With so many online threats, how can you protect your business and client data while working from home? In this Cyber Security based webinar, Virtual IT Director, Michael Hamer advises you on how to build the best defence.
Cyber Security Webinar:
- What are the risks of working from home? (04:50 – 06:14)
- Why are you more at risk at home than in the office? (06:14 – 10:29)
- Why is the risk high right now? (10:29 – 12:05)
- What you can do to improve your home security? (12:05 – 12:09)
- What can home workers do to increase network security? (12:09 – 17:02)
- What can your manager do to help? (17:02 – 18:05)
- Which tools do you need to securely work from home? (24:49 – 44:20)
- Q&A Section (44:20 – 52:45)
Michael (00:00 – 04:50)
Hello, I’m Michael from Netitude, thanks for joining us today and let us know that you’re here by saying hi in the Q&A section. There’s a little chat bubble with a question mark in the top right-hand corner of your screen, you can use that to say hello to us, and also ask any questions you might have during the course of the webinar.
Once you’ve said hello, also if you want to let us know, um, if you’re working from home at the moment and whether, you know, what the long term plan for that is, is there a long term strategy for working from home? Or at the moment is it still a reaction to lockdown and just the lack of certainty around exactly when that’s going to end.
Hello James. Good morning, Laura. And hello, Lily. Morning, Simon, mostly back in the office now. I’m just going to hold on for a minute or two longer and then we’ll, we’ll kick things off.
A lot of time working due to coronavirus, for James and I think that’s pretty common at least where it’s easily done, whether where the job allows it. Most people, I know you were still working from home anymore, have started doing shifts in the office with a reduced number of staff in the office. Um just to be able to mix and get people out the house.
At least for us at the moment, now we’ve got shifts of a couple of people working in the office if they prefer to, but for the majority of staff, um, still perfectly able to work from home. But one of the benefits of being in an IT company is that we’re very well set up to be able to do that. Okie dokie, let’s get started.
So if anyone hasn’t found the Q&A button yet, this is what it looks like and it’s going to be somewhere up here for you.
The topic for today is staying cyber secure while working from home. My name’s Michael, I’m a virtual IT director and Account Director at Netitude. I’ve been working in Netitude for just under two years now and I’ve been working in IT for about nine years. One of the things I really like about this role at Netitude is that I get to talk to lots of clients about these kinds of things, looking at their IT in detail and really seeing how we can make improvements, make it more secure or just make it easier for people to do their job.
So, what I’ve broken this down into is why you’re more at risk at home. So that’s going to try to just be a brief explainer on why, why we’re concerned about this in the first place. Second, what anyone can do to improve your home security. These things would even apply for your home IT not necessarily just work IT. And lastly, what sort of tools and software you can use to help staff or help anyone actually guarantee that they’re working more securely from home.
What are the risks of working from home?
Michael (04:50 – 06:14)
Section number one, what is the risk that we’re talking about here? It’s going to be something that we come back to, and all the suggestions or the ideas around why we’re going to be doing these things is to try to reduce risks. So the kind of things we’re talking about is something can get onto a computer like a virus and that will cause the same problems. It could also take something off of your system. So client data, personal data, commercially sensitive data, once something is inside your network or inside your computer, those are the kinds of things that could be lost, login details as well. We’d be worried about losing them, and the sort of problems that you see coming off of this: directly financial, say fraud or a breach of compliance. Reputational, it gets out that you’ve lost client data or that you’ve lost some data, and clients all of a sudden are a bit less confident in your ability to securely look after them. And finally productivity. It’s still a costly one. It’s still bad. It might not be quite as long-term impact as the other two though, so your computer has a virus, you can’t do any work because your IT company is helping to fix it.
Why are you more at risk at home than in the office?
Michael (06:14 – 10:29)
This section is a brief look at why there’s more of this sort of risk at home than in the office. So we’re going to start with a traditional office structure. So you’ve got the internet up there at the top. You’ve got a big firewall and that’s the sort of traditional security operation we had in IT, with a big security barrier between the outside world and the inside world. We trust everything in the office network and we’d say no to any outside access, however, times have changed and it’s not really realistic anymore.
