Special Reports
A special report is content that is edited and produced by the special reports unit within The Irish Times Content Studio. It is supported by advertisers who may contribute to the report but do not have editorial control.

Training is the key to reducing cyber risk

Remote employees must avoid ‘cross-contamination’ by maintaining the separation of work and personal usage

Remote workers need to be trained to identify potential cyber attacks
Remote workers need to be trained to identify potential cyber attacks

“The nature of today’s workforce is truly mobile with the use of laptops, tablets and smartphones. This means that all users are in essence a type of remote worker,” says Justin Moran, head of governance and security at telco Three Ireland.

“In the current environment end-users who are accessing a company network – whether remote or in the office – are often the most likely target of malicious hackers who are seeking to gain a foothold and entry point into an organisation. For this reason policies and procedures alone are not sufficient. It is imperative that companies launch a proactive information security communication and awareness programme which grabs the attention of end-users and highlights the most likely threats,” he says.

While remote working may give the impression of a more “relaxed” work culture it in fact amplifies the necessity that certain policies are stringently adhered to, says Catherine O’Flynn, partner and head of employments and benefits at law firm William Fry.

“Employees must maintain the separation of work and personal usage, avoiding the forwarding of emails containing attachments or company confidential content to personal email accounts or devices as such cross-contamination can potentially expose a business to the unintentional disclosure of sensitive data,” she says

READ SOME MORE

Employers should review their confidentiality and data protection policies, and implement new measures that specifically deal with remote working.

Whilst it may be acceptable for files to be left on an employee’s desk within the controlled confines of the office, the same may not apply at an employee’s remote workspace, she adds.

If employees are handling physical files containing sensitive data from their remote workspace they must be aware that company data protection and confidentiality policy applies, and that they must take steps to protect the confidentiality of these documents.

“Similar concerns should also be considered regarding the security of telephone and video calls made by employees in third party spaces. Likewise, employees should be advised to unplug Alexa/Google or any other smart device that can ‘listen in’ while on Skype or Microsoft Teams calls to avoid potentially compromising sensitive information.”

The best way to educate users is have a training programme in place, says David McNamara, managing director of cyber security company CommSec. This will provide the tips and tricks that can help keep an organisation safe, such as hovering on an email link that might look legitimate but isn’t. “It might just be that the o in the address purporting to come from Microsoft is actually a zero,” he points out.

Cyber criminals play on human weakness too, with urgent calls to action for things like CEO fraud, wherein accounts payable might get an email purporting to be from the boss, saying pay money to this account now to seal a deal.

Training staff about the dangers of social engineering means they are alert to cases which he has come across of people calling into a receptionist to say they are here for interview but spilled coffee over their CV and asking if the receptionist could print one off. “They hand over a USB key and that’s it, they are in,” he says.

Cyber awareness training also ensures staff know to be careful of what they post on social media. “Have false profiles,” he advises. “Never give your date of birth. People can simply go to Facebook, get your date of birth, see your cousins and know your maiden name, and that your favourite pet is called Fido. With that they can access your bank account.”

Talking about their own bank account, as opposed to the firm’s one, can help. “By now everyone is aware of cyber risks but it’s natural for humans to become complacent over time,” says Dani Michaux, EMA cyber leader’ at KPMG. That’s why it is essential to engage employees at an emotional level.

“Businesses should communicate not only why cyber security matters but also what’s in it for them personally,” she says. “Our natural instinct as humans is often to resist change, so striking an emotional chord is essential to landing the message with employees.”

Sandra O'Connell

Sandra O'Connell

Sandra O'Connell is a contributor to The Irish Times