Technology and Cybersecurity in a Work-From-Home World: Q&A with Wiss’s Director of Information Technology Joe Turk
Series introduction: In this four-part Q&A series, Senior Professional in Human Resources (SPHR) Lisa Calick speaks with experts from Wiss to learn about the challenges that clients face due to the changes in work arrangements and culture as a result of the pandemic.
As a Senior Professional in Human Resources (SPHR), I spend my days giving human resources advice to Wiss clients, helping them with everything from benefits inquiries to staying in compliance with employment laws. My job is to help clients strengthen their operational processes to allow them to focus on their core strategic support.
I am interviewing experts from Wiss about the challenges clients face due to the pandemic and the new work-from-home paradigm. I had an interesting discussion with Wiss’s Director of Information Technology, Joe Turk about what companies need to be thinking about with regards to technology and cybersecurity in this new work world where many employees are operating remotely.
My key takeaway from this interview is that making sure employees’ use of technology keeps up with the reality of today’s remote work environment comes down to proper planning, keeping everyone trained, and then following up on the plans and policies that you have in place. It’s all about keeping everybody in the loop.
Many companies are still operating with remote employees, or in a hybrid environment, and will continue to do so for the foreseeable future. What steps do they need to take to ensure that they have the right technology in place to support that type of workforce?
I think it all starts with making their infrastructure and their data available to the people who are working remotely. Businesses who haven’t already done so should start planning a move to Cloud services. There are many vendors and solutions out there. Larger companies can use more robust Cloud solutions where they can host virtual servers and provide users with virtual desktops.
Companies should also be thinking about how they are going to be communicating and sharing data, and then also how they are going to be keeping that data secured while in transit. Employees should not be sharing files via e-mail without securing them with encryption. Secure file transfer can be set up with vendors such as OneDrive, Box within Office 365, or Citrix ShareFile. Video conferencing should also be a part of the technology strategy and can be provided by vendors such as Google Hangouts, Cisco WebEx, GoToMeeting, or Microsoft Teams in Office 365.
Given the increasing number of remote workers, does a company need to be concerned about the employees’ security systems at home?
For keeping your data secure, we would suggest giving employees access to work laptops. You can make sure that they are secured and protected.
There are a few things that you want to make sure are done such as updating the operating system regularly, which you can set to be done on an automatic schedule.
You also want to make sure that your employees are using complex passwords and using various passwords at each different level of access. These days we are telling people to use less of a password and more of a pass-phrase because passwords are easily broken into by hackers. I have seen people use passwords such as “123,” or use the word “password” with one S written as a dollar sign, but that just isn’t enough anymore. It must be complex, alphanumeric, and a minimum of 10 characters. We suggest using password managers such as Dashlane and LastPass.
Another important step to take is to set up two-step authentication, also called multi-factor authentication. When an employee tries to log in, it is going to send a text message with a verification code to their cell phone, which will then need to be input before access is allowed. This two-step access is very secure.
If employees are using their own equipment for work purposes at home, employers should require the network administrator to install monitoring software on that equipment. They should also push automatic security updates and remind employees to regularly change their passwords.
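The password advice in Joe Turk's answer above (at least 10 characters, complex and alphanumeric, and no dictionary word dressed up with a dollar sign for an S) can be turned into a small policy check. The following Python is an added example written for this page, not code from Wiss or from the interview; the list of common words and the substitution table are constructed for illustration, and a real check would use a large breach-derived word list.

```python
import re

MIN_LENGTH = 10

# Constructed, illustrative list of words a guessing tool tries first.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer", "monkey"}

# Symbol- and digit-for-letter swaps that guessing tools already know about,
# so "pa$$word" or "p@ssw0rd" buys no real strength over "password".
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i"})


def leet_words(pw):
    """Undo the common substitutions and return the alphabetic runs,
    so 'P@ssw0rd2021' yields ['password', 'o', 'i']."""
    return re.findall(r"[a-z]+", pw.lower().translate(LEET_MAP))


def check_password(pw):
    """Return reason codes for a candidate password; an empty list means it
    meets the stated policy (length, letters+digits, mixed case, no dictionary word)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("not_alphanumeric")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("no_case_mix")
    if any(word in COMMON_WORDS for word in leet_words(pw)):
        problems.append("dictionary_word")
    return problems


if __name__ == "__main__":
    # Constructed candidates, including the two weak patterns named in the interview.
    for candidate in ["123", "Pa$$word", "P@ssw0rd2021", "Blue-Kettle-Sings-2024"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The de-substitution step is the part worth noticing: "Pa$$word" is rejected as a dictionary word, not merely as too short, which is the point the interview makes about swapping one S for a dollar sign.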
What else should employers pay attention to when employees are working from home?
If an individual employee’s home network firewall isn’t set up correctly, or they don’t even have a firewall set up on their router, bad actors can potentially get access to the home network computers.
It is important to make sure to always be installing updates and patching antivirus, computers, and firewalls. And, when at all possible, you want your employees to connect to your business environment using a VPN, which is a virtual private network. It is a virtual tunnel between you and your work environment, where outside sources cannot try to capture that traffic.
I know there has been an increase in fraudulent activity these past few months, where people are getting individuals’ personal information and using it to file for unemployment claims or other criminal activity. So certainly, a company wants to make sure that their systems are tightened up and reduce the likelihood of any breach.
Cybersecurity training is critical, especially with a remote or hybrid workforce. To figure out where you might be vulnerable, consider hiring a consulting firm or IT specialist to audit your system and seek out any weak spots. You can then make targeted changes to your infrastructure to strengthen your security.
One major way hackers or criminals access people’s passwords and user accounts is through social engineering — that is, phishing scams and the like — and a lot of that can be alleviated through cybersecurity training. Companies should conduct training with all employees, at a minimum once per year. We train our employees annually and follow up with monthly videos.
We also notify our employees about certain emails that are known to have been received, and how to spot phishing scams. One simple suggestion we have made to our employees to confirm an email is legitimate is to hover over the sender’s name, and the actual email address that it came from will pop up. This simple tip alone can help everyone better identify fraudulent emails.
Another red flag is an email containing an emergency message, where the receiving person has to “click here” because his or her account was breached and “we need to verify your username and password.” A lot of people fall for this type of scam because they get nervous. The most important step is to get your users trained and comfortable with knowing what to look for in those emails.
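The two tips in the answer above, comparing the sender's displayed name with the address actually behind it and treating "your account was breached, click here to verify your password" as a red flag, are the kind of checks a mail filter or an awareness tool can automate. The Python below is an added example for this page, not code from Wiss; the sample messages, the trusted domain list (example.com is a reserved name) and the keyword patterns are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the domains the organisation genuinely sends mail from.
TRUSTED_DOMAINS = {"example.com"}

URGENCY = re.compile(
    r"account (was|has been) (breached|compromised|suspended|locked)|within \d+ hours?|immediately", re.I)
CREDENTIAL_REQUEST = re.compile(
    r"(verify|confirm|update) your (username|password|account|credentials)|click here", re.I)
EMBEDDED_ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def sender(msg):
    """Split the From header into the name a mail client shows and the real address behind it."""
    display, addr = parseaddr(msg.get("From", ""))
    return display, addr, addr.rpartition("@")[2].lower()


def flag_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return reason codes for a raw RFC 822 message; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw)
    display, addr, domain = sender(msg)
    reasons = []
    # 1. The display name is itself an address whose domain differs from the real one
    #    (what the "hover over the sender's name" tip reveals by hand).
    m = EMBEDDED_ADDRESS.search(display)
    if m and m.group(1).lower() != domain:
        reasons.append("display_address_mismatch")
    # 2. The display name drops the organisation's name, but the mail comes from an untrusted domain.
    org_names = {d.split(".")[0] for d in trusted_domains}
    if domain not in trusted_domains and any(name in display.lower() for name in org_names):
        reasons.append("impersonated_org")
    # 3. Emergency wording combined with a request to click or verify credentials.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    if URGENCY.search(text) and CREDENTIAL_REQUEST.search(text):
        reasons.append("urgent_credential_request")
    return reasons


# Constructed sample messages (not real mail).
PHISH = """From: "Example Corp IT Support" <helpdesk@examp1e-login.example>
To: employee@example.com
Subject: URGENT: your account was breached

Click here within 24 hours so we can verify your username and password.
"""

SPOOFED_NAME = """From: "it-support@example.com" <mail@attacker-mail.example>
To: employee@example.com
Subject: Invoice attached

Please see the attached invoice.
"""

LEGIT = """From: "Example Corp IT Support" <helpdesk@example.com>
To: employee@example.com
Subject: Annual security training

The annual security training video is posted on the intranet; please watch it by the end of the month.
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("spoofed name", SPOOFED_NAME), ("legit", LEGIT)]:
        print(f"{label}: {flag_message(raw) or 'no flags'}")
```

Check 1 is the automated form of the hover tip: a From header such as `"it-support@example.com" <mail@attacker-mail.example>` shows the first address in the client but delivers replies to the second. Check 3 deliberately requires both the emergency wording and the credential request, since either alone appears in plenty of legitimate internal mail.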
For companies that might not have an in-house IT department, how do they begin to focus on these steps?
A company can reach out to anyone who is handling their technology operations for support in these areas. We have services here where we go out and help clients, by conducting an assessment of the current technology platform. We’ll do an audit and look at their environment and give them ideas on where the concerns might lie. And if they need assistance with training their employees, we give them ideas on where to start and what they need to upgrade.
Is it fair to say that the need to focus on technology is amplified now given the last few months with so many people working more remotely?
I think it is. Those working remotely are separated from the internal connectivity of their business partners and their IT departments. As a result, they’re often not sure where to go and who to contact. You should always have someone in your business that they can contact about a questionable thing that may pop up.
I’ll give one example from one of our clients. They were hit with ransomware that gave them 48 hours to contact someone to make a payment and get the data back. They didn’t know what to do, they didn’t know where to go, and then they contacted us two weeks after the fact.
The problem they faced is that the data on the machine was encrypted with ransomware, which was then in turn backed up to the server. And then the following night that was backed up to their back-up system, which was offline. If this was caught within that first 24 hours, it could have been fixed and taken care of very easily. Once it was on the desktop, a server, and the back-up system, it became a much more problematic situation.
This is why you should have a business continuity plan or disaster recovery plan in place, have your backups done regularly, and have them done off-site through a Cloud provider. If you can’t do them off-site and instead do them locally, make sure that you are taking them off-site each night.
We have some clients who back up to a local hard drive. If you do that, make sure you buy two, so you have one that you take home and one that you leave in the office for that nightly back-up. Then if you do get the ransomware, you have that other backup that you can recover from.
An important consideration, especially related to remote workers, is preparing for lost or stolen laptops. People are taking their laptops home, or they’re working at a Starbucks or wherever they can get connectivity. They should never leave their devices or their laptop in their car. Any laptops that are taken out of the office environment should have the hard drives encrypted using Microsoft and an encryption process called BitLocker. This will prevent someone from removing the hard drive from the machine and attempting to recover the data.
This is all good to know. For companies that have existing computer usage policies, or don’t have any, should they refine their current policies?
Absolutely. Companies should definitely be updating their policies and procedures to incorporate issues related to the remote workforce that they have now.
A lot of companies are seeing that remote work is here to stay for the foreseeable future. Employees feel they’re getting a lot more done at home or have a need to telework due to the pandemic. As a result, companies should make sure to stay current with the issues that affect their technology in this environment.