What we aim for now is some opening up so people can work from home but applying this idea of defence in depth. If we look at other bits, you’re gonna have some network equipment, you’ve probably got a server, you might have moved to the cloud already, lots of people still have servers, company-owned workstation. You’ve got wifi and because it’s a managed company network it’s got a guest network, so if somebody brings in their phone or a client brings a laptop into the office, they connect guest wifi and we use the security equipment to send them straight out to the internet – we don’t let them get anywhere near your computers.
Looking in detail at what we’re doing here, this security firewall might even be receiving security updates every half an hour. So, like the latest threats, your IT company, we’re checking to make sure it’s up to date, that it’s not got any known vulnerabilities, we’re checking the wifi, every single bit of kit here is going to have some sort of update that needs applying, otherwise it’s going to be vulnerable. Server restarts, and an important bit of a managed service is actually this computer is supposed to have an update, it’s failed for whatever reason. That alerts us, we assign a technician to have a look at it. We make the problem go away. And then we know that the computer is up to date and safe. There’s no chance of it accidentally getting missed for several months and becoming a big chink in this armour of cybersecurity.
At home that looks a bit different. You’ve got an internet connection, you sort of have a firewall but it’s consumer-grade, so it’s a bit more of a simple device. It’s also going to have to come with some default settings. So we know the IP address, username, and password to get in. If you’re lucky, maybe the manufacturer set a more secure password but it’s still not really a brilliant password right there. One of the problems here is that these default settings are known, just to help people get back into their routers to change things that they’ve locked out. You can go and look them up on the internet. So if somebody wanted to do something bad on a home network, they don’t even need to try to guess or crack the passwords because they can just look them up and know what they are in most cases already.
You’re probably mostly connected by wifi; a bit less of a problem if the default wifi password hasn’t been changed, but the similar thing applies. If you’ve got any defaults, potentially somebody just has a list of them ready to go.
Now, this is a problem when somebody brings their work computer home and starts working, rather than all the different layers and all the things that we controlled for in the office, there’s actually a lot of unknowns.
You put your personal laptop here, a personal phone, we don’t know whether it’s had security updates applied, we don’t know if it has antivirus and potentially the risk is even higher. Maybe one of your children’s friends has brought over their laptop and actually they’re quite whizzy with laptops and have been downloading films from BitTorrent or something like that. Something where there’s a high risk that the device is infected and it’s now sharing a network with a company computer.
Why is the risk high right now?
Michael (10:29 – 12:05)
The risk is higher right now. I mean, the obvious answer is why because of coronavirus and lockdown. So this situation that we’re looking at here is what I consider a bit more normal. You’ve got lots of people working in that nice, safe and secure office network and you’d have very few people outside. Maybe it’s just travelling salespeople, maybe they just access email from their phones, they probably already have a company laptop and here we’ve applied extra strong password security and we get them to change it on a more regular basis cause we know they’re more at risk because they’re outside of the company network.
What we’ve done now is very quickly, we’ve had to adjust to working from home. Maybe people have been sent home using their own personal devices ’cause they’re the only ones that were available. Maybe they’re accessing email from any device that they want. Maybe that password security isn’t quite as strong as the people that we previously knew were definitely going to be working from outside, and we’ve got lots of people making that move in one go, it’s quite hard to control the flow, needs to be a really quick response just to be able to continue to run the business. But now is the right time to look at exactly what sort of mix we have here and put together a plan to make sure that long-term you’re moving towards something that allows people to work from home securely.
What you can do to improve your home security?
Michael (12:05 – 12:09)
So, what can anyone do to improve their home security right now?
What can home workers do to increase network security?
Michael (12:09 – 17:02)
Change Default Passwords
We talked about that default password on the router that’s a number one to change. It’s relatively easy, the instructions are published. Probably your internet provider put a little piece of paper in the box asking you to do it and maybe you just haven’t because it works out of the box and it’s easier, but I really encourage you to do that.
