Following more than a year and a half of monitoring fully remote employees, many IT teams are now gearing up for a phased return to the office and the challenges that ensue.
IT departments across the world know that employees may have forgotten their cybersecurity hygiene and developed bad habits from working remotely, causing unexpected risk exposure. In an article by Deloitte, prior to the pandemic, about 20% of cyberattacks used previously unseen malware or methods. During the pandemic, that has risen to 35%.
With the pace at which emerging technologies like the internet of things (IoT) and cloud computing continue to advance, the need for a robust approach to combat cybersecurity vulnerabilities at an organizational level is vital. Simply put, from an IT perspective, even offering the flexibility to print from home computers comes with its own set of challenges.
Here are some guidelines for your employees that you can customize for your organization:
Don’t: Allow personal laptops, tablets, or electronic devices to be used for business purposes.
While the lines between work and personal tech have blurred over the past year, returning to the office gives IT teams the opportunity to reestablish a clear divide. In other words, it’s important to remind employees that personal information, like bank logins, Social Security numbers and sensitive information of this nature, should remain off a work computer for their own privacy, as well as the protection of the company’s network from potential malware.
Alternately, employees should refrain from transferring proprietary, encrypted company information -- such as customer data -- to their personal computer or tablet, helping to mitigate the risk of exposing confidential company information.
Do: Remind employees to immediately contact the IT helpdesk or cyber team after opening a suspicious email or attachment.
Employees may not understand the gravity or feel a false sense of security after clicking on and closing a phishing link, so they don’t bring it up to IT. However, it is critical for IT leaders to emphasize the importance of reporting such happenings, as it may leave the entire network vulnerable to threats.
Below are steps that employees should take after clicking a suspicious link, which can be sent as a reminder:
- Call the IT/cyber team immediately or email them letting them know what occurred.
- Disconnect their computer from the internet if at home, the IT team will disconnect them from the network.
- Do not power down the device, leave it on after it’s disconnected from the network/Internet, as the IT/cyber team will want to preserve any evidence there may be on the device.
- Update all their passwords -- and I mean all of them with unique complex passwords.
- Back up their files in a secure place, but this is something you already encourage them to do regularly, right?
Don’t: Ignore when employees download unauthorized apps.
Apps are a mainstay in our modern world, but it’s up to IT to thwart the habit of downloading unauthorized apps to avoid unnecessary access points. Given this, the IT team should educate employees about the approved app and vendor list(s) as well as where to find it for reference. Throughout my career, I’ve learned first-hand that a lack of vendor controls can compromise an otherwise strong cybersecurity plan.
IT teams should also communicate to employees that downloading software from unknown websites poses a high risk and should be avoided. As an IT leader in my organization, I focus on understanding who has access to the data in the network and monitoring all “directions” of traffic -- north, south, east, and west are all equally important -- which proves extremely challenging if unauthorized apps are present.
Do: Host engaging cybersecurity trainings for employees.
You and I know that the practices shared in a cybersecurity training are relevant to all levels, as no one is immune to a cybersecurity attack -- not even C-suite executives. But this message isn’t always clear to employees. To ensure they retain the information, take time to develop engaging and memorable “lessons” to share at company-wide trainings.
When speaking to the larger organization, emphasize that eradicating cybercrime and vulnerabilities requires a long-term commitment from both the employees and the company. While it’s the IT team’s job to protect the network, employees need to be comprehensively trained to understand cyber threats, know what to look for, and how to best respond in a vulnerable situation, such as a phishing attack.
Overall, I recommend creating and prioritizing “balance” when it comes to protecting customer and employee information. Having both a series of preventative controls as well as detective controls in place is critical to knowing what’s going on in or around an environment. To aid in this pursuit, I follow the principle of “least privilege” access, ensuring that all employees can do their job but only have access to the absolute necessary information. This best practice translates into system availability, limiting unscheduled downtime, and ensuring that customers always have access to their data when they need it.
Whether at home or in the office, I urge you to ask employees at your organization to think twice before clicking on a suspicious email link, pause before copying corporate data to a personal device or a personal cloud storage, take a moment before downloading that app, and retain information shared during company-wide cybersecurity workshops. At the end of the day, if employees follow the above guidelines, your organizations network will be safer and more secure.