Many countries have begun a gradual opening of society after a period of lockdown. Now, some people must go back to work after a period of working from home, where most of us have tried to find a balance between our private lives and work with a more than a few video meetings in sweatpants.
Working from home has emphasized the importance of good cybersecurity habits. This blog will tell you how to build good cybersecurity habits both at the office and home and why it’s important.
When COVID-19 shut down numerous countries and sent everyone home, many got busy working out how to ensure good cybersecurity and data protection when working from home. Not that working from home is a new thing. Many of us have always had the opportunity to work from the home office one or two days a month – it just has not been to the extent and scale that we have now seen until now.
Everyone from tinfoil hat conspiracy theorists to serious institutions was quick to give their inputs to how to manage to work from home in an extended period. The former can always be ignored, and the latter provided great reminders of what basic good behaviour is in relation to cybersecurity and data protection.
It is basically the same good advice that applies to normal circumstances, but the long absence from the secure cybersecurity framework of the workplace means that this advice becomes even more important to follow. At the home office, you are more on your own and help from a good colleague and the IT department can seem far away. Therefore, it is even more important to be aware of your good and bad digital habits.
When we use the word tinfoil hat, we refer to people who perhaps are more likely see the world through conspiracy theories than the rest of us.
The word comes from some of the first technophobes, who used tinfoil hats to keep the ‘dangerous’ electromagnetic waves out.
Habits are basically everyday actions that we no longer question because they are ingrained in our daily life. On one hand, it is difficult to get into habits that we cannot see the purpose of. If you think about it, brushing our teeth every day, twice a day is one of the more mundane things that we do. But because we don’t want bad breath and fake teeth at the age of 50, we diligently do so to take care of our dental health. We think that brushing our teeth works and is necessary.
But when I see the sign at the swimming pool with instructions about washing my body from head to toe before I go in the water AND repeat the entire process if I simply have to get out to use the toilet, then I admit that I do break the rules sometimes. I am happy to take the first trip under the shower, but after a mid-swim toilet visit, I sometimes manage the extra cleaning under the sink and try to act normal while sneaking back into the pool.
I know that it says something about 1,000,000,000 bacteria, but I hardly know what that means and why it’s bad. So, I make up my own interpretation of the rules. I’m not convinced about its importance and going the extra mile simply does not seem worth the effort. That is obviously my own opinion – but when was it the last time you followed the instructions to the letter, when you were standing in your swimsuit at the swimming pool?
The same goes for habits when it comes to cybersecurity and data protection. If we do not understand the importance of a guideline, we make up our own interpretation or avoid it altogether. That’s why I think it’s worth taking a closer look at three good tips that people have shared in relation to the shutdown of society and look at the misconceptions. This may underline why people might not always follow the advice given.
Broadly speaking, protection of the physical access boils down to remembering to lock your machine when leaving it alone. On a Windows machine, it is easily done by using the Windows Key + L when physically leaving the computer. Many people don’t do this because it seems excessive to do this every time when going on a little break.
It’s important to state that it’s not about suspecting that the peers in your work environment have any bad intentions of being cunning data spies. Basically, it revolves around the issue that your work computer gives access to a lot of data and rights that you are obliged to protect. It is your responsibility to make sure others cannot gain access to personal data. If you leave your computer open and freely accessible to anyone in the room, you have in principle given those people access to all this personal data, even if nobody intends on abusing it. In this case, it is not a significant breach of the GDPR nor is it about excessive suspicion of your surroundings – it is about the principle of protecting other peoples’ personal information.
Many see updates as something which is mean to improve their experience of using the computer. It may become faster and the software will run more smoothly. However, this is only part of the truth. Not everyone is fully aware of how important an updated control system and browser is for the basic security on the computer. Even if the IT-department makes sure that the computer is automatically updated, it is common that the employee must themselves allow, approve, and actively complete the installation. The option of postponing the update is tempting. Why should I be inconvenienced with waiting on a time demanding restart and installation process, if I do not think that anything is ‘wrong’ with the computer?
This logic can stand in the way of preventing security breaches on your computer. If you do not complete the update, you risk working with open security patches on your machine. This is reason is difficult to ignore, and hopefully, you may be less likely to postpone updates than before.
This piece of advice is especially important when working from home. Working from home challenges the way we normally work because the need for digital meetings and new ways of communication are required. You might be tempted to use Zoom, for example instead of the approved programme for video meetings (e.g. Teams or Skype).
As private people, we are used to changing to new services and programmes to use without worry. But when it comes to the work computer, the same attitude can have negative consequences. Here, you are not responsible of approving a programme and assessing if it lives up to the many strict demands about personal data processing and cybersecurity, so it can be difficult to understand why you cannot just download, install, and use new programs for work. For example, why can’t you use your private Dropbox for sharing files with a colleague? Dropbox is a legitimate platform. The two main reasons for this are that the workplace must be able to 100% guarantee the safety of a service and must, at the same time, have a 100% overview of where all the data managed by the organisation is stored. If half of the files are messily kept in the employees’ private Dropboxes or private inboxes, this becomes an impossible task.
This was an excerpt of the good advice that the Danish Centre for Cybersecurity has published. We have heard these suggestions before, but it is a good idea to repeat them when working from home plays as big a role as it does in these times. The main point in this article is that even though employees are told to follow the guidelines, the other part of the equation is missing. Understanding why is important.
Unfortunately, there are many misconceptions of why the guidelines are in place. If you think that it relates to excessive suspicion, unnecessary updates, and bureaucratic rules, you are likely to ignore the guidelines and continue your bad habits. If we communicate why the advice is given, then it is more likely that the individual employees make a serious effort to take their cybersecurity responsibilities seriously.