A CTO’s Guide to Fighting Remote Worker Cybersecurity Complacency

by Stephen Vicaro 0 Comments

Over the past few months, we’ve all become comfortable with remote work— probably a bit too comfortable.  While some of our private equity and hedge fund clients are taking initial steps to begin the transition back to on-premises operations, many are still at least a few months out.  Regardless of where your firm is in this process, the potential for cybersecurity events or incidents originating from your remote workforce remains high.  Here’s a list of cybersecurity reminders you can share with your remote workforce to refresh their understanding of your firm’s cybersecurity expectations and their role in keeping the firm secure. 

Home Networks 

Most home networks are set up for functionality rather than security. We rarely even think about our home network until we’re setting up a new device, or someone loses their Wi-Fi connection. There are no network administrators or sophisticated tools monitoring the traffic in work-from-home environments. The introduction of smart devices onto home networks such as smart TVs, gaming consoles, wireless security cameras, and kitchen appliances has increased our attack vector exponentially since the days when only computers needed internet connectivity. Most of these devices do not receive frequent security updates from the manufacturers, which makes them increasingly more vulnerable to exploits as they age. Additionally, most workers view their home networks as a trusted network, creating a compromise of any of those devices especially risky to employers. Here are some points to remember while connected to your home network. 

  • For company-owned devices, act as though you’re on a public network. This is called “zero trust.”  
  • Make sure that your home wireless network uses WPA2/WPA3 encryption, and that WEP has been disabled. WEP is an outdated wireless encryption that is easily exploited by hackers. 
  • Use a VPN for work-related remote connections, especially when handling sensitive or critical data. 
  • Make sure the other devices on your home network (laptops, desktops, routers, printers, gaming consoles, TVs, DVRs, smart home devices, etc.) are patched with the latest manufacturer security updates as they become available. This is something workers must be proactive about since end users usually don’t receive update notifications from manufacturers. Check device settings for update options, or go to the manufacturer’s support page. 

Company-owned Computers 

Employers usually maintain the ability to monitor your access to corporate resources and manage some baseline security parameters of your corporate-issued devices. However, they rely on you as users to follow some basic cybersecurity practices.  

  • Company-owned devices should only be used by employees. 
  • Keep devices in a safe physical location. 
  • Always lock screens when not in the presence of your device. 
  • Protect your device from drops, spills, or other damage. Equipment is much harder to replace in a timely manner when not in a corporate environment. 

Protection of Sensitive Data 

Remember that when working away from the office, you are not in a privileged location. Family members and guests may stumble across private or confidential information from work. Ensure that private or sensitive data is protected, e.g., putting away work-related paper documents. Additionally, don’t have work-related conversations with clients or co-workers in circumstances where others can hear. This applies to phone conversations and teleconference meetings. 

Incident Response 

A security incident is an adverse event that could harm a system or the information on that system. Your organization has established procedures for mitigating detected incidents. Be familiar with those procedures and take action when necessary. If you suspect something may be malicious or things don’t seem quite right, say something. Don’t attempt to resolve suspected security issues yourself—escalate to the helpdesk. They are trained to handle security incidents and can more efficiently address problems before they get serious. 

Basic Security Practices 

Here are some general best practices that should be included in your cybersecurity hygiene routine that should be utilized while working from home or the office. 

  • Don’t reuse passwords on multiple accounts, neither personal nor corporate. If you use the same credentials across many online accounts, only one of those accounts needs to be compromised for an attacker to be able to access the others. Consider using a password manager to manage unique and complex passwords for your accounts. 
  • Use multi-factor authentication (MFA) on all accounts where it is an option. MFA adds an extra layer of protection that an attacker will have to overcome to be successful at compromising your account. Options could include receiving a text message or email, using an authenticator app on your phone, or biometrics (e.g., fingerprint or facial scan) to verify that you are the owner of the account. 
  • Remember your cybersecurity awareness training: 
  • Be vigilant against phishing attacks through email or instant messaging services. 
  • Don’t open unexpected/unsolicited attachments, and don’t open attachments from unknown senders—when in doubt, contact the helpdesk for assistance. 
  • Don’t click on obfuscated links in emails—hover your mouse pointer over the link to see where the link is sending you. 
  • Beware of threats of digital pain or urgency—legitimate senders will almost never threaten you with punitive action in an email. 
  • Don’t store data locally—use the firm’s approved cloud storage. Locally stored data is just one more vector that could be lost, stolen, or compromised. 

Conclusion 

Cybersecurity awareness isn’t paused when users work remotely. If anything, users should be more aware of the hazards they face in a remote work location. Agio is a firm believer in brilliance in the basics—clearly communicate how users should secure home networks, treat company-owned devices, protect sensitive data and report cyber incidents. Remind users of the basic security practices they may have forgotten when they transitioned from the office to home. 

If you need help creating end-user cybersecurity awareness training, give us a call. Agio is here to help.