Change the default wifi password. Once you’re in there and you’re changing the router’s default password, it’s only an extra little step to update the wifi password and at the same time, you could always change your wifi network name to something recognizable or a bit more fun. If you’re going to change any of these passwords, please do make sure that you write them down on a piece of paper or, um, store the password somewhere secure so it doesn’t get forgotten.
Keep Devices Up to Date
Make sure all your computers, laptops, and smartphones are up to date. So, that’s something we’re looking after for the company devices. But actually a lot of people don’t worry on a day to day basis about whether the computer is up to date. Maybe it’s been pinging you these updates and asking for a restart. Maybe some updates are stuck and you’re not going to know until you go in and check. So whether you’re on a Windows device or a Mac, just go in there into the settings and search updates and see what it’s got to say there.
Install a Third-Party Anti-Virus
Install a third-party antivirus. Both Windows and Mac laptops and computers come with an antivirus already. Year on year, the comparisons show that other third-party pieces of software are better. Bitdefender, Malwarebytes are ones that we recommend, they have free versions and they will improve the level of security on your device. Now, I know lots of people still think that Macs are more secure than Windows. Windows has definitely had a long history of being heavily targeted by viruses, one of the reasons for that was simply that there were a lot more Windows computers out there. So they were an easier target, you could create a virus once and you know it could go on to hundreds of millions of devices. However, Macs are a lot more popular now and as something becomes more popular, it becomes a good target.
Do you need a new router?
One of the things we’re checking for is that the router is up to date and receiving security updates. IT equipment has a shelf life and after a couple of years, it will no longer receive security updates. That means that people will find out things have broken, bad people will know they’re broken, they can take advantage of it and there just isn’t gonna ever be a fix. You can just ask yourself if it’s been hanging around for a couple of years, if you change internet provider or had an upgrade, you might’ve gotten a new piece of kit anyway and you’ll be okay. It’s worth asking the ISP if it has been hanging around but just watch out, they might try to charge you for it. It just depends on who your internet provider is. I’m just going to check the questions, bear with me for one second. I’m just checking the questions in the question and answer section.
[Question] AVG free. How do we rate AVG free? Generally, any third-party antivirus or anything that has a paid option performs better than the Windows antivirus. They all have strengths in different places. These are just the two that we really like. I think if somebody’s already using AVG free, that’s a step in the right direction. I’d still recommend going with these, I trust them more.
[Question] Are free versions really to be recommended? The paid versions better, they might have more features, but generally, they’re not completely cut down products because there’s this concept of uh… Again, back to defence in depth. So these antivirus providers know that if they give antivirus away for free to people that may not be paying for it, they’re actually improving security even for their paying users because more people have antivirus.
I wouldn’t recommend the free versions for business because we want to be able to manage and control it and know that everybody, everything is up to date, but at least in the home absolutely I think the free versions of Bitdefender or Malwarebytes are an improvement on the built-in antivirus.
What can your manager do to help?
Michael (17:02 – 18:05)
There are some things that people can’t do directly but as a manager or just talking to your colleagues, you might be able to help with.
Enable Multi-Factor Authentication
Number one, adding a layer, Multi-Factor Authentication is something we always come back to. It’s a really easy win, it really just boosts the amount of security you have in your accounts in an incredible way. If you’re not familiar with it, when you go to log in, you get a code sent through by text, where you have to enter a code from your phone. You probably do it for online banking or lots of other services already. What it means is effectively you could accidentally lose your email address and password without it being a complete disaster, because the person who steals it isn’t going to have your phone as well. And it isn’t going to be able to log in. I mean, losing those details is still bad, but this can stop a lot of bad things from just happening. It can just stop them in their tracks.
Build Awareness Around Phishing
This is a really big one actually, even in the national news there’s been coverage that since coronavirus and lockdown has started, phishing attempts have gone up. So, I think some of the reasons for this is phishing attempts are more likely, or fraud emails are more likely, to be successful when you’re distracted, when you’re under pressure – and we all are right now. They also have a benefit that you’re not sat right next to your colleagues, so maybe they can slip in an email about why don’t you just quickly transfer this money to this account instead, and because you’re sat at home rather than sat in the office, you can’t just talk to that person. There’s just that slightly higher chance of something going wrong and they know that they’re sending out enough of these fraudulent emails that they’ll be successful. So watch out for them being higher than normal, let your colleagues know – talk to them about it.
