In the beginning

No one would have believed it, some of us might have thought it, but now many are living it. I’m talking about working from home.

As a company and if appropriate, we have always offered the opportunity of working from home and so early on we met the challenges of dealing with security concerns head on. We were lucky compared to many, we have long taken security seriously since we took on certification for ISO 27001 around 6 years ago.

Initially we thought it would become a huge burden, both from getting buy-in from staff but also we thought it would slow us all down and make us less efficient. How wrong we were. In fact, it was literally the complete opposite. We, as a company, embraced the moderate changes to how we worked, and by far, those changes made us predominately even more efficient. The end result safer and now even more competitive.

At the time, we were but a simple marketing agency, producing pretty, but clever emails. Looking around us, we could see that taking security seriously was not the ‘norm’ in our industry. You might feel the same about yours. We realised that this so-called world of certification was growing quite rapidly as it forces you to look at how you work with your partners, clients and suppliers. And then the penny drops, companies are often not very good at it. Security that is.

It’s a little bit viral in a way, excuse the irony. But you do end up looking for partners that are equally serious with how they keep their company safe.

Working from home

You may have already looked in to ‘best practices’, or simply think that everything is fine because your company took one of the more recent cyber essential certs. As opposed to a full blown and dedicated security ISO standard. But we can always do more to ensure our employees fully understand the basics and that at least the devices we use for our day to day work are set up with what’s need to operate safely.

I shall leave a link or two at the end of this article to help further your own research. Or even give us a call to find out how we might be able to help, based on your own unique circumstances.

There are always risks whether or not your company is used to employees regularly working from home, and in fact many of us often have work emails and messengers on our ‘smart’ phones. Remote working includes all devices, not only laptops and desktops.

A quick note about GDPR, which now everyone seems to have heard about. What is less widely known is that in 2018 this was embedded inside our own UK Data Protection Act, replacing the previous version from 1998. And since then the ICO (Information Commissioners Office) were given a lot more power and resource to enforce fines upon companies that broke the law. Every company needs to take this seriously, especially with your HR and employee records.

Cyber criminals are now trying to take advantage of the fact that so many people have had to hastily start working from home due to the lockdown and may be vulnerable from a security perspective.

The basics

People usually benefit with some structure, security is no different. Having things documented is one of the best ways of starting. But what to document?

There are many components, but focusing on the priorities to hit the ground running we need a ‘Remote working policy’.

From this we can include the basic  details required to keep people safe. It can be top level guidance, and structured in a way that can link to other important docs that you create, things like password management or file sharing.

 The main focus, because this is about data, is to think about it in a way that either your information, emails, messages, documents, files are either stationary, ‘At Rest’, or being sent somewhere ‘In Transit’. Each has its own risks with an ability to be lost or stolen.

The ICO has acknowledged that the best way to ensure that data is safeguarded is to encrypt it. That way, if its stolen it becomes very hard to simply extract the original information.

Luckily this is has become easier for us humans as long as we use a few tools and click some settings.

Data ‘At Rest’

Lets look at Data ‘At Rest’. All modern operating systems e.g. Apple or Microsoft, have built in encryption systems for the hard drive or disk. If switched on, it becomes very difficult to retrieve the data off the drive if you don’t have the password.

Apple use Filevault and Microsoft use Bitlocker. Get those turned on.

Mobile devices, like ‘smart phones’ use encryption by default. In many ways they’re safer out-of-the-box, but of course they are also easier to lose. Laptops and desktops are not generally encrypted by default. And your data is accessible whether or not a thief has the password, using easily obtainable programs.

Using cloud-based storage. This sounds like a double edge sword. But it’s one of the keys to safely working from home. The top cloud-based providers, whether Microsoft O365, Box, Dropbox etc. use encryption on their storage and are securely managed. So this satisfies data at rest in the cloud. This leads us to the next step, Data ‘In Transit’.

Data ‘In Transit’

Whether you are sending an email, sharing a file or pinging a message to a colleague on messenger, these all constitute a form of Data ‘In Transit’. And this is where very often mistakes or vulnerabilities can occur on a daily basis. It really is worth spending some time getting this right and making sure everyone knows the do’s and don’ts to keep your company information safe.

  • Do – use file sharing links. This removes sending confidential data over insecure email or messengers
  • Do – use expiry times, passwords, or even better, only share with people that have the permission to download the file
  • Don’t – send confidential data in emails as file attachments, the old school zip attachments with a password are not that difficult to hack
  • Don’t – send usernames and passwords in email. Especially together. And even worse, in a thread of an email. Confidential information, e.g. login details, can end up in the hands of some one else when the email eventually gets forwarded to another person the email was not originally intended for
  • Do – share folders only with that person, create a file that only that person can see and put the details there. Simples!

Added bonus for using cloud-based file sharing, no more clogged and over bloated email software. Every file sent as an attachment makes your software slower and slower.

Added bonus 2, your email client will be less of a security risk with all those confidential files you have been sending and receiving. If someone has access or intercepts your email, all they can then retrieve is a link that has either expired or has restricted access.

To be honest, this is why so many companies use O365, it sorts out many of these potential problems. Even MS Teams has become a winner, with secure message sending and file sharing. Just make sure that you are not making your group chat public and kept private. You could end up in trouble!

MS Teams now allows companies, clients and suppliers to easily collaborate securely together, something that has been very difficult to manage in the past.

Other considerations

Of course, the usual virus programs should be installed on all work devices and end-point protection enabled to stop your staff plugging in USB drives and downloading your data. A screensaver that locks your screen after a few minutes (if you forgot to whilst making that cup of tea) is a simple, effective way of securing your device. (It also stops mischievous employees declaring their undying love to the boss, from your unattended device!)

All these things require staff to understand why they exist and to take them seriously.

Government link on working from home:

https://www.ncsc.gov.uk/guidance/home-working

Altaire is rapidly expanding its services in the Information Security field. If you are looking to better comply with legislation, and do the right thing in the new post COVID:19 world then do get in touch.