Who Can It Be Now? (Wo)Men At Work
You are a fully remote business. You think you have all of your ducks in a row regarding risk management and business continuity. You *think.* Let’s make sure.
You already thought about cyber security and have your team use VPNs and MFA to log into the system. That will keep cyber criminals out! Meh. You’re more able to keep them out than without those two layers of protection BUT there are still things you have to consider that are threats. And the call is coming from inside the house!
If you aren’t training your staff on phishing tactics, you might as well have put all your passwords on your homepage. To quote one of my favorite bank heist movies – The Town – the state of the art vault is only as good at keeping thieves out as the person who has the key to let them in. In this instance, your untrained employees all have the key and are leaving the door unlocked. The easiest way to get people to open that door? Use the most effective phishing email ever: “attached is the bonus schedule.” Everyone clicks on it. That is an example of accidental exposure letting the enemy inside. But what if the enemy is already inside?
Most people don’t talk about the disgruntled employee who wants to do great damage to the company. It’s been an easy thing to accomplish. The first thing to do to protect your company is restrict or terminate access to accounts that employees don’t need to do their job. Second is restrict the access to cloud storage websites on all corporate computers – it will prevent employees from moving things out of the work environment for their own personal need (employees taking files is very common, even if not for nefarious intentions). If you terminate an employee, immediately make sure access to their accounts is disabled and let any third-party service companies know.
I personally know a person who plead guilty to cyber intrusion after the network consulting firm fired him in 2001. The next day, using passwords and user codes obtained during his employment, he remotely accessed the company’s servers and destroyed data and files. More detail of the story is he used his friend’s computer (who also worked at the firm) to remotely access the network. So also tell employees not to allow their recently fired friends to have unsupervised access of their home workstations!
Ok, enough about cyber! We’re good – we have it all covered! What about preparing for physical structures? Have you thought about whether or not the location of your servers is in a disaster prone area? And if it is, do you have a backup location or plans to move it?
That’s your only concern, right, if uou don’t have a physical office building? Yes and no. Correct, you do not have a physical office building so that’s something you can scratch off the list. But what do you have? Fill-in-the-blank amount of physical home office buildings (homes!) for every one of your dispersed employees. Are your most vital employees congregated in Tampa, FL? You should be thinking about how they are practicing business continuity in their own homes. You should also think about how if one whole group is taken out for at least a week, can the other work-from-home employees take on the extra workload.
Here’s to pondering and planning! Who can it be now? (Wo)Men At Work. All your work-from-home employees for a variety of reasons. Just because they aren’t under one roof doesn’t mean you don’t need to worry about them.
- Secure and restrict access for current employees
- Train on phishing but be prepared for that to fail (part of business continuity is preparing for failure)
- Recognize every location your employees are at requires a minimum form of disaster planning.