The general advice is if you’ve been asked to enter your login details or transfer money, just pause and think before you do it. Especially if the email says it’s urgent, pause and think for twice as long, because that, that, um, talking about it as urgent is one of the ways that fraudsters just try to get you to do these things before you’ve really had a chance to think about it. If you have any doubts at all, speak to the person in question by phone. I’ve seen some really clever ones where you respond by email to say, “Hey, is this real?” And the actual fraudster is on the other end, sending the emails back saying, yes, this is definitely real. And the person actually enters their email account, is none the wiser.
Policies and Processes for Large Financial Transfers
Lots of people already have processes in place around large financial transfers. If you don’t already, now would be a good time to potentially set a limit on how much money somebody can move without talking to somebody in person to approve it. Sort of like the MFA, that is a hard stop on letting these things get too far if they’ve started.
Do Not Send Work Files to Personal Accounts
You can also help colleagues in your own behaviour sharing files safely. Hopefully, your IT set up would let you take what you need from work home, to continue working but there’s always going to be those cases where you’re just heading to the door, you’ve realized you’ve got something you want to check at home quickly and you email it into your personal account because you know it’s already up in your laptop. This should be avoided as far as possible. There are lots of controls on the IT provided systems, personal email accounts you might not have that multi-factor authentication set up. It’s a little riskier.
The same goes with Dropbox or your personal Google Drive account, really handy file syncing tools but again, moving company information into those platforms is not a good idea, one for security and also long term. You can accidentally end up building a separate file structure or somebody leaves the company and without realizing it they’ve taken an important file along with them.
Never Use USB Sticks
USB drives as well. I think that age has really passed. Plugging a USB drive into your home computer, taking it into the office and plugging it into an office computer is a really good way of accidentally transferring a virus and there are also risks to your file and your work. It’s really easy to lose a USB drive and if you’ve got a key spreadsheet on there, there’s no way to get it back. If it gets in the IT systems, there’s going to be a level of backup and a way to recover it. So the message here really is if you think you’re about to do something like this, just have a pause and think about whether a company system provides the same features.
You could email your own company email account and you can log into that from home for most cases where again, Office 365, or on Gmail or Google Drive, and if you are on that for email, you probably actually have file sharing features built-in already that you don’t know about. Now, there are some questions around whether they’re backed up properly, whether they’ve got the proper sharing controls on before everybody jumps in and starts using it wholesale, but just have a think about whether those features or tools might already be available and ask IT or ask someone else whether they have any options and I’m sure we’ll be able to help out with that.
Keep Home Anti-Virus Up to Date
So, what else can we do to help each other? Antivirus update status. IT will be looking after that for company devices. As you saw in the diagram earlier, if an update fails, somebody should be alerted, somebody will fix it. Just check in on your home devices, ask your staff to check-in and make sure that those updates are applied.
Do You Have a Remote Working Policy?
And finally, one of the messages here is that we’ve moved quickly into a situation and we need to decide what the future of homeworking will be and what your policies will be. Who will be allowed to, what devices they’ll be allowed to have and when you think you’re going to finish moving from this sort of reactionary stage to a point where everything is settled. I think right now we might have eased up in some of the remote access security to get people working and I think there’ll be a lot of understanding for that because everybody’s going through the same thing.
However, the longer it goes on that will reach a point where these sort of security concerns won’t be looked on as kindly because it’s just going to have been so long since the initial need to quickly move to work from home.
Which tools do you need to securely work from home?
Michael (24:49 – 44:20)
So, this next section is looking at ways and software and tools for getting everybody working from home securely. Just bear with me for one second.
I’d just like to check the Q&A
Okie Dokie, so.
