Recent changes in the work paradigm have brought new work habits and, with them, new regulations and new risks. According to the INCIBE institute, there are still many doubts regarding cybersecurity in the company, and many of the computer attacks received are due to a lack of information and planning regarding computer security measures in the workplace.
The new modalities of remote work, or teleworking, can lead us to neglect the necessary precautions.
What should be taken into account in the field of cybersecurity in the company and teleworking?
The requirements and measures are very broad, from very important changes that require effort to seemingly insignificant measures that are very easy to implement.
Below we show a series of guidelines to follow to minimize the risks of cyberattacks in the workplace.
Study or analysis of technological dependency of the company
The first measure the company must take is to carry out a study of its degree of technological dependence, that is, which technological means are used and how dependent the company is on each of them. In other words: for how long could the activity of the company continue if any of these means failed?
- Development
- Mobile devices
- Servers
- Telecommuting or computer equipment outside the company area.
Main cybersecurity threats in the company
Some of the main threats that can be received through a cyberattack in the company are:
- PC hacking
- Capture of user credentials
- Loss of user data, systems or strategic information
- Being subjected to blackmail and data ransom demands
- Loss of data that is sold to third parties
Main vulnerable elements
- Defacement: changing a web page's design to deceive the user
- Web phishing
- Web denial of service attacks
- Impersonation or web spoofing
- Social networks: identity theft
- Negative comments on public profiles
The largest number of these threats are suffered by SMEs and the self-employed, mainly because they do not have the necessary resources and knowledge to avoid them.
Safe telecommuting for the employer
Implement teleworking safely with the following measures:
- Safe telecommuting
- Remote capacity and security
- Comply with LOPD
- Awareness measures
- Type of devices, corporate or personal: they must be kept updated / backup copies / replacement of equipment
Secure remote access
- A VPN is the only secure method. We can create our own company network or hire an external service, but in the latter case privacy is reduced.
- Remote desktop is not recommended
- If we opt for Wi-Fi we will have to enable WPA2, although that will not protect us against a signal jammer. It is better to use a cable.
Safe use of the network
- If we want to contract a VPN service, it is advisable to investigate the provider, its conditions, reputation and characteristics: end-to-end encryption / VPN within the EU / that offers log recording / LOPD compliance that satisfies the company / scalable service
- Wi-Fi: add network to VPN: firmware + secure password. WPS and WEP are insecure
- IoT devices are vulnerable: they require multi-factor access control and security patches
Security in videoconference servers, backend and social networks
When carrying out work by videoconference, we must also take care of internet security.
- SSL encryption
- Private meetings through password access
- Protected backend
- Social networks: multifactor authentication
Prevention and awareness
One of the easiest points to implement in the company in terms of cybersecurity is related to staff training.
- Use of team apps, not private or personal ones
- Each company must have certain data and intellectual property restrictions
- Awareness: use policies / data protection / threat detection (spam, phishing…) / incident reporting / confidentiality agreements.
These are some of the most important aspects about which the company must inform its workers, especially in the field of teleworking.
Safe telecommuting for the employee
- Secure telecommuting environment
- Prevent family members from accessing company data
- Use of strong passwords
- Monitor physical devices and prevent loss or theft
- Comply with the LOPD
- Avoid sharing one device between personal and professional use
Remote access security
- Strong passwords
- Two-factor authentication on PC and mobile
- Updated Systems
- Use of antivirus
- Disk encryption
- Backup copies of all media
- Use corporate intranet resources if possible
- Use the home network and avoid public networks. Wired is better
- Use WPA2 and disable WEP
- Remove non-essential and unofficial apps
Tips to improve cybersecurity
- Spam emails: avoid clicking
- Antivirus on all devices
- Choose a secure Wi-Fi password
- Social network profiles: we must be careful with the data we share
- Messaging: do not use professional equipment for personal messages
- Do not share financial information
- If we must send money, always do it on reliable sites
Other considerations
- Use multifactor access and do not store credentials by default. Use a password manager
- Configure home computers according to company standards
- Update settings and equipment
- Separate work and personal
- Secure direct messaging
Fraud and other incidents
In the field of computer security there is no such thing as zero risk and there is always the possibility of being the target of some type of cyberattack. Some of the most recurrent are:
- Fraud
- False sales
- Outdated equipment
- Malware infections
Dealing with an incident
What happens if, despite the measures implemented and complied with, we have to face a computer security attack?
We must take the following steps:
- Form an analysis and management team
- Inform affected parties, data protection agency and police
- Recover affected systems
- Cybersecurity policy
Business continuity
- How to react: contingency plan and business resumption
- Actions to be carried out
- Set recovery period
- Mechanisms to evaluate defects
Each company must have a contingency plan to deal with this type of situation. Having a plan and qualified personnel to carry it out can make a difference in the activity of a company.
Best Practices
Finally, it is advisable to introduce common practices across the whole company in order to reduce the chances of suffering a cybersecurity attack.
- Access control / connection security / recovery
- Security patches, copies and antivirus
- VPN usage
- Cable before Wi-Fi
- HTTPS
- Implement company policies in the telework modality