Some of the security measures you have in place at your workplace won’t protect you if your staff are using different devices, networks or systems from another location.
These may include:
- web filtering
- firewalls, and
- data encryption.
Before you open up access to your data and confidential information, consider how to implement other measures to cover these risks.
How to protect your business
The National Cyber Security Centre (NCSC) has advice on increasing your security capability to allow staff to work from home.
1. Do a risk assessment and create a policy
A cyber security policy will help you work out which security measures will be best for you and your employees.
2. Secure staff devices
Your staff will need mobile devices, like laptops, to work remotely. If you don’t currently provide mobile devices, decide if you will offer them or let staff use their own.
If you can’t afford to offer a company device to each staff member, prioritise giving devices to staff members who access more sensitive systems.
You'll have more control over the security of devices you own, and you can:
- configure the device to apply patches as they become available so it stays up-to-date
- only allow certain programs to be downloaded and block known bad software
- configure regular backups
- configure hard-drive encryption.
Apple has a free hard-drive encryption tool for all users called FileVault. Microsoft offers a tool called BitLocker, which is free with several licences of Windows 10.
FileVault for Mac – Apple
BitLocker for Windows – Microsoft
If employees can use their own laptop, consider what rules you would like to put in place before they can access company systems. For example, you could require that they:
- keep their operating system up-to-date
- use hard-drive encryption and a strong password to unlock it
- upload any documents they have saved locally to the network, and
- run their antivirus software regularly (and keep that up-to-date as well).
3. Protect your business systems
Remote access software
Your staff will need to use remote access software, like a virtual private network (VPN), to connect to your organisation’s network. This creates an encrypted tunnel between the staff member’s computer and your organisation’s network, protecting the files and data they access while connected from their home network.
Long, strong passwords
Strong passwords are the first line of defence in systems that can be accessed on the internet. Require strong, unique and long passwords for every system and device.
Enable two-factor authentication
Two-factor authentication (2FA) helps to block attackers even if they’ve guessed your password or stolen your credentials. Make it mandatory for remote access.
Use home internet networks
Advise your staff to use their home internet network for accessing business networks and systems. Not all WiFi and internet networks are secured in the same way. The best way for staff to stay safe is to use the network that they have set up at home.
Remind employees to be aware of who can see or hear what they are doing if they need to work while out and about. Consider offering them a privacy screen, which makes shoulder surfing a lot harder.
If their device is lost or stolen, make sure they have an easy way to contact you or your IT provider. Mistakes happen, and it’s better to know immediately so the impact can be managed.
Choose secure communication channels
When your team is spread across multiple locations, being able to easily communicate with each other is essential. Look for messaging and video conferencing options that have end-to-end encryption. If the system you use doesn’t offer this, either choose a different system, or make sure everyone knows to avoid talking about any information you wouldn’t want made public.
4. Provide technical support
Sometimes people working from home may need more flexibility in their working hours due to childcare arrangements, family needs, and personal appointments. Make sure there is someone they can contact if they need IT support, especially if they need to report an incident.
If you think you've had a security incident related to remote working, talk to your IT provider and follow the steps in your incident response plan.
You can also report any online security issues to CERT NZ.