The Most Frequently Asked Questions about Working Remotely and from Home
Employees might reflect upon several things when working remotely that they're unsure of or have questions about the staff working from home (either full-time or as part of a hybrid working routine).
We’ve compiled answers to some of the most common questions you might have about working remotely or working from home.
Questions about Working from home
1. What cyber security risks do you face when working from home?
Sensitive Data Exposure applies to electronic devices and physical paper documents/notes. Even family members should not be allowed to see Sensitive Data, which would breach GDPR. The best practice is to implement a Secure Storage Cabinet where all work items (devices, documents, notebooks etc.) can be kept.
Unauthorised Device Access - Even when working from home, your device must be locked whenever you leave it. Even though it may “only be family” that can see your screen, it is still a Cyber Risk
Using the correct device - BYOD (Bring Your Own Device) is a common strategy amongst SMEs and WFH culture. However, if it is implemented, it is important to ensure that work data and personal data are kept completely separate - if an Attacker gets your device, they may be able to gain further access to all the company information if it is not secure. The best practice is to use separate work and personal accounts and ensure strong and unique passwords are used in combination with Multi-Factor Authentication.
2. How can I ensure my home router is secure?
The best way to ensure your router is secure is to change the default password that is supplied by your Internet Service Provider. When changing it, it is important to follow NCSC Guidance of combining 3 random words, letters, numbers and special characters with a minimum length of 15.
For detailed information, read the guidance here.
3. Why do I need backups? How often should I be backing up my files?
Backups are one of the most effective defences against Malware Attacks because if you are the victim of one, and your data is encrypted by an Attacker, you effectively “ignore” the attack by reverting to your Backed Up data and start restoring business continuity from there.
There is no “one size fits all” approach for backups. The schedule will depend on business needs - some may require backups every 12 hours, but for others, it may be acceptable to back up every 24 hours. The most important aspect, however, is to ensure any Backups are stored separately from your business's network - either in the cloud or on a completely separate hard drive that is not network-connected.
4. Do I need to use the cloud for backups?
No, you do not need to use the Cloud. Depending on business size and requirements, an acceptable solution may be to manually back up your business data to a physical storage device such as a hard drive. But this hard drive must be completely disconnected from the business network when not in use.
5. Why is a Password Manager a safer way of storing passwords whilst working remotely?
Password managers take all of your passwords and store them in what is called a vault. However, when each password is put into the vault, the password manager will heavily encrypt its value so that it cannot be read by the naked eye. Then, the Password Manager will have you set an incredibly complex Master Password to access this vault (if you want to add/remove credentials from it). Finally, Password Managers have Two Factor Authentication (2FA) enabled by default, adding another layer of security by requesting you input a code whenever you want to access your secure vault.
6. Why is it important to keep your devices updated?
6a. Do my apps need to be updated regularly?
Yes, all of your devices (computers, laptops, mobiles and tablets, etc) should always be updated with the latest software. This is because the companies who provide the software (e.g. Microsoft) have security teams that search for vulnerabilities in their apps and fix them before Attackers can take advantage. The longer you go without updating your apps, the more vulnerable you will be to an Attacker
6b. Can I automate my device and application updates?
Yes - inside the settings of your device, there will be an option to update automatically, all you have to do is select “Yes”. However, if you don’t want your device to update in the middle of work, you can also select “Working Hours”, and this will tell your device only to install updates outside of that time
7. What is a Bring Your Own Device (BYOD) policy?
BYOD is the concept of employees using their personally owned device(s) for work purposes. With BYOD, an organisation owns the corporate data and resources that may be accessed or stored on a device, but the device itself is the user's property.
8. If you’re using your own device for work, why could a Bring Your Own Device (BYOD) policy be useful for a business?
When employees use their devices, if your budget is tight, you don’t need to buy extra computers, screens, mobile phones, and tablets. Using personal devices is a preference for people who want to stay connected to both personal and work life and with home commitments such as childcare.
If staff are working remotely, your BYOD policy will ensure your team can stay connected without needing to carry multiple devices.
Within a well-structured BYOD policy, employees should feel more at ease with their day-to-day work and help to keep them working in your organisation.
9. What are the benefits of a Working from Home (WFH) or Remote Working policy?
Giving employees access to a hybrid working environment will allow them to work comfortably from their home office. This may be especially useful when offering remote work on a flexible basis for employees with childcare needs, medical appointments or when having work done at home.
Spending long periods travelling to work each day can strain us all, especially with train strikes and cold, wet weather during the autumn and winter months. Remote workers can often feel more motivated and organised when working without a commute, with many workers using their commute time to talk, walk and exercise before and after work.
With more staff working remotely, many businesses in the UK have made cost-savings through reduced reliance on large offices and reduced staff turnover. Staff can often find increased motivation in a role that has introduced flexible hours and be more comfortable with staying in a job and progressing.
