Charity staff returning to the office for a few days each week need to take some specific cyber security measures to keep their organisations secure
Charities of all sizes are facing a new cyber security challenge which will become increasingly significant over the coming weeks. That’s because staff at many charities are starting to make the switch from home working to a blend of home working and office-based working. As this blended work pattern becomes more prevalent, charity staff need to adapt the cyber security measures they use while working from home to take into account this new way of working.
The obvious question to ask is this: why does blended working require different cyber security measures to home working? The answer stems from the fact that, unlike home workers, staff doing blended working work in two different places and therefore face more cyber threats.
For example, staff may travel between the two workplaces with laptops, data stored on external drives or USB sticks, and smartphones – all of which can get lost or stolen while in transit. There are also potential cyber security problems that arise when a laptop used to work at home is brought into the office and plugged into the computer network, potentially introducing viruses or ransomware onto the network.
Here are four important cyber security measures that you should take if you are making a switch to blended working:
If a laptop or storage device is lost or stolen during a journey to or from work, then any data will remain secure as long as it is encrypted. If personal data about customers or clients has been lost then you may have to report this to regulatory authorities, but since it was encrypted this will not be a major issue. You can encrypt data on Windows devices using Microsoft’s BitLocker or AxCrypt, and on computers running macOS or Linux using the free VeraCrypt encryption utility. BitLocker can also be used to encrypt USB sticks, or you can use self-encrypting memory sticks such as Kingston Technology’s IronKey or Integral’s Crypto drive.
The laptop should also be protected with a password or biometric such as a fingerprint or Windows Hello facial recognition to make it harder for anyone who may get access to the laptop to see what is on it without removing the hard drive.
Of course, the data will still be lost unless it had previously been backed up. That’s why a backup service such as Google Backup and Sync or MSP360 which backs up data to the cloud automatically as soon as it is created or modified is a good idea.
For some charities, a better solution is to store all data in the cloud or on office servers accessed using a virtual private network (VPN), so no data ever needs to be stored on laptops or storage devices which can be lost or stolen. For example, Matrix Neurological, a small, local charity based in Middlesbrough, set up a VPN for its staff at the very start of lockdown so that they could access data stored in the office securely when working from home. When staff return to the office they can continue to work with data that they had previously accessed remotely from home using the VPN.
Perhaps the most important single thing that anyone doing blended working can do to improve their cyber security posture is to adopt two-factor authentication for every account that they sign into, wherever it is available.
That’s because two-factor authentication adds "something you have" – a mobile phone or a security token – to the "something you know" – your password – during the login process. That makes it much harder for a hacker to gain access to any of the cloud or other accounts that you access. Even if they get access to one or more of your passwords – perhaps because you fall victim to a phishing attack or some other cyber crime or because you unwittingly download keylogging malware – they won’t be able to log in to your account without also getting physical access to your smartphone or security token. This is extremely unlikely, for the simple reason that most hackers are physically located hundreds or thousands of miles away overseas.
If you are doing blended working then it is more important than ever that any laptop that you bring into work is used exclusively for home working when at home. That’s because if the laptop is used by others in the household – especially teenagers who may want to download games and other applications from unknown sources on the internet – then there is a chance that they could fall victim to a cyber crime and it could become infected with malware or ransomware. Introducing an infected laptop onto the office network could then cause catastrophic disruption to your charity’s activities, or result in significant data loss.
If you do not need to transport a laptop to work and back then you are likely to come across the problem of needing to remember passwords for multiple accounts that you access (such as office systems and cloud applications). This can become very complicated very quickly if you change a password in one location and then need to remember the new password at the other location. But writing your passwords down or storing them on a USB stick and carrying them from home to the office and back is a very bad idea from a cyber security perspective.
A password manager like Keeper Password Manager or LastPass can help you because you only need to remember one strong master password (plus optional two-factor authentication), and all your other individual passwords are encrypted and stored in the cloud and entered automatically when you log in to an account. That means that they can easily be accessed from either location without ever needing to transport them from one place to another. Password managers can also protect you from phishing attacks as they can "spot" fake websites and will not log you in to them.
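The phishing protection described above comes from binding each saved login to the address it was saved on. The following is an added example, not code from Keeper, LastPass or any other product: a simplified sketch that assumes exact-origin matching, with a constructed vault entry, constructed `charity.example` addresses and hypothetical function names.

```javascript
// Constructed vault: each saved login is bound to the origin
// (scheme + host + port) of the site it was saved on.
const vault = [
  { origin: "https://portal.charity.example", username: "jo", password: "constructed-secret" },
];

// Reduce an address to its origin; return null if it cannot be parsed.
function originOf(address) {
  try {
    return new URL(address).origin;
  } catch {
    return null;
  }
}

// Decide whether to autofill on the page the user is looking at.
// The comparison is on the parsed origin, never on how the address "looks".
function decide(pageAddress) {
  const origin = originOf(pageAddress);
  if (origin === null) {
    return { fill: false, reason: "not a valid address" };
  }
  if (!origin.startsWith("https://")) {
    return { fill: false, reason: "page is not served over HTTPS" };
  }
  const entry = vault.find((saved) => saved.origin === origin);
  if (!entry) {
    return { fill: false, reason: "no login saved for " + origin };
  }
  return { fill: true, reason: "origin matches saved login", username: entry.username };
}

// Constructed addresses: the genuine sign-in page and four look-alikes
// of the kind a phishing email might link to.
const samples = [
  "https://portal.charity.example/signin?next=/home",
  "https://portal.charity.example.login-check.example/signin",
  "https://portal.charity.example@login-check.example/signin",
  "https://portal.chanty.example/signin",
  "http://portal.charity.example/signin",
];

for (const address of samples) {
  const result = decide(address);
  console.log((result.fill ? "FILL  " : "REFUSE") + " " + address + " (" + result.reason + ")");
}
```

A person skimming the address bar can mistake any of the four look-alikes for the real site; the origin comparison refuses all of them, which is why a password manager that declines to fill on a familiar-looking page is worth treating as a warning sign.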