Security Versus Convenience
All of these things are going to have an element of security versus convenience. You could be incredibly secure but that makes your IT incredibly inconvenient and that has a knock-on effect for productivity and also in some ways, security. So if you have to jump through too many hoops to work, you’re going to start emailing documents to yourself. You’re gonna use your home Google Drive, even though you shouldn’t. There will be a tendency to do that. Or when you come to work, you’re gonna have so many logins and things to do that you get slowed down.
So, this first set up is sort of the ideal scenario for me as an IT person and that’s because it controls for all of the risks.
In this scenario, we treat everywhere like a branch office and we say you can’t work from home unless – the same as I was showing for the office – you’ve got this firewall, you’ve got IT company provided equipment, a company owned laptop at home, even with an internet connection. However, the drawbacks of this one are really going to be when you start to add on more and more people, it starts getting expensive quite quickly. And actually, there’s quite a lot, a long lead time to get an internet connection installed, so it’s not like somebody can say, “Oh, I’d like to start working from home next week” and you’d have to say, “well, no, because you’re not going to get an internet connection for the next three to four weeks”. And that was before lockdown happens and honestly, I’m not sure if that’s even taking longer right now. But if anyone’s trying to log in from the coffee shop completely blocked.
So, everything’s controlled for, we know exactly what’s going on, but the cost is quite high. The flexibility is low. And I think unless you are in a highly secure industry, like potentially defence, this is probably overkill. It’s too much security and not enough convenience and probably too much running costs as well for most people. So everything else that comes after this, there’ll be some sort of compromise but I think towards the end, I’ll show you a way that for most people is, is a really good balance.
The next one that I’d see as a really secure way of doing things, is keeping your data inside your network. What this means is that you don’t have to worry about what device somebody is working from, whether it’s their own laptop or a company laptop, because actually your data, your information never leaves the office network or at least the company network. It doesn’t necessarily need to be on a server or in an office, this could, this applies just as much for a cloud-based solution.
So, the way this works is we had a secure login and you log into a remote desktop. It’s a little window that pops up, it lets you remote control the computer somewhere else. You might recognize names, so there’s like Remote Desktop, Terminal Server, Citrix, even ConnectWise Control is being used at the moment by some clients as a, as a remote access tool that works in a similar way, does have some drawbacks in the long term. But I wouldn’t go into that right now.
So what happens is your employee’s working from home, they can see this computer they’re remote controlling, all they’re sending to that are keyboard controls and mouse movements and what they get sent back is just a video of what’s happening on that computer. The key thing here is even if you’re working on an Excel spreadsheet of the most sensitive things you can imagine, it’s always inside this, this network. It’s not come home. In fact, from this computer, there’s very little way with the right controls set up for it to come off or be moved out apart from reading it off and typing it up again. Some of the reasons you might not do this everywhere is that you do need a certain amount of server infrastructure or running costs in the cloud to provide these computers to staff, that each one is essentially a mini-computer that needs to be kept available, needs to be managed and needs to be updated. And there’s also a licensing cost just to get it all running.
It’s worth touching on VPNs now, it sounds a bit old fashioned but they are really useful and they’ve probably been used very widely at the moment. So, briefly what that does is in this example, you’ve got a, a computer in the office and they can see the server. So you can get your mapped drives. Your O-drive, your S-drive, whatever you call where you’re sharing your files. But with coronavirus and lockdown, we’ve moved that computer home and it can no longer see the server, it can’t get that, it needs a helping hand to be able to continue to work on those shared files. So we set the VPN up and over the internet, it helps the computer find and connect to those mapped drives.
Now, one of the drawbacks of VPN is that anything that goes over it, because of the way it secures everything, tends to go slower. So you can use the VPN as a security tool in a sense and send everything through the server, through the company network. So, in this case, you want to go to a website and it goes off over the internet, back down to the office and back out of the office to the internet or Teams call. And these extra steps can slow it down unless you have a really good internet connection and the kit in the office to support this kind of high-performance connection. A lot of people don’t have this, so you’d find using the VPN quite slow. What we do instead is anything that is for the internet, Teams, website browsing, it just goes straight out over your home internet connection instead. So, when you’re using VPN that way, and the majority of people are, it’s not necessarily a security tool, it is more of just a remote access tool.
