but they can also extend your business’s security footprint into an environment that you don’t have any real control over.

Remote environments can have security flaws. They might not be designed for high-security work. Many home offices have only basic security, with stronger measures left out for the sake of easy living and leisure. These flaws might not matter too much for private use; for work use, though, they can be devastating.

This doesn’t mean you should avoid offering hybrid work. The challenge isn’t to ensure everyone stays in the safety of your office. Rather, it’s to make sure that wherever your staff are, they can work securely. Everyone can work together to make this happen. With a combination of training, policy, and great support, you can empower your staff to work anywhere without risking your business. I’ve put together a list of the top things you can do to improve your hybrid work environment.

Software

Most of us are pretty aware of the issues malware can cause. We know not to download apps from random free suppliers. However, device software can cause issues beyond malware. Apps with too many permissions or security flaws can open a device to attacks and create data leaks. That’s why it’s important to vet potential apps, then stick to the approved list for work devices.

Create a list of all software that’s approved for work use. Add apps that are currently in use, and ones that fill a clear need. Check that each application meets your security criteria. Include:

  • Standard communication like email, instant messaging, and meeting apps.
  • Cloud coworking tools and workspaces.
  • Secure apps to use in sharing files with coworkers.

Bring your own device (BYOD)

Using personal devices for work can create blurred boundaries. We’re often more relaxed with security on personal devices. They feel like something to enjoy, not something to worry about. Having to unlock devices every time we pick them up can feel like a hassle. Not being able to install games or fun content can be frustrating. Relaxed security for personal devices, though, can cause real problems for your business.

If you allow staff to use their personal devices for work, set some ground rules. Create a list of the work resources that staff can and can’t access from personal devices. For example, you might allow Teams access so that staff can keep in touch, but not allow email because clients send personal information. Most importantly, train your staff in how to protect data on their personal devices.

Cyber Security Awareness Training

We don’t know what we don’t know. It’s a cliche, but in cyber security, lack of training is a key driver of workplace incidents. When we know what to look for, we’re more likely to spot the problems before they hit. And that can save your business a lot of heartache.

Ensure your staff have access to interesting and engaging training around:

  • Phishing: If hackers gain access to accounts, even private ones, they might be able to use this to infiltrate your systems.
  • Insider risk: Staff can accidentally cause a lot of damage to a system, either by using it incorrectly or giving someone else access.
  • Confidentiality: Private data leaks can be expensive – both monetarily and in lost customer trust.
  • Ransomware: Losing access to systems or data can paralyse a business.
  • VPNs: What they’re for, why we use them, and how to use the company VPN.
  • Wi-Fi security: Common home Wi-Fi flaws, how to update router firmware at home, and how to make home Wi-Fi more secure.

Password management

Reused passwords can cause significant security issues for your business. Password managers pull all logins into a central encrypted location. Staff can use a different password for every site and app, and know that the password manager will do the remembering for them.

To improve password security for your staff, provide a secure password manager for everyone. Pick one that allows staff to securely share login details using the password manager app. This login sharing function allows staff to bypass standard insecure sharing methods like email. It also provides the ability to see at a glance who has access to which accounts and deactivate unnecessary shares.

Additionally, add PIN protection for email clients on mobile devices, to limit the chances of unauthorised people accessing work emails. Require that all devices used to access business data automatically lock when they haven’t been used for a length of time and unlock with a password or PIN. 

Other security practices

There are several other habits that you can encourage staff to practise. These help to keep devices safe and your data away from people who don’t need to see it.

Ask your staff to:

  • Store work devices in secure locations when not in use. This habit doesn’t just protect against strangers accessing your data. It also helps to keep the devices and data away from anyone who doesn’t work for you. Neither family, friends, children, nor pets need access to work devices.
  • Regularly update apps on all devices. Enable automatic updates where available, to lighten the load. This is your first line of defence against backdoor exploits. The faster exploits are patched, the harder it is for hackers to gain access.
  • Use only approved cloud services. This limits the chances of staff accidentally adding company or client data to insecure platforms.

Hybrid work clearance checklist

Create a checklist for staff who want to be cleared for hybrid work. You can use our PhishNet Cyber Security Essentials Checklist for a Hybrid Workplace as a quick guide to help you.

Include:

  • Your approved software list.
  • BYOD requirements if they’ll be using a personal device.
  • Training requirements.

About PhishNet

PhishNet trains people to recognise everyday scams and cyber threats through our Cyber Security Awareness Training platform. With clear, measurable results, organisations can meet compliance requirements and proactively reduce the risk of cyber incidents. Talk to us about how awareness training can help protect your people and business.