Michele Colajanni, Scientific Director of the Open Program in Cyber Security Management of Bologna Business School, shared with the BBS Community some advice for employers and employees on working independently while safeguarding data security and the confidentiality of company information.
Among the emergency measures provided for by the Decree, smart-working has been adopted by companies that until then had not used this way of working at all.
“I see smart-working as the greatest opportunity for awareness-raising on what is the correct cybersecurity scenario. Finally, now and only now, companies are worried about the centrality of the employee, his devices, his behavior and the data he treats to guarantee safety. It was like this before, but they hadn’t understood it enough. Therefore, generalized smart-working is welcome because, even when we return to the presence, I am confident that good practices will remain. Resistance to change also applies to the reluctance to go back. There are various elements to keep in mind, and if the recipe book that follows seems trivial to most, it is a good sign.
‘I am safe from home because I access my company’s data and services via VPN’ is another misspelled phrase that I often hear. The VPN is an encrypted communication protocol that protects the connection from data interception. If you access the company from an infected computer, no VPN protects the company; on the contrary, the infection arrives in the company in an encrypted and therefore even less detectable way. So, the first goal of the smart worker is to do everything possible to keep his computer from becoming infected.
The more structured companies provide their computers to their employees with the necessary software already installed without the rights of the system administrator. However, even if the computer is personal, the tool for working in smart-working must only be used to work, not given to others and even less used to download and install applications, games and video players.
It is necessary to buy another laptop for these activities; the cost is affordable and the investment has a clear return. It should also be considered that the computer is not an appliance, but an instrument that grows with you and that must be treated like a seedling. All applications must be updated and those that are not indispensable ‘pruned’; it is good to clean up the ‘weeds’ with a certain periodicity; there are many cleaning products, although you should always pay close attention to what you install. Without a doubt, some defense technology must also be used.
First of all, the default password of all devices must be changed, starting from the modem for WiFi. And then a good antivirus must be chosen and installed together with a personal firewall, as at home you are not protected by the corporate one. To allow true smart-working or even just the current remote-working, the company must activate a service, internal or outsourced, that can respond to the various technological needs and probable malfunctions that employees will experience. Finally, there are the most complex elements to improve security and ensure the use of uninfected computers for smart-working: human behavior.
The list is long, but many good practices do not change if the employee is in the company or not: do not disclose information externally, do not share passwords, do not accept social contacts from those you do not know in person, save your data. If you use differential or incremental backup systems, it is not incorrect to carry them out at the end of each day; in any case, never exceed the week. I left a note on e-mail, a wonderful tool that, being born in 1971, should be considered for what it is: insecure by design.
Still, its convenience makes it the most popular medium for employees and, consequently, for attackers. Although the servers have been integrated with excellent antivirus, antiphishing and antispam technologies, the real defense lies in the user. No problem if the email does not contain links or attachments. Otherwise, a lot of attention must be paid before the click, even if the email comes from a known person”.
Data security and its management are essential for any organization, even more so in a period of crisis such as today's. The Open Program in Cyber Security Management addresses new vulnerabilities that no business or organization can afford.
Author: Michele Colajanni