How to stay cyber-safe between offsite and onsite workplaces

We’re now approaching the end of the year and Victorians are redefining the role of the workplace in their business.

At the start of 2020, many businesses were quick to adapt and set up remote-working environments. But not all business owners anticipated just how effective remote working can be.

Research from the Australian Bureau of Statistics showed that in September, 31% of Australians with a job were working from home. And research from Adaptavist indicates that 85% of workers cited increased productivity during this time.

Because of this, remote working will likely play a larger role for participating businesses moving into the new year, as businesses integrate both onsite and offsite workplaces into their regular operations.

But moving between workplaces poses risks around device security, data integrity and the potential to spread malware infections in the workplace.

To meet these shifting norms, business owners and workers must foster safe work environments, whether working from home, in the office or in a local cafe.

Consider the following measures and safety advice to ensure that you’re cyber-safe across all work locations.

Create a BYOD policy before returning to the office

As Victorians continue to return to onsite work, it’s important to consider your office’s ‘bring your own device’ (BYOD) policy. As many workers are likely to adopt a hybrid approach to remote working, work devices such as laptops, tablets and mobile phones could be used at home, in public spaces and in shared workspaces.

This introduces a range of risks for the business, from potential data loss from lost or stolen devices to an increased likelihood of transmitting malware infections (viruses) between remote and onsite workplaces.

To reduce the risks of using remote devices, create separate wi-fi networks for offsite and onsite devices, as well as a BYOD policy that limits which devices can be used remotely, on site and for work purposes.

Find out more about creating a BYOD policy.

Be cautious of public wi-fi

With the re-opening of cafes and public spaces, it’s not uncommon for workers to partially operate on shared wi-fi.

Public wi-fi connections, while convenient, introduce significant security concerns, namely the fact that public wi-fi is a shared and often unencrypted connection. This essentially means that your activities can be monitored and viewed by any malicious individual using the public wi-fi connection.

If you’re accessing sensitive work information or making an online payment, scammers on the same network can eavesdrop on this activity to steal data or cause further harm.

So, whether you’re working from a home network or a public wi-fi connection, always use a VPN connection approved by your workplace and try not to access sensitive data on your devices while working on public wi-fi.

Also keep an eye out for public wi-fi hotspot scams. This is where a scammer creates an open and malicious wi-fi connection posing as a valid public wi-fi network. For example, if you were trying to log in to a wi-fi connection called ‘Smith St CoffeeSpot’, a scammer may create a false and malicious wi-fi network called ‘SmithStCoffee’ in the same location.

You can confirm whether a wi-fi connection is valid by checking with the staff of the establishment while setting up your device.

Lock your screens

One of the bad security habits that many of us have picked up at home is leaving our devices unlocked. There might not be much concern that your spouse or housemates are going to steal private data but when you’re operating in a shared or public space, it’s a serious threat.

Say, for example, you’re working in a shared workspace and you leave your laptop unattended to use the restroom. You may believe that nothing harmful can occur in the short time that you’re away from your device. But with an unlocked laptop a malicious person or passerby can do any of the following in a matter of seconds:

  • Use a plug-and-play USB to install malware on the device.
  • Photograph or record private data left on the screen.
  • Commit identity fraud by sending communications from your device.
  • Download or delete critical business data from your systems.

Many of these threats also apply to mobile phones and tablets.

Even if you’re surrounded by people that you know and trust, it’s always a good idea to lock your devices any time they’re left unattended.

Review your passwords

Reviewing your passwords may seem common practice but it’s particularly important for those who have recently transitioned to or from a remote-working environment. Each time you access work systems from a new device, you’re increasing your risk of a potential breach.

Home devices are usually shared between housemates or family and often contain viruses or unsafe password storage practices (such as leaving passwords in a notepad document). When you consider the number of scams that are currently circulating under the guise of legitimate workplace brands, it’s dangerously easy to mistakenly lose sensitive login data to a scam while attempting to log in to work systems.