If you have a VPN and you have the infrastructure, the internet connection to be able to use it yeah, it’s really good to use. It’s just not going to be right for everybody to use. And I think the next slide is what we’re going to look at for things would be a bit more suitable there.
Okay, so back to layers of protection. Somebody is working from home – ideally is a company owned laptop because we know that the updates are being done, we know the antivirus updates are being done as well. There is some flexibility for having your own device in the mix but it is less secure and you need to work a bit more on potentially even the policy that you have with employees and with staff and what devices they’re allowed to use.
So, the first thing we’re going to add to this mix is Multi-Factor Authentication. We’ve talked about that one already. It’s an easy win for strengthening security. Another example in this defence in depth strategy, or another layer, is advanced email filtering. So, email is a really good way of getting viruses or getting fraud emails from outside of the network onto your company devices. So if any clients with a support contract, they have filtering built-in and this is something that we apply, just because it’s so useful – but in this example, bad emails trying to come in, it goes through an extra stage of scanning and if there are any questions about it, you can view it in the cloud. So you’re not letting that, any suspicious email, even get to your computer before you’ve checked. If we’re happy that it’s safe, then we release it and it comes through down to the computer.
The other thing that we can do is also try to add an extra layer for the fact that you’re not working behind a big secure firewall as we saw in the office network earlier. We can add some of those protections in a more basic way but it’s still extra layers. So, somebody at home tries to go to the internet and with an extra piece of software, we’re checking what they’re going to. If it’s a known bad website, if it’s a website that we know has viruses or is suspicious or it’s a category that somebody shouldn’t really be going to – gambling, other things that are normally blocked in the office – this software checks what you’re doing, and if it’s unsafe or disallowed, it won’t let you go to that web page.
This is really useful because as an example of how layering works, even if a fancy new fraud email gets through the filter it gets by you get to the computer and you’ve clicked a link to go to a website. This little bit of software is checking to say, hang on, I think you’re going where you wanted to, or where you think you’re going – so I’m going to flash up a screen that says sorry, you’re not allowed to go here, speak to IT and that just works together to make sure that it’s safe before doing that.
In this scenario, this personal device, phone, a tablet is blocked. One of the things we’re going to look at in the next page is a way where if you are more cloud-based, we have quite a bit more flexibility to allow it for the right kind of work.
Another layer is the checklist that we talked about. We can share a blog post that touches on the same topics afterwards so that you can run through it. Doing something like that, making sure everything’s up to date, making sure router passwords at home aren’t set to the default, helps add a layer of defence but it’s not something that can easily be controlled for. So whilst it is really good, a lot of the other things I’d focus on are things that are controlled by IT and managed centrally simply because you know if it’s been done or not and you know if something’s going wrong, we can do something to fix it.
Phishing awareness. Awareness is a layer of defence. You need to be suspicious at all times. And certainly sending around some email reminders saying, “Hey guys, we’re at a point in time where we’re seeing more fraud emails than normal, just think twice before you click anything” could be really useful. But we have seen in the long run, all of the studies, all of the results show that essentially if you’re not constantly being reminded on an ongoing basis, being reminded about the risk of phishing emails, over time you just lose that concern about it and people just tend to forget, which increases your vulnerability.
So, um, some sort of ongoing training around phishing and fraud emails is really useful for just cutting down, making sure that last step is really secure. That can even be pretend phishing emails sent out by us, by your IT company to test people, and if they click on something that they shouldn’t have, if they start to enter their details, well, the good thing is it’s a test email and it can flag up a reminder and say, “Hey, you’ve done this by accident. This is the things that you should be looking out for. And we’re going to send you some training for you to do.”
Now, this step is one that is more for people that are already heavily in the cloud. So, if I was in Office 365, SharePoint – everybody’s in a different stage on the cloud migration. If you’ve got a server, you might be able to do some of the things right now, you might not be able to do all of them so it’s definitely not off the shelf – it depends very much what you have at the moment and when you’re expecting to sort of complete any migration into the cloud. I’d certainly see the previous slide as a good setup for most people and this is something extra that could then be done once you’ve reached that, that point.
