
The Separation of Home and Work (From Home)

Staying Cyber Safe with The Post-COVID Permanence of Working from Home

During the height of the COVID-19 pandemic, many offices were forced to close to slow the transmission of the virus. Since many businesses, and certainly local governments and municipalities, cannot simply close, staff were forced to carry out as many day-to-day operations from home as possible. While the situation was not ideal, the community did what it needed to do to maintain a safe living and working environment for staff and customers alike. During the initial transition from in-person to remote work, however, many employees let their cyber security habits grow lax.[1]

Cyber security company Malwarebytes found that 20% of U.S. companies reported a breach due to a remote worker. Without the oversight of in-house IT, or even in-house management, employees find it easier to engage in risky practices while conducting business online. These risky behaviors can lead to data breaches, ransomware attacks, and costly viruses on company-issued devices. This is especially concerning given the post-pandemic permanence of remote work.

The Post-Pandemic Work Environment

Even with over half of the state of PA vaccinated as of August of 2021,[2] there was a surge in community transmission of COVID cases in the late summer. Those offices that were able to reopen may choose to go back to some form of remote work in the future. Looking forward to 2022 and beyond, remote work has found a permanent place in our post-pandemic life. Governments, municipalities, and business owners should take a serious look at cyber security within their organization, especially among those working remotely.

Good Work from Home Cyber Security Habits

Cyber security best practices should be outlined by your IT department. Each employee who is working remotely should know the policy. Each employee should be subject to periodic reviews to ensure compliance.

A few items that should be considered when creating a remote work IT policy include the use of:

  • A secure home (or remote) network for official tasks.
  • Two-factor authentication to log into networks, systems, and secure information.
  • Strong network passwords, and strong passwords in general.
  • Company-issued devices that are not visible to other devices on a home (or remote) network.
  • Official email only; no personal email use should be allowed.
  • Secure messaging for sensitive information or PII.
  • Common sense, particularly when dealing with suspicious email or PII.
  • Incident reports as soon as an issue is detected.

Staff and the consulting IT firm or the IT department must have a good and trusting relationship. If the staff does not feel comfortable enough to report issues, many will be missed and not be stopped. Communication is a key factor in creating an effective team to combat any threats to the office.

Keeping Information Safe

Corporate assets need to be tracked, documented, stored, and backed up for retrieval.  Although this can be done, it is a challenging situation where remote workers are involved.  Qualified IT professionals should be consulted as to how to meet any minimum requirements concerning documents and document retention.  There are ways to comply, but all are complicated and almost all of them require written staff-based policies.

Make sure your company or municipality is maintaining backups. This can feel like a monumental task when employees are scattered across numerous locations. Backups must employ anti-ransomware techniques, or they will be worthless in the event of an attack or a breach.

Combat “Shadow IT”

Shadow IT is when staff operates outside of, or without the knowledge of, the IT department. Shadow IT can include things such as:

  • Using personal email to send official correspondence.
  • Sending passwords and other sensitive data via unsecure email.
  • Storing work-related files on personal devices or your personal cloud.
  • Signing up for work-related accounts without approval.
  • Installing unapproved software on company-issued devices.

Shadow IT can be difficult for a business without a dedicated IT team to avoid. However, there are some methods that even a small company or local government could employ, with the help of a consulting IT firm. While some companies go as far as monitoring keystrokes, files, and time on the internet, there are some less-daunting ways to monitor employee behavior. Several ways to combat shadow IT include:

  • Monitoring employee email.
  • Installing time-tracking software on company-issued devices.
  • Using project or task management software where applicable.
  • Performing scheduled and unscheduled device reviews.
  • Requiring the use of company-issued devices.

Working on a Company-Issued Device

Working from a company-issued device is where the separation of home and work-from-home is most important. Many employees will use work-issued devices to stream movies and download games. Truth be told, anytime one downloads anything from the internet, there is a chance of downloading malicious software. The risk increases exponentially when one downloads and streams these media illegally. When one downloads malware or a virus onto a company-issued device that is hooked to the business’s network, the attack can span the entirety of the network.[3]

Even when working solely on company-issued equipment, things happen. In the instances where something does get by an employee, properly set permissions can serve as a cheap yet effective deterrent to cyber attacks. When employees are allowed access only to what they need to do their jobs, an attacker can only get so far. Many offices allow 100% access to all employees, and that is a very dangerous practice. If a virus were to infect a device while working from home, it could spread and cause damage to the rest of the system if and when that device is connected to the main network. But if an employee is, for example, restricted to only 10% of the network, then the damage can only extend that far.

Company-issued devices must have up-to-date virus protection installed and maintained. According to the Malwarebytes study “Enduring from home: COVID-19’s impact on business security”,[4] 61% of respondents issue a device for their staff to use remotely. Only 35% of those respondents installed up-to-date virus protection on these company-issued devices.

When connecting to the business network from home, use a virtual private network (VPN). A VPN is also important when using Wi-Fi that you don’t control like in coffee shops, libraries, airports, and hotels.

Cyber Security Training

Staff education is probably the most effective safety measure per dollar spent. According to cyber security expert Gabriel Mariani, “A properly trained staff can help avoid many of the pitfalls and traps that get an office into trouble.” It is important for all staff to stay up to date on the latest scams and trickery used by criminals for monetary gain. Staff should be required to undergo cyber security awareness training when hired and then attend periodic refresher courses for the duration of their employment with the company. Some insurance companies are starting to offer “free” cyber security awareness training when a cyber insurance policy is purchased. There are also a few great free options available online. CyberSafe Work offers free security awareness posters each month.[5] If it fits into the budget, it might be worthwhile to purchase cyber security training via a service like KnowBe4,[6] SkillShare,[7] or Udemy.[8]

Part of the cyber security training should include the rules of engagement for using the internet on company devices from the office or remotely, what to do if a breach occurs, and what the company or municipality will do if they are attacked. The company’s legal counsel and IT professionals should be involved in creating a cyber security education plan.

Remote working may have a permanent place in our workforce as we emerge from this COVID season. With a little bit of preplanning, staff can work from home while maintaining good cyber security practices and keeping sensitive data safe. Responsibility for good cyber security lies both with those in charge, who create and enforce policy, and with employees, who follow the rules.

  1. https://blog.malwarebytes.com/reports/2020/08/20-percent-of-organizations-experienced-breach-due-to-remote-worker-labs-report-reveals/
  2. https://www.governor.pa.gov/newsroom/gov-wolf-75-percent-of-pennsylvanians-have-received-first-covid-19-vaccination/
  3. https://www.newsweek.com/hackers-increasingly-attacking-companies-through-employee-online-activities-1605745
  4. https://www.malwarebytes.com/resources/files/2020/08/malwarebytes_enduringfromhome_report_final.pdf
  5. https://cybersafework.com/free-security-posters/
  6. https://www.knowbe4.com/
  7. https://www.skillshare.com/
  8. https://www.udemy.com/
