Staff security
Te whakamana i ngā kaimahi ki te mahi mamao

Enable staff to work remotely and securely

Allowing your employees to work from home gives them more flexibility and can help with business continuity. Unfortunately, it also increases the risk to your business's services and data.

The risks

Some of the security measures you have in place at your workplace won’t protect you if your staff are using different devices, networks or systems from another location.

These measures may include:

  • web filtering
  • firewalls, and
  • data encryption.

Before you open up access to your data and confidential information, consider how to implement other measures to cover these risks.

How to protect your business

The National Cyber Security Centre (NCSC) has advice on increasing your security capability to allow staff to work from home.

Advice for organisations – NCSC

1. Do a risk assessment and create a policy

A cyber security policy will help you work out which security measures will be best for you and your employees.

Online security risk assessments for business

Create an online security policy for your business

2. Secure staff devices

Your staff will need mobile devices, like laptops, to work remotely. If you don’t currently provide mobile devices, decide if you will offer them or let staff use their own.

Company-owned devices

If you can’t afford to offer a company device to each staff member, prioritise giving devices to staff members who access more sensitive systems.

You'll have more control over the security of devices you own, and you can:

  • configure the device to apply patches as they are available so it can stay up-to-date
  • only allow certain programs to be downloaded and block known bad software
  • configure regular backups
  • configure hard-drive encryption.

Apple has a free hard-drive encryption tool for all users called FileVault. Microsoft offers a tool called BitLocker, which is free with several licences of Windows 10.

FileVault for Mac – Apple

BitLocker for Windows – Microsoft

Employee-owned devices

If employees can use their own laptop, consider what rules you would like to put in place before they can access company systems. For example, you could require that they:

  • keep their operating system up-to-date
  • use hard-drive encryption and a strong password to unlock it
  • upload any documents they have saved locally to the network, and
  • run their antivirus software regularly (and keep that up-to-date as well).
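One way to check these rules before granting access, as an added example that is not part of the original guidance. The report field names, the sample reports and the age thresholds are assumptions; the encryption check reads captured output from `fdesetup status` (FileVault) or `manage-bde -status` (BitLocker), and the strength of the unlock password is not checked here.

```python
import re
from datetime import date

# Assumed thresholds: the page says "up-to-date" without giving numbers.
MAX_OS_PATCH_AGE_DAYS = 30
MAX_AV_AGE_DAYS = 7

def disk_encrypted(status_text):
    """Interpret captured `fdesetup status` or `manage-bde -status` output."""
    if "FileVault is On" in status_text:
        return True
    converted = re.search(r"Conversion Status:\s*Fully Encrypted", status_text)
    # Suspended BitLocker leaves the key readable on disk, so require both.
    protected = re.search(r"Protection Status:\s*Protection On", status_text)
    return bool(converted and protected)

def failed_rules(report, today):
    """Return the rules from the list above that a device report fails."""
    failures = []
    if (today - report["last_os_update"]).days > MAX_OS_PATCH_AGE_DAYS:
        failures.append("operating system not up-to-date")
    if not disk_encrypted(report["encryption_status"]):
        failures.append("hard-drive encryption not active")
    if report["unsynced_local_documents"] > 0:
        failures.append("documents saved locally not uploaded")
    if (today - report["av_definitions"]).days > MAX_AV_AGE_DAYS:
        failures.append("antivirus out of date")
    return failures

# Constructed sample reports (hypothetical field names and values).
TODAY = date(2024, 6, 1)
REPORTS = [
    {"device": "mac-01", "encryption_status": "FileVault is On.",
     "last_os_update": date(2024, 5, 20), "av_definitions": date(2024, 5, 30),
     "unsynced_local_documents": 0},
    {"device": "win-02", "encryption_status":
        "Conversion Status:    Fully Encrypted\n"
        "Protection Status:    Protection Off\n",
     "last_os_update": date(2024, 3, 1), "av_definitions": date(2024, 5, 31),
     "unsynced_local_documents": 3},
]

def access_decisions(reports, today=TODAY):
    """Map each device to the rules it fails; an empty list means allow."""
    return {r["device"]: failed_rules(r, today) for r in reports}

if __name__ == "__main__":
    for device, failures in access_decisions(REPORTS).items():
        print(device, "ALLOW" if not failures else "BLOCK: " + "; ".join(failures))
```

The second sample device shows a case worth catching: the drive is fully encrypted, but BitLocker protection is switched off, so the device still fails the encryption rule.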

Educating your staff about online security

3. Protect your business systems

Remote access software

Your staff will need to use remote access software, like a virtual private network (VPN), to connect to your organisation’s network. This creates an encrypted tunnel between their computer and your organisation’s network, protecting the files and data they’re accessing from their home network.

Types of remote access software 

Long, strong passwords

Strong passwords are the first line of defence in systems that can be accessed on the internet. Require strong, unique and long passwords for every system and device.

Create a password policy for your business

Enable two-factor authentication

Two-factor authentication (2FA) helps to block attackers even if they’ve guessed your password or stolen your credentials. Make it mandatory for remote access.

Protect your business with two-factor authentication 

Use home internet networks

Advise your staff to use their home internet network for accessing business networks and systems. Not all WiFi and internet networks are secured in the same way. The best way to stay safe is to use the network that they have set up at home.

Securing your home network

Physical security

Remind employees to be aware of who can see or hear what they are doing if they need to work while out and about. Consider offering them a privacy screen, which makes shoulder surfing a lot harder.

If their device is lost or stolen, make sure they have an easy way to contact you or your IT provider. Mistakes happen, and it’s better to know immediately so the impact can be managed.

Choose secure communication channels

When your team are located across multiple locations, being able to easily communicate with each other is essential. Look for messaging and video conferencing options that have end-to-end encryption. If the system you use doesn’t offer this, either choose a different system, or make sure everyone knows to avoid talking about any information you wouldn’t want made public.

4. Provide technical support

Sometimes people working from home may need more flexibility in their working hours due to childcare arrangements, family needs, and personal appointments. Make sure there is someone they can contact if they need IT support, especially if they need to report an incident.

Get help

If you think you've had a security incident related to remote working, talk to your IT provider and follow the steps in your incident response plan.

Creating an online security incident response plan

You can also report any online security issues to CERT NZ.

Report an incident