A data breach at a small or mid-size company could cost a business everything. This is why practicing good cybersecurity is in the best interest of all employees, according to Charles Russman, senior counsel and cybersecurity attorney at Clark Hill, a large firm in Detroit. DBusiness Daily News asked Russman to discuss his best cybersecurity measures to practice when working from home.
DB: What are some cybersecurity issues people need to be aware of when they’re working from home?
CR: Some of the things from a cybersecurity perspective that are the most important to think about, especially when you haven’t been working at home, is to make sure that one, you’re going to have proper access to everything you need. Most people think about things like printers and bringing their computer home, and they know the password to their computer, but it’s amazing how quickly people forget things like the password for systems they use at work. The other big-ticket item, which homes are notoriously weak with, is Wi-Fi connection. When you join a Wi-Fi network that doesn’t have a strong password, you run the risk of people being able to hop on to that network and then view what you’re doing on your computer.
The third big-ticket item is to make sure that, especially if you’re using a shared computer and are just using a VPN or you don’t have secure access, other people in your household who may share that computer are not getting access to things that they shouldn’t have access to. Make sure you’re properly logging out, and that you’re downloading things only to the secure portions of the computer.
Also make sure you have the right logins. More and more, companies are moving to cloud-based platforms. When you have people who are used to using Google or Office 365 at home, they need to make sure they’re using the right account when they’re doing work from home.
Another item that’s a bigger concern, especially for people who are not used to working from home, is the concept that with most privacy laws, even verbal correspondence can be treated as a breach. It’s important to be working in a space where you have the same level of privacy you’d have if you were working in the office.
Another one that I think people are increasingly becoming aware of is how much information is on their personal devices, and making sure those are being kept secure. Now that you’re not working in the office, it’s increasingly important to make sure those devices are being kept somewhere where they’re secure. When you’re taking your stuff home, that is not the time to stop at the market or stop at the drug store and leave those devices in the car or let someone borrow your phone.
DB: How can you protect yourself from these issues?
CR: One of the most common things I see when I work with clients is that people will work remotely, and they don’t know how to contact IT from home because it’s an internal phone number. Even simple things like that, whether it’s emailing someone at the office or looking up the number before you go, making sure you have properly prepared yourself. If you’re working as a consultant, if you’re an accountant, actuary, any one of the professional groups, even doctors who sometimes now work from home taking calls remotely rather than having people in offices, (make sure you know) how to securely discuss things with clients. Many are dealing with sensitive information. How does that get communicated? If you have a work computer that may not be an issue. If you’re going to be using a home computer, or your phone, do you have the right level of privacy and security on it? Those are the kinds of things I’d say if you’re working from home to make sure that you’re doing. Also, make sure you’re not going back and forth between work and personal stuff on the same computer and device.
DB: What should information technology teams do differently to combat threats when employees are working from home?
CR: Make sure that employees are reminded of the common threats that are taken care of when you’re in the office that are not necessarily taken care of at home – for example, firewalls, common reminders about phishing and other scams, especially that are targeted toward businesses where they allow remote workers. When people start working from home, they tend to all have the same half a dozen to a dozen issues. Having those addressed in an email or in a place they can get to easily will really help IT.
Serious thought should be given as to whether there should be some process for ensuring that the people who call and say, “I need access to the system and I’m working from home today, I lost my password” or whatever the issue is, is actually someone who needs that information and isn’t someone who is trying to scam their way into your system. That’s the kind of issue you don’t see when you have most people working in the office. If you have an employee who normally works at the office and never turns their computer off, who knows when they last put their password in? When they call, you should make sure it’s them.
Another thing IT should really think about is making sure you have the bandwidth and the access for that many remote users. IT should also make sure that, if there are any software or apps that are used every day, every person who downloads them to another device to work at home isn’t going to be seen as another license when there aren’t any additional users.
DB: Is the frequency of threats or breaches increasing as more people work from home?
CR: It’s a little hard to say yet if it’s more or less common. There’s no reason to think it’s less common. It’s just a question of whether it’s becoming more common as more people work from home. The trend has been to see a notable increase year to year in risks and successful attempts at hacking or other bad actions. With more people working remotely, especially without training or expectation to work at home, I would expect to see more scams, more phishing incidents, (and) more wire fraud type things. It’s a little too early to tell for certain yet, but there is no reason to think it will decrease. I would expect nothing but an increase, given the opportunities this kind of situation presents.
DB: You’ve been hacked. Now what?
CR: You should do exactly what you would do if you were at the office. The first thing they should do is contact IT. I always suggest to clients make sure everyone knows how to get in contact with IT without having to look up the number on the system because if you get hacked, you may not have access to the system anymore. Most people do not have the expertise to know what to do with a hacking incident, and they also can’t resolve it one way or the other.
More and more businesses now have a crisis response guide that would include what to do if you were hacked, or you think you’ve been hacked. I would suggest everyone read that or look at it or find out what they should do before they leave the office to work at home. A lot of times, the faster you can respond, the better off you’ll be.
One thing I would also suggest, which kind of sounds archaic but works well, is disconnect your computer from the internet until you’ve contacted IT and they’ve told you to reconnect it. If you have someone who’s hacked in and is downloading files or transferring files to or from your computer, they can’t do that if it’s not connected to the internet. The best thing you can do is exercise proper security hygiene, as it’s commonly called, which is before you respond to an email with sensitive information, open up another email, resend it that way. Don’t respond; create a new email stream. Think critically before you answer things, and watch for the common tricks of emails that look close but aren’t exactly the same. The best thing to do is avoid it, but if you do get hit, disconnect and call IT.