DOES YOUR STAFF KNOW THE SECURITY RISKS OF BYOD & WFH?
ARE YOUR PROCESSES ROBUST?
This Key Insights Document from our Cyber Security Webinar highlights the key topics that surrounded the discussion and suggests tools to mitigate the risks in remote working teams.
FUTURE PROOFING THE BRING YOUR OWN DEVICE (BYOD) HOME SET UP
It is crucial that staff know the security risks of BYOD & WFH.
One of the biggest BYOD security risks is loss or theft of devices. Employees often bring their personal devices wherever they go, which means there is a higher chance of devices being lost or stolen, and a greater risk of the company data stored or accessed on them being compromised. Thankfully there are heaps of ways to add cost-effective and user-friendly solutions, processes and policies.
Bring-your-own-device security isn’t simple; however, as a starting point, your organisation needs the ability to monitor employee-owned devices at the device level from the moment they are given access to your company data, and for every minute they are used for work or personal activities off-site.
ZOOM OR NOT TO ZOOM – THAT IS THE QUESTION
Whether Zoom is a secure enough platform for virtual meetings depends on the purpose and size of the organisation. Zoom has a bit to go before it can be considered a secure tool, but it is great for casual meetings where a multi-screen view is beneficial, and as one of the only virtual meeting tools that offers this function, dismissing Zoom altogether may not be viable for a business that seeks wider virtual team collaboration. Zoom is continually updating its security features; however, the consensus is that, at this point in time, it is best avoided where more critical data protection measures are needed.
EDUCATE TO MITIGATE
It is so important to create an internal culture of awareness around cybersecurity risks and mitigation strategies. By making employees aware of security threats, how they might present, and what procedures to follow when a threat is identified, you’re strengthening the most vulnerable links in the chain.
Running an effective phishing simulation campaign at work can be the difference between an employee who clicks on malicious links or attachments and one who reports them. For security professionals, a phishing test boosts employee cybersecurity awareness in a meaningful, controlled environment.
Sophos Home is a BYOD security product that is easy to use, cheap and highly rated for protecting against most malicious software. It includes a free version for up to 3 devices, or a premium version for $52, which is great value.
https://home.sophos.com/en-us.aspx
Dashlane is an easy-to-use password manager. Long and secure passwords are so important, but it’s difficult to remember many of them at once, so use a password manager.
https://www.dashlane.com/features/password-manager
Gophish is a free, open-source tool for simulating phishing campaigns to help educate your business.
https://getgophish.com/
THE EXITING TEAM MEMBER
Every time an employee leaves a company, whether willingly or unwillingly, it is advised that the security team is notified before the departure. There is an incredible amount of data management and protection that needs to be actioned, making offboarding a very time-sensitive event. Mobile device management and smarter access governance are important. If an employee is terminated or begins exhibiting questionable behaviour, the policy should support your ability to immediately revoke access to sensitive data before it’s leaked.
PATCHING PROTOCOLS
Failure to patch vulnerabilities in software can lead to losses of information that cost more than your company can afford to pay. At a minimum, a regularly scheduled monthly routine to patch all systems should be implemented.
Have a clear process for applying patches – sometimes patches will arrive with no warning and will need to be applied as soon as possible. Having a clear set of steps and expectations for each standard patch release, and making it a regular practice for teams, will make it easier when emergency patches are released.
Zscaler provides data protection coverage that forces all traffic to be encrypted, with no split tunnelling.
https://www.zscaler.com/
IsItPhishing is a service that validates whether a URL is a phishing page or not.
isitphishing.org
AusCERT provides members with proactive and reactive advice and solutions to current threats and vulnerabilities. We’ll help you prevent, detect, respond and mitigate cyber-based attacks.
https://www.auscert.org.au/
Disclaimer: The content of this document is a collection of opinions from the meeting and is not the express opinions of any representative of Method Recruitment or our guest speakers. All participants in the webinar accept no liability in the event of a cyber attack.