With working remotely the norm for people all across the country due to the coronavirus pandemic, cybersecurity has become all the more crucial as the threat of an attack has increased dramatically.
Someone who knows about this is Pete Walker, the Chief Technology Officer at OurPeople, a mobile communication platform that aims to disrupt the Human Capital Management (HCM) industry. Here Pete shares his thoughts on the challenges of cybersecurity in SMEs.
Pete Walker, Chief Technology Officer at OurPeople
Last year, more than 34% of UK tech firms had to deal with at least one cyber incident. With most businesses back to remote working, employees are once again logging in remotely from their own personal devices – which presents even greater threats to data security.
Across all industries, including fintech, the nature of the threat is evolving. The targets, impact and techniques involved in cyber attacks have changed: attackers seek access to internal control systems as well as communication; they not only steal but alter data to create distrust; and they target individual employees – often the chink in a business’ cybersecurity armour – through malicious insiders and phishing.
The Challenges Businesses Face
Ensuring employees have secure access to the right systems and information is a challenge even with everyone together in the office. But with workforces geographically spread and businesses operating without the physical security of their own premises, coordinating and maintaining remote policies is trickier than ever.
Employees are connecting to company networks from home, in many cases using personal laptops to do so. Without workplace cyber defences in place, the highly sensitive material and valuable personal business data employees handle are suddenly at risk. This is exacerbated by most communication shifting to email, which can be targeted through social engineering attacks.
On a human level, many employees will feel isolated after nearly a full year spent on-and-off working from home. Maintaining morale with limited face-to-face contact is not easy. Add the further complication of distributed devices holding sensitive information that once belonged to a former employee, but which current restrictions mean cannot be returned to the business to be securely wiped. It’s an extremely challenging time for ensuring cybersecurity.
Policies to Protect Data
Developing and implementing a strong data protection policy is crucial even when employees are all working with the same IT infrastructure. Without office cyber facilities, and without firewalls configured to admit a static broadband IP address for managing cloud services, however, it takes on even greater importance. Not only do these policies need to be in place, but it’s imperative they are understood and adhered to in order to protect against attacks and avoid potential fines for GDPR breaches.
Businesses must ensure different types of data have clear guidelines for where they can be securely stored and processed. Take personally identifiable information (PII), for example – this should never be shared on an internal chat system.
With cloud storage services increasingly popular, strict password policies should be in place to safeguard information and data. At my company OurPeople, we ensure all credentials and PII are stored in a password manager to ensure strong and encrypted protection. Alternatively, single sign-on solutions can also be an effective barrier.
We also require a secure VPN to access our cloud infrastructure – this is a policy all small and medium-sized enterprises (SMEs) can adopt. As a best practice, ensure that detailed logging for this service is turned on and active. Doing so means that – in the event of a cyber attack or suspected breach – businesses can quickly perform forensics to ascertain both the root cause of the incursion and the extent of any damage.
Sometimes, the lack of access to shared office equipment means employees have to use their personal devices for work. In these situations, it’s vital businesses have clear BYOD (bring-your-own-device) policies so there is no ambiguity regarding the types of data and communication that such devices should and should not be used for.
One essential condition of each business’ BYOD policy needs to be the installation of centrally managed anti-malware software on all devices used for work. If possible, mobile device management solutions should also be in place. Together, these policies ensure real-time protection of sensitive information – devices will be safeguarded against malicious software and viruses, can have corrupted data restored, and can be remotely wiped in the event of a data breach.
How to Support Workers to Keep Them Safe
From a mental health perspective, the most important thing is to retain some level of informal contact with all employees. At OurPeople, daily check-ins are a crucial part of our routine. There are many great benefits to keeping in touch regularly with staff – not least the likelihood that they will feel more motivated to follow security procedures. Ideally, these check-ins will be carried out through secure video-conferencing and chat solution platforms.
Furthermore, with sites and offices remaining closed up and down the UK, arranging for employees to receive on-premise, face-to-face training isn’t currently feasible. Instead, the key is to invest in cloud-based training and assessment services – doing so will vastly improve staff security awareness, as well as their understanding of GDPR. However, it shouldn’t be entirely the responsibility of employees to ensure they’re up to speed with these issues – having a third party audit policies and test a business’ internet-facing assets is a wise move.
Although the cyber threat is changing, the good news is there are policies businesses can quickly put in place to minimise the risks. Clear guidelines for data storage, along with strict password and BYOD policies, are small steps that will protect a company should it fall victim to a cyber attack. One in three SME tech businesses were affected last year – failing to prepare is a risk you don’t need to take.