With many employees working in remote locales, cybersecurity should not be forgotten
As many organizations today offer work-from-anywhere policies, many employees are jetting off to distant locales for a change of scenery while still on the job.
Employees in Canada often choose Barbados, Dubai UAE, Iceland, and Estonia as their remote work destinations, according to a global remote work index from NordLayer.
But the best scoring countries for accommodating work-from-anywhere (WFA) employees are actually Germany, Denmark, the U.S. and Spain, finds the network access security provider, which compares 66 countries’ attractiveness based on: cybersecurity, economic and social conditions, digital and physical infrastructure, and COVID-19 response and handling.
And it’s that first one, cybersecurity, that should not be forgotten. When travelling and working, there are some obvious countries to avoid, according to Carlos Salas, engineering manager at NordLayer in Vilnius, Lithuania.
“Most of the time, countries that are against VPNs are risky to work from. For example, Egypt, South Sudan, Afghanistan, of course, North Korea, if you managed to get there, it’s going to be hard for you to work from there.”
Theft is also a real risk faced around the world — with some devices able to unblock mobile phones remotely and delete content — and for some companies, when an employee returns home from certain hotspots, “it’s extremely risky so for some of the more hostile ones there’s many companies who will dispose of the devices once you get back, the threat is that high,” says Salas.
Always be prepared
Cybersecurity should start when the employee arrives, and HR should have a hand in implementing the cybersecurity regime, he says.
“If we need to start onboarding people that are going to be working remotely, HR has to be working almost hand-in-hand with the IT administrators, with the risk assessment teams, with CTOs in order to be able to fulfill the whole cybersecurity perimeter.”
And it’s important not to forget about the C-suite, says Greg Young, vice-president cybersecurity at Trend Micro in Ottawa, as this is becoming one of the most popular targets of malicious individuals.
“You should pay extra attention to working with senior management because they’re typically going to be the most targeted for phishing schemes.”
That includes making sure that they’re not exempted from training and supervision, and monitoring, he says.
“Attackers would love to go after senior managers: they can approve things, especially if they’re busy — even approve a purchase order or approve fund transfers — and that’s where the big money’s made, it happens quite often. But if you support them and don’t exempt them; make sure they’re trained, make sure they’re part of that culture, they’re protected and businesses are protected.”
HR-related phishing emails are more likely to be clicked on, according to another report.
It’s also important to provide the proper security tools for employees working remotely, and not to be cheap, says Young.
“For example, giving out free desktop security tools or even providing devices to help with this, especially if there’s kids doing schooling from the same device. Give them a security cable, give them a free license for a desktop security tools — give them those tools, give them for their families, in fact; give them five licenses for their home so they can secure their kids because they’re on the same network; they’re probably using the same tools.”
Plus, if you have a shared device, or your partner works for a competitor and you’re sharing the same device, it raises some that haven’t had had to be accommodated, says Young. “Businesses can accommodate that but they’re really slow to do it.”
Educating workers
In addition to software and hardware solutions, providing employees with cybersecurity training on a regular and ongoing basis is always a good idea, according to Carlos.
“This has to be done at least every two quarters, in order for people to keep it fresh and to be able to go back and forth to anywhere they want to work from but to still be safe about it,” he says.
Many (80 per cent) of organizations suffered some sort of cyber breach over the last year, according to another report.
With phishing being one of the biggest risks faced by organizations, this topic should be regularly addressed, says Young.
“Definitely the anti-phishing training that’s available, the higher-level ones, are fantastic because attackers recognize now this is a great soft spot to get into companies [and] will get access to the corporate network that way,” he says.
“[So] number one is quality training — not the usual kind of gotcha stuff that a lot of companies do but the really quality stuff.”
It’s also about recognizing how things have changed, says Young, “especially a lot of the human engineering part of phishing [which] has gotten really advanced, the social engineering side of it.”
It’s also key to remember that when securing data and devices, different rules may apply to different types of workers, says Salas. A remote CEO, for example, may have account numbers, along with confidential contracts, on their devices.
“So for each of the different employee levels, employee responsibilities and industries, there has to be different type of profile that you need to create alongside with your risk assessment team. It’s not a one-size-fits-all; it’s more like you need to do something that is custom in order to be fully safe.”
When something happens
Besides the training, how should employers handle it when something goes wrong and a laptop or device is infected?
“Everybody makes mistakes,” says Young. “Every cybersecurity professional I know has made a mistake at one point — responded to a phishing email or… clicked on something they shouldn’t have — and having really easy-to-understand ways to connect with support and the internal security of the company to report that, it should be a key part of the training.”
Plus, employees should not be afraid to report any issues that suddenly appear with their company devices, he says.
“That’s why it’s so important to have a no-shame culture, just having a culture [where] there’s no punishment, there’s no shame for reporting that. If somebody’s worried about their job, their employment status, worried about getting fired for it, there’s a problem with that culture.”
