When your municipal employees work from home, one thing that might not be on their minds is information security. That’s where your town or city needs to ask some tough questions and ensure you are not exposing your files, documents, and databases to cyberattackers while also risking permanent data loss.
If people are not used to working remotely and you’re not used to supporting remote workers, you may not realize that various security vulnerabilities exist that don’t necessarily appear at the office. Teleworking introduces increased cybersecurity risks as employees work from home with their personal computers. Here are some areas you need to assess.
While ideally you should give your employees municipal-owned and supported computers, employees may be using their personal desktop computers and laptops when working from home. When employees use their own personal computers, security risks include:
Most employees will have a wireless router of some kind set up at home. Many people do not pay attention to the security of that device, leaving it unprotected or protecting it with a weak password (like “123456” or a simple, easy-to-crack password such as their name or favorite sports team). Along with using weak passwords, many people do not know about basic WiFi security settings (such as using WPA2 security instead of WEP security).
You might think it unlikely that a cyberattacker would select your employee to attack through their home or office router. Think again. Cyberattackers can be anywhere, and you may never know if someone is spying on your employee’s computer as your employee accesses sensitive municipal information.
A personal computer attached to your city's network through a VPN could become the gateway for a cybercriminal to enter your network. VPNs work well when the employee is using a city-owned and supported computer, but they are not a good idea to use with a personal device. That’s because personal devices are susceptible to security vulnerabilities—and we just talked about some of those vulnerabilities above. Are you willing to trust the security of all your city data based on your employees’ device security? Do you feel they are securing their devices to the best of their ability?
We encourage you to read our recent article, “Tips to Help Municipal Employees Fend Off IT-Related Coronavirus Scams,” which goes into phishing and scamming risks in detail. Are your employees ready to recognize and fend off email phishing scams, spear phishing scams, communications where the scammer pretends to be your IT vendor or department, or coronavirus-related scams?
Devices that use poor encryption, or none at all, can be easily hacked by cyberattackers. Are you confident that the data your employees access and transmit is sufficiently encrypted so that a cyberattacker cannot easily read and steal it? Encryption covers applications, web browsing, file storage, email, and data on their computer.
If your employee accidentally destroys or damages their device, downloads malware, or makes a mistake when handling municipal data, then what happens? Are they able to recover that data? Or is there a big risk of permanent data loss? Employees who store data on their local hard drives may lose important data permanently if it’s not backed up. If employees have access to data in a centralized location, is that data protected from unauthorized access, deletion, and corruption? Does an offsite backup component exist to ensure you can recover from accidental data loss?
Cities can mitigate these cyber threats by implementing the following best practices:
Original Date: 5/6/2020