By Dr. Kevin Harris
Program Director, Cybersecurity, Information Systems Security and Information Technology Management at American Military University
As the coronavirus has forced many workers to work from home these days, one area where they need to become more involved is the protection of sensitive data. The responsibility to ensure data protection abruptly shifted from the IT staff and corporate security departments to the remote worker.
So it is imperative that these workers understand that they are part of a collaborative cybersecurity culture within their organization and a vital part of protecting digital data.
Individuals who have devices provided by their organization must stay vigilant in ensuring that these devices are not treated as just another piece of technology in the home and that other family members do not have access to them.
Banning Others from Accessing Office Devices Limits Introducing Malware and Prevents Loss of Data
The prohibition serves multiple purposes, including limiting the opportunity for introducing malware, preventing accidental deletion of data by others, and ensuring that corporate digital assets remain confidential. Employers should provide training so employees are aware of the various types of sensitive and Personally Identifiable Information (PII) as well as related policies and legal implications of exposing data intentionally or through neglect.
Many employers have various measures to protect the network while their employees work remotely. Virtual Private Networks (VPNs) are one example of a measure that enhances network security. VPNs are either hardware or software technologies that encrypt traffic as well as provide access to resources on a remote network.
VPNs Connect to Company Resources Such as Printers, Proprietary Applications, Files and Email
While VPNs are often used to provide a more secure experience using open Wi-Fi, organizations often provide their remote employees with VPNs to connect to company resources such as printers, proprietary applications, files and email. Home environments should not be considered secure because other devices connected to the home network could be compromised. Workers with VPN access should use it whenever they are working online remotely.
Additionally, VPNs should be disconnected when not in use. Remember, the use of a VPN places your computer on the company network. So regardless of whether the computer is a company device or not, all traffic can be monitored.
Social Engineering Is a Method Whereby Individuals Are Tricked into Divulging Information
Communication is another area of focus for individuals working from home for multiple reasons. As remote environments increase, social engineering is an additional risk. Social engineering is a method whereby individuals are tricked into divulging information through phone calls, texts, emails or personal interactions.
An example of a potential communications security breach is a worker who receives a phone call from the CEO, whom he has never met, requesting that he be sent an important file at home. Without proper training, the employee might proceed to transmit the file and not realize that the request should have been verified beforehand.
At-home workers must constantly be watchful for emails and other forms of communication that may look official but are actually attempts to circumvent security controls.
Cyberbullying is another area of communication concern for the remote workforce. We often attribute cyberbullying only to school children, but adults are also significantly affected. The phenomenon of individuals lashing out in online environments is drawing considerable attention.
The stress of blending working from home and personal life compels human resource managers and supervisors to emphasize to employees the importance of always adhering to a professional environment. Employees should always comply with human resource policies regardless of where they are working. Moreover, they should contact Human Resources if a policy violation occurs.
Many Organizations Have Employee Assistance Programs for Support
Additionally, if an employee feels overwhelmed by the current uncertainties of living amid a pandemic, it is important for that employee to remember that many organizations have employee assistance programs to provide counseling and support.
Device security is another area with which remote employees should familiarize themselves. Because employer-provided equipment is no longer under the watchful eye of surveillance cameras or security guards, or behind locked office doors, it is important to take proper steps to secure these devices.
One of the first steps is to avoid creating a home office environment near a window, which could attract the attention of a thief. Also avoid placing monitors facing a window that could expose sensitive information.
Locking up office equipment when the user is away is always the best practice. In a work-from-home environment, users should still rigorously ensure that all mobile devices, as well as computers, are locked when they are away even for a moment. This will ensure that there is no accidental deletion of data or compromise of sensitive data potentially exposing PII.
Data storage is an additional area that remote workers should not overlook. Whenever possible, data should not be stored locally, but on company servers, accessed via a VPN, that are backed up according to company policy. In the event that remote storage is not possible, users should save files using passwords and encryption to mitigate the chance of the information being compromised.
A work-from-home environment should increase the understanding that users are a critical piece of their organizations’ cybersecurity infrastructure. Users should take time to ensure their home networks are properly secured as well as to verify that all personal devices are patched and updated to reduce the chances of malware affecting any of the devices.
Cybersecurity is not solely an IT responsibility; it is a collaborative duty. Employees working from home have become another type of cyber warrior.
About the Author: Dr. Kevin Harris is the Program Director for Cybersecurity, Information Systems Security and Information Technology Management at American Public University System. With over 25 years of industry experience, Dr. Harris protected a variety of organizational infrastructure and data in positions ranging from systems analyst to chief information officer. His career encompasses diverse experiences both in information technology and academia. His research and passion are in the areas of cybersecurity, bridging the digital divide, and increasing diversity in the tech community. As an academic leader, he instructed students at various types of institutions including community colleges, HBCUs, public, private, graduate, and undergraduate, as well as online. Dr. Harris trained faculty from multiple institutions in the area of cybersecurity as part of an NSF multistate CSEC grant. To contact the author, email IPSauthor@apus.edu.