Remote workers bring additional security risks
Even though working remotely has become part of the new normal, companies must not neglect maintaining an integrated cybersecurity approach, especially when it comes to mission-critical functions such as payroll. According to Mathew Payne, Chief Information Officer at CRS Technologies, malicious users have leveraged the uncertainty around the COVID-19 pandemic to target businesses and gain access to sensitive information.
“Typically, social engineering and phishing attacks use the coronavirus as a hook to entice employees to either provide the information they would not ordinarily import or click on suspicious links in emails. This will inevitably result in the installation of some form of malware on an employee’s device that provides an easy way into the corporate back-end,” Payne explains.
He believes that with the lockdown resulting in employees working outside the relative safety of the corporate network, attention must turn to the effectiveness of their home security solutions. For example, most people do not change the default security and password settings of their personal routers. As these networks provide connectivity to a variety of personal devices, many of which do not even have cybersecurity software installed, hackers can piggyback on a direct link into the company’s systems.
“More than any technology solution, continuous education becomes indispensable to ensure employees understand good practice when it comes to security protocols. It is highly unlikely that HR will email a person to confirm their ID number or bank account details. Even on the off chance if this should happen, it is always advisable for the employee to confirm the veracity of the request with their manager,” Payne adds.
Organisations can also insist that remote workers only use company devices for work purposes. Of course, the business must then have supplied these employees with secure laptops and smartphones. This is especially critical for sensitive job functions such as HR and payroll where data integrity must be maintained.
“Even though BYOD (bring your own device) has become part of the way of work for many, the lockdown could see a return to company-supplied equipment to mitigate the risk of compromise. Employees’ laptops and other devices will be optimised to work effectively with the corporate network and have the required security protocols set up.”
Perhaps one of the most important areas to focus on is about making remote working easy, Payne continues. “If employees battle with difficult-to-use systems to log in to the corporate network, or if their virtual private networks become too slow, they might be tempted to find more user-friendly workarounds. This is where the risk of ‘shadow IT’ comes into play, which refers to the technologies and solutions that people use without the knowledge of the IT department.
“These alternative solutions are often designed for consumer environments and are not secure or robust enough to deal with the complexities of a business network. It could provide another avenue for malicious users to compromise data. Companies should consider using this remote working window to identify new ways to manage the business as securely as possible,” Payne concludes.