Last year, when staff started having to work from home, we did this without necessarily having the security systems, processes or procedures in place. It wasn’t easy for you or your IT admins, some of whom will have had sleepless nights planning and sourcing solutions. Or they might have been worried about how you’d all manage with their existing systems – were they resilient enough, and would staff be able to keep our data secure?
Meanwhile, we all adapted by finding desks, or using dining tables, and looking for a work-around to access the content, systems or services we needed to use. In scrabbling about, trying to maintain as consistent a service as possible for your customers, it’s almost inevitable that bad habits might have crept in.
Staff are the most important protection for IT systems.
It’s now widely known that staff provide an important protective layer for all organisations. Investing in staff will reap rewards in terms of protecting valuable assets and will ease the burden of the return to the office. As we return, now is the time to plan for and take steps to ensure all of us understand what we need to do and what good security looks like, and that we establish the right components for the now widely anticipated hybrid working model.
Here are some suggested actions you might take:
- Training
  - Remind staff of obligations:
    As we return to the office, now is a good time to remind ourselves of what the risks are. Consider implementing ‘return to the office’ update training sessions, or online awareness raising activities.
- Passwords
  - Reset all passwords:
    It's a really good idea to reset all organisational passwords we have control of (device login, encryption, social media accounts and website logins), using suitable password standards. Whilst this may be mildly inconvenient, it will ensure that any shared passwords stored on personal devices become unusable.
  - Remind of password complexity expectations:
    All organisations should have moved away from uppercase/lowercase, special character/number complexity requirements. Best practice now suggests that you should use longer passwords made up of randomly generated words.
  - Encourage use of password managers:
    It's been said before, but there's still time to encourage password managers. With so many now available, free and paid, there's no reason why you can't find one that suits you.
- Phishing
  - Run updated phishing training:
    There has been a tremendous spike in phishing and subsequent ransomware attacks over lockdown. It’s anticipated that, now we’re returning to the office, there will be a resurgence in attempted attacks. We all need to know how to identify phishing attempts.
  - Consider simulated phishing campaigns:
    If you can, run a simulated attack – see who clicks and provide additional support to those who do.
- Non-work devices
  - Remove/disconnect them all:
    If you’ve had to use a personal device for work, then you need to take steps to ensure you’ve disconnected it from any organisational accounts, files, folders or other systems. This is where the password change will also help.
  - Remove all work data stored on them – encrypt and send:
    If you’ve created/stored work files on a personal device, encrypt them and send them to work, via file transfer, email or memory stick. Then delete them from your device and from the recycle bin too.
- Review all returning devices
  - Sanitise for viruses:
    Any devices coming back to the organisation network should be considered ‘a risk’. If you can, before the device connects to your network, run antivirus and antimalware checks to scan for, and remove, any malicious code.
  - Remove unauthorised software:
    Whilst we’ve been looking for a work-around, we may have installed software to enable us to complete our work. Any unauthorised software needs to be removed. IT teams may have a process in place to achieve this for you, but you may need to do this yourself.
  - Ensure all devices are properly patched, including those previously left unused:
    It’s always good practice to keep device software up-to-date. Corporate devices away from the corporate network may not have updated. Run the updater for all core software on your first day in the office.
The last 18 months have been revolutionary for many of us who were previously office-based, with greater freedom and flexibility, whilst still maintaining output. Don’t forget that as we come back into the office we must continue to be vigilant. ‘Tailgating’ (when an unauthorised person follows you into the office) will return as one of many issues we’ve forgotten about. IT teams will have been working frantically in the background to keep data secure. As we come back, this provides an opportunity to re-assert control over data and ensure operational success.