So in the past, and a lot of the things that I’ve actually talked about so far the worry or the concern is where are you working? Are you inside the office? Or are you outside the office? A more modern way to approach it that we can do with the right tools is to ask what are you working on? Do we trust the device? Does it have all of these layers that we’ve been talking about? And if say, Oh, maybe for most cases you can actually use it anywhere that you like. Especially because we’re all moving around between the office and from home so much right now.
So in this example, we’ve identified staff members that don’t have any access to really sensitive data, HR, finance, things like that. And we’ve said if you’re going to try to log in from a company device, absolutely go ahead. We trust it completely. So you can log in from anywhere on that, that’s, that’s no problem. We’re not so trusting of your personal laptop and your mobile phones but we know that there’s nothing too risky in your emails, and actually it’d be really useful for you to be able to see that kind of thing from home or from wherever you are. So if you want, you can access your emails from your iPhone, but not files. If you do want to work on files, rather than connecting your laptop to and downloading files, you can just log in to webmail and sort of word online, a light version. But to a lesser extent than, than the remote desktop solution we looked at, you’re probably not moving files onto the computer. But there’s a good layer of separation there where we think that for less risky files, you can actually use it for free the browser and any device, we’re not too worried about that.
However, we know that management has access to a completely different set of files. So we’re going to treat them a little bit differently. We’re going to say if you’ve got a company laptop login and from wherever you want, and you can work quite happily on that. However, we don’t trust your personal devices because we don’t know enough about them. What you’re seeing is quite sensitive. So you’re not allowed any of those types of logins that you have above.
And finally, a really advanced step would say to try to balance this thing where actually management can see everything from anywhere. There’s an Excel spreadsheet. It’s got really sensitive HR details it’s something that wherever the most sensitive thing that you have is, and we can apply an extra rule and say if you’re on a company device and your work in the office, go ahead and work on it. We trust that it will be kept safe there, but actually, if you’re logging in from home, you can’t see that from home. You just can’t log in. You can’t say it’s not allowed, it’s too sensitive to risk at going outside.
So that will be a final advanced step to really tighten up security and also give flexibility, because in this example for most people, what you’re saying is if you have a company laptop off you go and just open it up and start working and we will take care of stopping you from doing anything that’s too risky with it, with this sort of a high level step up here.
Okay, that’s everything I wanted to just talk about for today. Please let me know if you have any questions, that’s what we’re going to be looking at. Now while you sent for any questions I will just run through a quick summary, a quick reminder of, of what we looked at for today.
So, we’re concerned about this because a breach has some sort of risk, financial reputation or productivity. Secure IT requires layers of defence, home networks have less layers – change the default passwords, update, everything that you can – so it’s adding layers. Be suspicious of emails, especially right now. Anything that we did look at doing, you’re always going to have this balance of security and convenience. So decide what your level of risk is or what the level of risk is of different parts of your data and where generally for most people we’re going to head to is a situation where we can trust company devices for most things, wherever they are in the future, we’d add extra controls for the most sensitive data. So that staff can also work quite easily without having to worry about doing the wrong thing because the systems won’t even let you do the wrong thing. So you can just concentrate on, on working. Just bear with me for one second. I’m just gonna check the question, answer.
Michael (44:20 – 52:45)
Okay. We’ve got a question that is [Question] if you were working on a phone, but within a company network i.e. SharePoint is okay?
So that is going to depend on whether it is a personal phone or company phone. One of the things I didn’t go into detail here, but actually we can jump back on and look at is… It’s going to be this slide here. So, if it’s a company phone it’s managed and we don’t worry about it. Yes, absolutely, you can use it. If it’s a personal phone, the question is, do you want, do you trust people to use their own phones or not? If you completely trust them, you can allow free access. And at the moment that is the default. If someone wants to for most people, if someone wants to have their email accounts to the phone, they can. You can wholesale block their phone, or we can actually, that’s also a sort of midway house with some extra checks where we can say yes, you can use your personal phone. But before you do, we’re going to check that it has encryption, that it has a password and it has a lock screen on. And if it has all of those things, we know that we can mostly trust it to have access to company data. And even if you lose it nobody can get on it and we’re, we’ve covered on protecting the data there.
