Until good cyber hygiene practices are truly ingrained in workers’ approach to how they use their devices, IT managers must show the way
You know who hasn’t been bored by coronavirus isolation? Hackers. As more government employees work from home, often from their personal computers, it’s not uncommon for some basic levels of cyber hygiene to have slipped. This, in turn, has broadened government networks’ attack surface and made the job of the IT manager that much more difficult.
Cyber hygiene in the work-from-home environment is absolutely critical, and it falls to IT managers to communicate not only its importance but best practices as well, even if those practices seem elementary. Remember that the government took on the responsibility of explaining the basics of virus prevention and hygiene at the outset of coronavirus isolation. Similarly, it’s up to agency IT managers to explain the basics of cyber hygiene to employees – especially now, when work and personal activity are likely happening on the same computer.
The risk is multiplied for agencies that have relaxed their bring-your-own-device policies. With more employees using their home computers for non-classified work, agencies may be facing increased security vulnerabilities from phishing efforts that target remote workers’ home computers via their personal accounts, VPNs or streaming entertainment services.
Communication is critical
So what's to be done? In a nutshell, regular, proactive communication. Don’t take the hygiene of employee devices for granted. Many employees simply don’t know enough about the basics of cyber hygiene, and the IT team must educate them.
Is it a hassle? Of course it is. Agencies that don’t do this work, however, will have a much bigger job cleaning up the mess that comes after.
IT managers should make it a point to routinely email staff (even weekly, if necessary) with the basics of cyber hygiene. Get employees to focus on security from the outside in – from Wi-Fi to the device itself. Among the policies to communicate:
- Make sure Wi-Fi is locked down.
- Make sure any guest network default is also locked down, with settings and virus definitions all up to date.
- Make sure anti-virus and malware detection software is current.
- Make sure systems are scanned, updated and rebooted regularly. Employees may be ignoring updates, and an unpatched system is obviously the biggest possible point of entry for hackers.
It may seem elementary, but it’s like hand washing to prevent the spread of the coronavirus. We may have been lax about it previously, but it has to be part of our routine from this point on.
Communication among teammates is equally important to ensure that slip-ups in employee cyber hygiene don’t wreak havoc with security. For example, don’t underestimate the importance of authentication. There are many two-factor authentication options to consider – one-time passwords, SMS, push notifications and so on. Some more recent developments are quite effective against phishing, such as FIDO (Fast IDentity Online), which provides technology-agnostic security specifications for strong authentication.
Access management tools can grant different network permissions depending on where and how employees are logging in. In the office, employees may have access to various servers to retrieve data. For remote workers, those permissions should be narrowed.
Finally, device recognition is a must. Agencies allowing personal devices, whether at home or in the office, must have a system whereby employees enroll any personal device they use on the job by serial number, which effectively limits the people who can log in. All processes must be communicated clearly to employees by the IT department.
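An added example, not from the original article: a minimal sketch of the access decision described above, combining device enrollment by serial number, a required second factor, and narrower permissions for remote logins. The serial numbers, user names, resource names and the extra narrowing for phishable factors are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical): enrolled personal devices mapped to
# their owner, and the resources each login context may reach.
ENROLLED = {"C02XK1ABCD": "alice", "5CG9123XYZ": "bob"}
OFFICE_RESOURCES = {"email", "intranet", "file-server", "hr-database"}
REMOTE_RESOURCES = {"email", "intranet"}
ACCEPTED_FACTORS = {"fido2", "push", "otp", "sms"}
PHISHING_RESISTANT = {"fido2"}  # FIDO credentials are bound to the real site


@dataclass(frozen=True)
class Login:
    user: str
    device_serial: str
    on_office_network: bool
    second_factor: str  # "" means no second factor was presented


def allowed_resources(login):
    """Return (resources, reason) for one login attempt; deny by default."""
    owner = ENROLLED.get(login.device_serial.strip().upper())
    if owner is None:
        return set(), "device not enrolled"
    if owner != login.user:
        return set(), "device enrolled to another user"
    if login.second_factor not in ACCEPTED_FACTORS:
        return set(), "second factor missing"
    if login.on_office_network:
        return set(OFFICE_RESOURCES), "office login"
    if login.second_factor in PHISHING_RESISTANT:
        return set(REMOTE_RESOURCES), "remote login, permissions narrowed"
    # Assumption of this sketch: phishable factors get the smallest set remotely.
    return {"email"}, "remote login with phishable factor"


if __name__ == "__main__":
    for attempt in (
        Login("alice", "C02XK1ABCD", True, "push"),
        Login("alice", "C02XK1ABCD", False, "fido2"),
        Login("alice", "C02XK1ABCD", False, "sms"),
        Login("bob", "C02XK1ABCD", True, "fido2"),
    ):
        print(attempt, "->", allowed_resources(attempt))
```

In a real deployment the serial number should be reported by a management agent or tied to a device certificate, since a value typed in by the client can be copied from an enrolled machine.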
It may seem elementary, but cyber hygiene must become the new normal. Until it is completely ingrained in workers’ approach to how they use their devices, IT managers must show the way.