Throughout the entire month of January, The Fintech Times will be exploring every dimension of one of the industry’s most pressing topics: cybersecurity.
With remote working being the new normal in the wake of the Covid-19 pandemic, there are still concerns regarding the security of the practice. Working from home (WFH) brings additional risks, such as using personal computers or devices, accessing sensitive data from outside the office, and less oversight from management, to name a few, so there remain fears of breaches, both from a company perspective and for individual workers.
In light of this, The Fintech Times asked top industry experts to share their advice on how companies can best protect employees in a WFH environment.
Have a plan
Data fraud expert Colum Smith, chief vision officer for a Top 60 Law Firm and creator of RCP Innovation, said: “The threat from cyber-crime has never been greater. But the businesses who deal with it best are the ones who have the slickest plans in place to protect staff from falling victim to attacks.
“First, appoint someone within the business to have overall responsibility for cyber-security. Even small teams should aim to do this and consider rotating the role in order to ensure everyone gets knowledge of what is a vital issue.
“Hold regular bulletin meetings – monthly if you can – to update your team on any new cyber-related dangers. Share examples of where things went wrong. Don’t name and shame people within the business but be open about how criminals compromised your defences. If you don’t, they’ll attack the same way again.
“There are many practical things you can do to reduce the chances of a staff member falling victim to a cyber attack. A great place to start is the 10 Steps to Cyber Security report published by the National Cyber Security Centre. It’s regularly updated and is easy to understand. But companies must create their own internal security policies which ensure their own unique business models are best protected. A company holding large amounts of customers’ personal data for instance will have a very different level of risk to a business dealing with commercially-sensitive details.”
Smith concludes by offering his 6 key rules for keeping workers safe:
- Passwords: Create strong ones and change them regularly. Only 1 in 7 companies currently use strong passwords to protect data.
- Staff training: Employees are your defence against cyber-crime. Yet 1 in 5 SMEs currently doesn’t invest in staff training.
- Assess data: Don’t keep old client information. Delete any data you don’t need.
- Knowledge: Do your research, get external support and keep up to date with the latest cyber-attacks so you can be prepared and minimise potential risks.
- Plan ahead: 1 in 10 firms currently don’t plan ahead for this type of attack. Implement a cyber security incident management plan.
- Have a strategy for when things go wrong: Create an action plan for notifying customers and put procedures in place to help you investigate should you experience a breach.
Similarly, Jason Dowzell, CEO and Co-Founder, Natural HR, said:
“With so many employees now working from home, it is more important than ever that organisations make sure there are no holes in their cybersecurity strategies and to remind employees of best practices while they are working away from HQ.
“It can be easy to assume that cyberattacks only happen in the workplace, where criminals gain access to servers, databases and computers through holes in defences.
“Of course, companies can put precautions in place to reduce the risk of a cyberattack including installing security software on company devices, having a robust firewall to protect networks from unauthorised access and taking regular back-ups of data.
“Holding regular cybersecurity awareness training sessions with employees will ensure they are helping, not hindering your cybersecurity efforts. This training should cover everything from managing and sharing sensitive data to how to generate stronger passwords and how to report any potentially harmful cybersecurity incidents.
“Importantly, this training should also encourage workers to practice self-awareness and habitually question any unexpected or unsolicited contact.
“Integrating this training during the onboarding process is an ideal time to begin expanding an employee’s awareness and knowledge, and provides an opportunity to outline internal cybersecurity policies and procedures early on in their tenure.
“Furthermore, HR should be collaborating with IT well in advance of an employee’s start date to allocate equipment, arrange system access and make sure they only have access to the tools and data they need to carry out their job.
“In some cases, a simple reminder to workers to remain vigilant to the ever-changing nature of criminal online activity. These ruses are becoming increasingly intelligent, often aligning with current events, crises or time of the year.
“Sometimes, an employee falling prey to these security breaches is down to a simple case of ‘right time, right place’ for cybercriminals.”
Amir Hashmi, CEO and founder of managed-IT services provider zsah, believes company hardware is a good step in the right direction to protect workers.
He said: “Working from home means that many of your employees have to rely on their personal devices – computers, smartphones, and tablets, plus any internet access hardware – to complete work tasks.
“The trouble here is that these devices usually lack the tools and solutions that an office device would automatically have – such as a VPN, antivirus, and a secure network.
“Although this isn’t possible for all companies and requires an initial investment, an elegant solution to the working from home problems is distributing work on computers.
“In this way, you could ensure that they have all the necessary defence mechanisms installed – though this may, of course, be a prohibitively expensive strategy to deploy, especially during times of crisis.”
Training and resources
Andrew Hindle, Chair at IDPro, thinks companies should update awareness training to be appropriate to circumstances.
He continued: “Provide the right level of access to tools & data. Too much access is evidently dangerous, but too little access can also create problems — people will just try to find a way around the restrictions, which can create invisible risks.
“Implement strong, standards-based multifactor authentication. And, if you haven’t done so already, start the transition to single sign-on and, over time, to a full passwordless architecture.
“Modern security approaches will improve the user experience: this will help with compliance, as well as improving overall security posture. And it will reduce helpdesk costs, too.
“Providing the right tools can also help reduce risks. For example, a cloud-based collaboration environment can reduce the amount of data and number of documents an individual needs to keep on their local hardware. This in turn reduces the overall risk of data loss.
“Finally, consider how to improve the environment for the security operations teams as well: at least in the first instance, their workload is likely to increase and the types of issues they are having to deal with will change. Overinvest in training to make sure they are as effective as they can be.”