So, before you log back in at home or in the office, reset your work credentials across the business. Make sure they’re strong, secure and haven’t been used in the past.

If you find it difficult to create and remember strong passwords across the business, you can also consider using a password manager.

Review your access control processes

While you’re making sure all passwords in the business are secure and up to date, review who has access to the data and systems of your business.

Access control refers to the process of determining which members of the business can get into or use specific business systems, applications and data.

While operating remotely, many businesses may have found themselves inadvertently ‘muddying the waters’ in regard to who can access what. For example, people working in support may have wound up with access to billing systems. Or your colleagues may have gained more access than intended to business information from files shared in Dropbox or Google Drive.

It’s important to remember that, regardless of whether you trust your employees to access sensitive business information, every point of unnecessary access in the business is an opportunity for a cybercriminal to cause harm.

Now is a crucial time to review who has access to what and ensure that staff don’t have access to business data and systems they don’t need.

Clean up your systems

Have you been using a new app or service while working remotely? Are you going to keep using it? If not, get rid of it!

The more systems, platforms and apps you use, the more your business data and information is spread around. This can significantly increase your risk if any of your accounts are attacked or compromised. Review all services such as office chat systems and cloud sharing services to determine if they’ll be used in the future or if they should be removed.

While this is more of a financial concern than a security issue, review the licences that you’ve purchased throughout the year to make sure you aren’t paying for services you’re not intending to use.

To clean up your systems:

  1. List all the systems, platforms and apps set up in the business.
  2. Consult with your business members to figure out what is needed and what is not.
  3. Download any important information from the apps and systems that you intend to decommission.
  4. Remove and deactivate licences for all the apps and systems that you no longer need.

Set up or update policies and insurance

If 2020 has shown us anything, it’s that no one can fully predict what businesses might have to face.

If you’re yet to set up cyber insurance and policy documents such as an Incident Response Plan, now is a good time to prepare them.

Having cyber insurance and policies in place not only helps to ensure that your business is meeting compliance and regulation requirements, but also enables you to have a clear and prepared understanding of what to do in the event of a cyber incident.

If you already have policies or insurance in place, consider the ways that your business has changed throughout the year and update them to accommodate these changes.

Communicate and collaborate with your colleagues

A major benefit of onsite working is the ability to collaborate and communicate in a shared space. This is particularly helpful when it comes to getting a second opinion on a suspicious email.

While working from home, it can be easy to keep to yourself and be hesitant to contact colleagues outside of conferences or the necessities. But regardless of your work situation, it’s important to maintain a collaborative environment when it comes to cyber safety. Ask for your colleagues’ advice if you have a security concern or receive a suspicious email.

Although most professional email accounts do have spam filters, you can never trust a spam filter completely. While the algorithms used to develop spam filters are mostly reliable, it’s not uncommon for blatant scams to get around these systems anyway.

So, if you’re even slightly suspicious of a malicious email, ask a co-worker for their thoughts. You can also call the sender directly (via a contact point established outside of the suspicious email in question) to confirm whether it’s a valid email or a potential scam.

Ultimately, whether your business is intending to operate remotely or on site in the future, it’s always a good idea to ensure that all workplaces are secure.

For more advice on bolstering your remote working security, visit our previous remote working article.

Finally, keep an eye out for current scams. Cybercrime is showing no indication of slowing down and it’s important that your business can identify common scams when you see them. You can find updates on trending scams on Scamwatch.

Jonathan Horne

CEO | Cyber Aware

Jonathan Horne has been building, running and selling online businesses since he walked out of the school gate. Over the last 15 years he has built some of Australia’s most trusted brands, servicing both small local businesses as well as some of the most well-known brands in the world. After witnessing a multi-million dollar competitor go out of business due to a cyber incident, Jonathan focused and researched heavily on improving his own businesses' cybersecurity. Through this experience grew CyberAware.com, an awareness training platform that removes the technical jargon from cybersecurity, and works to make cybersecurity easy for businesses of all sizes.