Did you know? Members of the Cyber Resilience Centre get access to several Cyber Security Policy and Procedures Templates to help staff you put the right measures in place to ensure your business has clear security strategies and can respond efficiently if an incident occurs. Learn more about our Membership options for your business.
10. What key things should be covered in a Working from Home (WFH) or Remote Working policy for a business?
Explain why you’ve created the policy and which members/teams it applies to. For example, you may want to clarify whether the remote worker policy is in effect only temporarily or if your business has decided to offer all staff flexible working contracts. Specify whether your contractors, part-time employees, interns and new hires are covered by this policy or if it only applies to existing full-time employees who have been with your company for at least six months.
If your business is entirely remote, there may be some eligibility criteria you’ll want to include; will employees need to live within a certain distance, or can they move anywhere in the UK?
Outline who is working from home and when. For instance, your remote work policy may state that people in client-facing roles can only work from home three days per week. You can also create other criteria rules, such as those who have passed their probation can work remotely.
Some roles aren’t suited for remote work; employees needing equipment that can’t be replicated at home access documents available only in the office or regularly interact in person with clients. If there are broad categories of positions that are not eligible for remote work, remember to list them in your policy.
Questions about Working Remotely
11. Why isn’t public wi-fi secure when working remotely?
You may be unaware that an innocent trip to a coffee shop may have threats lurking in the background of their public Wi-Fi network.
Public wi-fi is common in most locations when working remotely; we all frequently connect to them to check our emails or social media without thinking twice. Whilst your local cafe owner may believe they’re providing free wi-fi to try and keep you in-store to buy that extra slice of cake, chances are the security on these networks is minimal or nonexistent.
A Man-in-the-Middle (MitM) attack is a form of eavesdropping. Data is sent from your device to the website when your laptop or phone connects to the Internet. Security vulnerabilities can allow attackers to get between these transmissions and “read” them. Your data could no longer be private and shared amongst a criminal network.
If a public wi-fi router isn’t encrypted, the information sent from your laptop/phone to the wi-fi router could be intercepted. There’s also no way you can tell if a public wi-fi spot has got the necessary encryption.
Attackers way look to slip malware onto your computer without you even knowing through public wi-fi. If attackers know of a software vulnerability, they may use a busy public location to write code, target a specific vulnerability, and then inject the malware onto your hundreds of devices through a public wi-fi network.
Wi-Fi snooping is what it sounds like. Cybercriminals can buy special kits and devices to eavesdrop on Wi-Fi signals. This technique can allow attackers to access everything that you are doing online. From viewing the whole webpages, you have visited (including any information you may have filled out while visiting that webpage) to being able to capture your login credentials and even hijack your online accounts.
Rogue public wi-fi networks trick victims into connecting to what they think is a legitimate network because the name sounds reputable. Say you’re staying at the Hotel Easy and want to connect to the hotel’s Wi-Fi. You may think you’re selecting the correct one when you click on “HotelEassy,” but you haven’t. Instead, you’ve just connected to a rogue hotspot set up by cybercriminals who can now view your sensitive information.
12. Is public wi-fi more secure than a mobile hotspot?
The biggest threat to free Wi-Fi is for a hacker to position themself between you and the wi-fi point. So instead of talking directly with the wi-fi router, you'll send your data to the hacker, who might exploit this data.
Using a phone hotspot can increase your security; your mobile connection is secured and private as you would be making a phone call or using your phone to browse the internet. Most phones now are using 5G networks which use 256-bit AES encryption; this blocks fake mobile network transmission sites (referred to as stingrays) and encrypts your phone’s ID during transmissions.
Did you know? The Cyber Resilience Centre has released a new guide on Cyber Security myths. Are Password managers unsafe and a risk to your business? Is Public Wi-Fi actually safe to use?
13. What is a Virtual Private Network (VPN)?
Virtual Private Networks (VPNs) allow businesses and organisations to provide secure connectivity between devices, especially if staff work remotely.
14. Why would using a VPN help secure your laptop/phone/tablet when working remotely?
VPNs are encrypted network connections that allow remote employees to access your company's services securely. VPNs are one way to guarantee the security of 'data in transit' across an untrusted network. If you have offices in multiple locations, you can use VPNs to provide access to your remote users for any corporate email and file storage services.
15. How can you help staff identify phishing emails when working away from the office?
Phishing remains the most common type of cyber-attack - affecting 79% of businesses in 2023 - and results in the largest financial losses for companies.
Phishing is a tactic used by criminals who try and trick you into clicking a bad link that can download malware or try to encourage you to hand over passwords or account details.
Look at the email address, not just the sender. Do they match?
Check the spelling and grammar, are the domain, name, sender's name and signature spelt correctly?
No legitimate company will send emails using ‘@gmail.com' or ‘@hotmail.com'.
Did you expect to receive the email or attachment? Don't open an attachment unless you are fully confident that the message is from a legitimate contact or company.
Travel and Tourism companies can be targeted by phishing attacks during the summer month; learn how to stay secure here.