
9 things to consider when staff work from home unexpectedly

Ken Munro 10 Mar 2020

Many businesses are reviewing and updating their response plans currently. Some might consider closing offices. This may be an appropriate response, but have you considered the effect on employees that have never worked from home before?

Security considerations can be quite different, as working on a desktop in the controlled environment of an office is very different from working at a table at home, particularly if it’s the first time.

It’s also important to balance the needs of the organisation and its continued operation with the needs of data protection and security.

Here are a few thoughts that might help you prepare your staff for unexpected remote working:

1. Phishing

We know that scammers take advantage of uncertainty around incidents. Bear in mind that some of your staff won’t be used to working remotely.

Are your staff familiar with using a VPN? If not, have you given them materials to show them what to do and more importantly what not to do? Hopefully they are using a work laptop and not a personal system, but that laptop may be unfamiliar to them.

Two factor authentication for that VPN would be a very good idea, but do you have the time to implement that in a hurry if you haven’t already?

Scammers will be keeping an eye on news reports to identify businesses that have sent staff home.

Staff may be unused to laptops and VPNs, so they could be easier to phish.

2. Rogue phone & email scams

Again, scammers will be alert to changes through the media. Both opportunistic and targeted attackers may contact your staff, claiming to be from the helpdesk.

They will exploit a chaotic situation to explain away inconsistencies in phone number, email format and unusual actions, such as installing software.

Prepare a briefing so that staff know what is and isn’t legitimate contact. What email addresses will you use, plus how does a staff member validate that?

3. Unexpected rogue couriers

Bold scammers may call on staff at their home address with a ‘replacement’ laptop or phone.

In the confusion, it may be difficult for newly remote staff to determine whether they are legitimate or not.

Make sure staff know in advance whether or not to expect couriers to visit.

4. Staff migrating to unmanaged personal messaging systems

Whilst it’s admirable that staff will use anything to communicate and keep the organisation operating, it’s easy for WhatsApp and other unmanaged messaging systems to become the norm.

How long before sensitive data is shared on that system?

Do you have a managed messaging system in place that you could migrate to quickly, if needed? What if the corporate VPN was unavailable?

5. Staff using personal email

This is a higher risk if laptops aren’t provided – staff may misinterpret working from home as working from their home PC.

It takes moments for sensitive customer data to unintentionally be sent from personal email. How do you recover from that?

Be very clear in your briefing materials to newly remote staff about use of personal email.

6. Unmanaged / unauthorised cloud storage

It’s hard enough to keep unmanaged cloud storage and data sharing apps at bay in normal business operation. How do you stop it during times of upheaval and change?

Set a policy in advance that is pragmatic, that enables the organisation to operate, but does not expose data.

7. Invoice fraud may be easier to carry out

Your suppliers may be in a similar position, working from home unexpectedly, making it hard for your accounts payable personnel to validate bank account details for supplier payments.

Suppliers may have failed to plan for home working for their accounts teams, but this should not affect your validation processes.

This creates the perfect opportunity for scammers, giving them the ability to explain away changes in email addresses and phone numbers.

Brief your finance team on how to validate payment details in uncertain times.

8. IT systems may be less stable

Support staff may be stretched with a sudden increase in remote working. Outsourced support providers may struggle, particularly overseas support organisations that are less able to support their own remote working.

Instability and inability to contact support opens the door to the scammer.

Brief your staff about support protocols, particularly around authenticating inbound phone calls from your support organisation.

9. Bring on Citrix!

One quick solution to the remote working issue may be using a remote desktop. It’s worth ensuring that you have sufficient licences and hardware to support a significant uptick in users though.

Whilst you’re there, be certain that it’s well locked down, or suffer the consequences.

Do consider the consequence of a keylogger running on the remote worker’s personal computer, though.