Blog post written by Andrew Wright, Lead Human Factors Engineer at Corporate Risk Associates.
One of the few truly positive things that have occurred following the outbreak of Covid-19 is the amount of goodwill and sharing that I have seen across my personal and professional networks.
There has been plenty of advice and guidance shared in the Human Factors community, from the Ergonomics of remote working as we adjust to the new norm, to the safe use of ventilators for those combating coronavirus on the front lines. The advice given is almost always excellent and I don’t really think there is a great deal that I could add to these particular efforts.
However, when it comes to working from home, I do believe there are other Human Factors issues that also need to be at the front of our minds: our behaviours.
And by behaviours, I’m not talking about rocking up to your home workstation and spending the entire time in your dressing gown and slippers (in fact, on some days I might even recommend this). Instead, I’d like to talk about something that has been in the forefront of my mind based on the work I have been doing this year.
And that is our cyber security behaviours.
As respected professionals, I’m sure you’ll all be very flattered to know that I’d probably trust you enough to leave you in a quiet room with my modest supply of eggs and flour for the week, but for matters relating to information security, we must always be more careful.
And although many of us are working from home, probably many miles away from our IT teams, we must not forget the appropriate attitudes and behaviours that kept our personal and work information safe from individuals who would seek to exploit us.
In fact, working from home likely puts us at higher risk of information theft occurring. Being away from the professional office environment and working at home, it is not surprising that our behaviours could well change and become more relaxed. Social engineering will aim to exploit this and we will no doubt hear many more stories over the next few weeks where Covid-19 fears were exploited by cyber criminals.
So here are a few tips for those working at home, to supplement all of the good Office Ergonomics!
* Pay careful attention to emails requesting personal information, passwords and financial information. Phishing techniques where individuals pose as colleagues, clients or contractors are very effective, especially if they have a convincing email address. Always question whether the request is reasonable, logical and consistent with past exchanges.
* Be mindful that Phishing attempts will likely try to exploit the Covid-19 situation. Many successful Cyber Security attacks include some degree of social engineering. Effective social engineering will try to exploit uncertainties, confusion and fears to coerce information from individuals who have acted before thinking. Be mindful of personal correspondence, noting Point 1 above. In particular:
  * Hover over links to URLs to see if the actual address is legitimate before clicking!
  * Look for poor/inconsistent grammar and tone from the sender.
  * Scan the email address for small changes (e.g. firstname.lastname@example.org).
This UK government web page features examples of HMRC related phishing emails and bogus content: https://www.gov.uk/government/publications/phishing-and-bogus-emails-hm-revenue-and-customs-examples/phishing-emails-and-bogus-contact-hm-revenue-and-customs-examples
* Keep all work on your work machine (and preferably a Virtual Private Network (VPN)): It may be tempting to move your work to a personal device, but the security measures on your home devices may not match those of your work laptop and servers.
* Keep antivirus and anti-malware software up to date on all devices and secure your WiFi: It’s not sufficient for only your work laptop to have the latest versions of anti-virus and anti-malware. Ensure all devices are kept up to date to prevent weak links.
* If in doubt, contact your IT department: A challenging attitude is necessary in remaining vigilant against threats. Whilst this is perhaps easier to maintain in a shared office space, a 2 minute email to your IT department is always worth the time it takes to write if you think there may be a legitimate threat. If it turns out the threat is indeed real, an early warning can have huge benefits in limiting the damage.
* Lock your device: Does this one sound silly? Despite working in isolation, think about who shares your living space, and always remember that if someone knows who you are and thinks you are their ticket to making lots of money, then physically taking your device is never completely out of the question. Always lock your devices.
* Clean desk policy: Managing your paper-based information is just as important at home as it is at the office, e.g. shred / destroy company information when no longer needed.