We’ve got another question, which is [Question] a lot of emails are received, have links to join meetings, register for meetings, etc. I usually check the email they have come from, is there anything else I should be doing?
I’ve not actually seen too many fraud emails with meeting invites on. I think if you are already thinking about whether you’ve registered for that email, you know, are you, are you associated with the company? Or have you ever talked to them in the past, should they be sending you a webinar invite? That’d be the first check. You can look at the links and make sure that they’re definitely taking you to a company website, though because so many webinars are run through third parties it’s not always going to be clear. So yeah, in that case, I would just focus on making sure that you’re expecting to receive an email from this company.
[Question] An observation: I recently signed up to VPN service at home and have noticed an increase in speed.
That is really good to know. There’s a whole process of the VPNs where any data that you pass through them gets encrypted and in most cases that will slow things down. So, I don’t think we’ve got anything to fix that loop there, but it’s a good improvement to have. I can’t honestly say I’m sure why that would be happening, but it’s certainly good news. And it’s really good. There are situations where you can use VPN and the slowdown isn’t even noticeable, or it’s not that bad. In which case it is a suitable tool to use and it would be useful to use. Some people with a mix between their home internet connection and whatever internet connection they’re connecting to on the other end of the VPN can experience quite a bad slowdown and it sort of puts people off from using VPN. And I think in that situation, you risk people trying to work outside of the provided systems and making themselves insecure.
So we’ve got a question about the microphone not working, one of the notes. I’m not quite sure on the exact situation. One of the notes I didn’t mention is when you’re using that remote desktop option, highly secure, it can be a little bit more complicated to use Teams because you’re not necessarily working on the computer you’re connected to. It is possible there can be fixes. And I think we’ve got the details, but we can get in contact now with that one.
[Question] Are our thoughts on Zoom still the same, is it still less secure than Teams?
Yes, but it’s still really good for the break kind of situation. We use Zoom for our Friday quizzes at work because we want to be able to see more people’s faces on the screen at one time. It’s not sensitive, it’s not risky information. So that there’s no problem using it there for any client interactions. We’re using Teams right now. And I still recommend using Teams. One, Zoom is now limiting people to 45-minute meetings; they were going longer than that for free during the start of lockdown. Two, Teams is linked to Office 365 accounts. So we’re looking after the username, we’re looking after the password, we’re making sure they’re strong and secure. Zoom, if you have an account, that management is outside of that situation. Zoom hasn’t received a lot of negative news coverage recently, which is good for them. They’re working very hard on security and I think maybe by the end of this year, just because of the negative coverage they have received, it may be that they are incredibly secure. Just one that we need to keep under review. I’d still say generally use Teams for internal or sensitive meetings and use Zoom if it’s suitable for larger public meetings where, you know, nothing too sensitive is going to be talked about.
The next question is [Question] Should everyone let you know when they have changed their mobiles and working on them, so you can check them, if so, what info do you need? Thank you.
Uh if they, if we have all the controls in the right place, then we would know when somebody has a, a new mobile phone, so the point of any of these systems isn’t to add more manual checks because they could easily be worked around or missed. And that’s where you start to have weaknesses that you’re not aware of. The idea is to use the systems so that any of the improvements are enforced or that happening automatically if you’re appearing, this question is appearing is anonymous. So if in the Q&A, you can just let us know what your name is and which company you’re in contact from then. We can have a look at the specifics and work out a, a better answer rather than just the sort of general answer for that one.
Okie dokie, Just give you a few minutes if anyone’s got any other questions or thoughts.
I don’t think we’re seeing anything extra from you right now. So I think we’ve reached the end. Thank you for all coming and attending. It’s been really good to get a chance to sit down and explain all this in detail to you all. We’ll be following this up with an email. So if you have any extra questions respond to that email and we’ll make sure the right person from Netitude sees that and is able to put together an answer for you.
Thank you very much for attending.