How can HR support cybersecurity for remote workers?
Article by: Jason Dowzell, CEO and Co-Founder of Natural HR
Whether by design or by default, large swathes of UK employees are now working remotely. Fuelled by advancements in technology and developments to cloud-based software, remote working is now the new normal for many of us, for the foreseeable future at least.
The introduction of the GDPR in May 2018 means that any kind of data breach or cybersecurity incident can prove costly. Businesses must now map their data flows, assess the risks involved in their processing of sensitive data and identify where controls and checks must be put in place.
With the maximum financial penalty for non-compliance standing at €20 million or 4% of annual turnover, the consequences of making mistakes can be crippling, and that is before you consider the internal and external reputational damage this is likely to cause.
When it comes to your cybersecurity, your weakest link is often your people. Research by Kaspersky Lab found that almost 90% of data breaches were caused by human error or social engineering in 2019.
As a method of online attack, social engineering relies on human interaction and often involves coercing people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain.
With so many employees now working from home, it is more important than ever that you make sure there are no holes in your cybersecurity strategies and remind employees of best practice while they are working away from your HQ.
Deliver regular cybersecurity awareness training
The methods of attack used by online criminals are constantly changing, so frequent cybersecurity awareness training is key.
A well-informed employee can make all the difference to your business’ cybersecurity efforts. Holding regular training sessions with employees will ensure they are aware of any new threats, are kept abreast of any changes to data protection legislation and understand your own internal policies and procedures.
Make cybersecurity part of your onboarding
There is no other time during an employee’s tenure that they are more motivated and more willing to consume information than their first few weeks with you.
As such, it is prudent to make cybersecurity training part of your onboarding processes; doing so will make your internal policies and procedures crystal clear from day one.
HR should be collaborating with IT well in advance of an employee’s start date to allocate equipment, arrange system access and make sure they only have access to the tools and data they need to carry out their job.
Encourage your employees to habitually question any unexpected or unsolicited contact. Being aware of the context within which you receive emails (and phone calls and text messages) can help to identify any potential threats.
Always ask: Am I expecting this? Does it make sense? Would this person send this to me? Why? Why now?
If you’re unsure for any reason or something just doesn’t ‘feel right’, you shouldn’t respond, click any links or open attachments and delete the message right away. Most senders will use another method of contact to get in touch if the message in question is in fact legitimate.
Make sure remote workers remain vigilant
It can be easy to assume that cyberattacks only happen in the workplace, where criminals gain access to servers, databases and computers through holes in your defences. Particularly during times of crisis, it is easy to be distracted by the current situation and time-sensitive matters, which gives cyber attackers the opportunity they need to breach your defences.
Simple lapses in concentration can be costly. A companywide email, seemingly from your IT team, saying that as part of ongoing security measures everyone needs to reset their passwords and should click to do so, is a classic example of a phishing attack. But cybercriminals are becoming increasingly intelligent in designing their ruses to align with current events, crises or the time of year.
You might receive an email from your supposed CFO asking you to log in to HMRC to pay a tax bill at the end of your financial year as they are struggling to log in. Your IT team might be contacted using a personal email address requesting a password reset for a known homeworker.
Sometimes, falling prey to these security breaches is down to a simple case of ‘right time, right place’ for cybercriminals.