Remote working is any work that's done away from your physical office. This is often referred to as telecommuting or working from home. The benefits of remote working often centre around being able to achieve success in your daily tasks without the need to commute to an office each day.

Whilst varying levels of remote employment existed before the pandemic in 2020, many workforces were forced to quickly adapt to allow more workers to work from home when lockdown rules came into effect.

As well as fully remote workers, many businesses have staff who have flexible working environments, such as office workers who still want to ensure they have a traditional desk in the office to maintain personal connections with colleagues and meet with clients via the traditional office environment.

Flexible working has also long been the everyday norm for workers who may not have the capacity to work from home on a full-time basis. This includes legal professionals, field sales, building contractors, editorial freelancers, photographers and more.

What are the Risks of Remote Working?

Cybercriminals typically prefer to target people who work in HR or finance departments, as their job involves opening and managing multiple 'office' documents and handling personal and financial data - often coming from a variety of sources - paychecks, invoices, CVs, application forms, etc.

With the continued rise in the number of contractors, casual workers and freelancers, cybercriminals are beginning to shift their focus away from these traditional areas and onto self-employed workers. Freelancers will often communicate with vast numbers of people they won't know personally (prospective new clients). They will regularly open new files from emails and share personal information in their inboxes (invoices, bank details, etc).

As many freelancers work on laptops, mobiles and tablets on the go, they can be using insecure networks, whether that's at home, in the local cafe or in a motorway service station. It all makes them the perfect target for cybercriminals.

Unsupported Devices

Weak security or unsupported networks can leave the door open to threats like 'Ransomware', which allows a hacker to break into your network, encrypt your files, then demand payment before you can get them back.

According to Cybersecurity Ventures, some of the most vulnerable targets for hackers are social media accounts, bank details, personal mail and online shopping details.

Loss of Sensitive Data

When a cyber-attack takes place, more often than not the intention of the attack is to steal a business’s financial details, customer financial details, sensitive personal data, customers’ or staff email addresses and login credentials, client lists, IT infrastructure, IT services (for example the ability to accept online payments) or intellectual property.

Public Wi-Fi

On public wi-fi, network security is often non-existent or very poor.
One form of cyber-attack that often takes place through public wi-fi is a Man-in-the-Middle (MitM) attack. This is essentially a digital form of eavesdropping, and the clue is in the title: when a computer connects to the internet, hackers can intercept its transmissions and read the data if there are insufficient protections in the wi-fi network.

Unsecured Devices

If you were in an environment with a group of people you didn’t know, you would be reluctant to leave your mobile phone unattended and unlocked, right? Regardless of the device and who owns that device, you should never leave a device unsecured when it is not in use.
If you are not using your device, it should always be locked in order to help protect the documents, client information or financial records that are on it.

Confidential Conversations

With remote working, one of the many challenges that freelancers, contractors and consultants face is being able to hold private calls and conversations. If you occasionally work from coffee shops or hotel restaurants and take work calls whilst you are there, have you ever considered what information you could be exposing during those calls?

Hybrid Workers

The more locations that an employee works from, the more vulnerable a business’s network becomes. If you are an organisation that is welcoming the hybrid model, it’s key that you run security scans for all devices and review all applications to ensure that they are safe.

 

Have your staff developed any bad habits whilst working remotely? Are these bad habits creating more risk for your organisation?

Risk Scenarios

Andy: Editorial Freelancer

Andy is an editorial freelancer who offers copywriting services, has a home office and works remotely five days a week. Andy enjoys connecting with clients and supporting his local community at some of the local cafes most Friday afternoons.

  • Andy sends invoices, project plans and contact details of his clients via email without any encryption.

  • Andy uses his mobile phone and tablet that contain unsecured applications, personal accounts and files which hold personal data.

  • Andy often prefers to use his personal email account when replying to clients outside of his working hours.

  • Andy supports local coffee shops when having online meetings with clients - there he takes advantage of the unsecured public wi-fi network.

How can you stay secure?

Working from home can leave individuals and their businesses in a vulnerable position, making them bigger and more valuable targets to cybercriminals.

According to IBM Security's 'Cost of a Data Breach Report 2021', the average cost of a data breach for businesses with 81% (or more) of their workforce working remotely was $5.54m. With a recent rise in device and cloud service usage to perform work-related tasks, cybercriminals have capitalised on this increase, leaving more and more people victims of cybercrime.

Even though there are many ways a cybercriminal could take advantage of your remote working environment, there are many ways you can protect your workspace and mitigate your cyber risk.

Anti-Virus & Firewalls

Ensuring firewalls are enabled is another first step in protecting yourself against cybercriminal activities. A firewall works by blocking or filtering network traffic to ensure your devices are protected against malicious software. A firewall will only allow traffic from sources that meet particular criteria set in the firewall settings and will restrict access to anything that does not meet these requirements. Similarly to anti-virus software, firewalls may already be readily available on your device, yet there are other options available that offer different security and protection levels.

Backup your Files & Devices

Ensure you perform regular backups of your devices and data, and keep these in an isolated, secure location. Conducting routine backups will also allow you and your business to continue operating and avoid downtime in the event of a cyber-attack or data breach.

Passwords

Keeping your login credentials secure and complex is a great way to ensure your accounts are protected. Cyber security experts now recommend replacing passwords with passphrases as they’re easier to remember and more secure.

 

A passphrase is a series of random words with no relation to one another, and including a number and punctuation will only increase its security levels:


‘Storm length month coal 7!’
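
An added example, not part of the original page: one way to generate a passphrase in the format shown above with a cryptographically secure random source, and to estimate how hard it is to guess. The word list, function names and punctuation set are assumptions made for illustration; the 32-word list is a constructed sample and far too small for real use.

```python
import math
import secrets
import string

# Constructed sample list for illustration only. A real generator should
# load a large list (for example a 7,776-word diceware-style list).
SAMPLE_WORDS = [
    "storm", "length", "month", "coal", "river", "candle", "orbit", "walnut",
    "copper", "meadow", "ladder", "pepper", "harbor", "violin", "tunnel",
    "marble", "falcon", "ginger", "pillow", "anchor", "button", "desert",
    "lantern", "saddle", "thistle", "velvet", "window", "yonder", "zipper",
    "basket", "cobalt", "dragon",
]

DIGITS = string.digits      # one digit is appended to the phrase
PUNCTUATION = "!?.,;:-"     # assumed punctuation set (7 symbols)


def generate_passphrase(words=SAMPLE_WORDS, n_words=4):
    """Return a passphrase shaped like 'Storm length month coal 7!'.

    Every word is drawn independently with the operating system's CSPRNG
    (secrets), never with random.choice, which is predictable.
    """
    if n_words < 1:
        raise ValueError("n_words must be at least 1")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    chosen = [secrets.choice(words) for _ in range(n_words)]
    chosen[0] = chosen[0].capitalize()
    suffix = secrets.choice(DIGITS) + secrets.choice(PUNCTUATION)
    return " ".join(chosen) + " " + suffix


def entropy_bits(list_size, n_words, digit=True, punctuation=True):
    """Estimate guessing difficulty in bits.

    Assumes the attacker knows the word list and the format, so only the
    random choices count: log2(list_size) bits per word, plus the suffix.
    """
    bits = n_words * math.log2(list_size)
    if digit:
        bits += math.log2(len(DIGITS))
    if punctuation:
        bits += math.log2(len(PUNCTUATION))
    return bits


def words_needed(list_size, target_bits):
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("Sample passphrase:", generate_passphrase())
    for size in (len(SAMPLE_WORDS), 7776):
        print(f"{size:>5}-word list, 4 words + digit + punctuation: "
              f"{entropy_bits(size, 4):.1f} bits")
    print("Words needed for 64 bits from a 7,776-word list:",
          words_needed(7776, 64))
```

The estimate only holds when the words are chosen at random by the generator; words picked by a person because they are memorable or related carry far less entropy.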

Cyber Security Training

80% of cyber breaches are a result of human error. 

 

It is imperative to ensure you are regularly implementing cyber security best practices and are aware of current cybercriminal trends in order to mitigate your risk.

Cyber Essentials

Cyber Essentials certification is a government-backed scheme that was created to help demonstrate businesses have the appropriate levels of security in place.

 

Cyber Essentials works by evaluating a company’s technology defences to determine the current vulnerabilities and risk level. Once these risks are identified and managed, the company will be awarded the Cyber Essentials certification.

ChatGPT

If you are an employer or in any managerial role, then it's important that you educate yourself and those around you about the potential risks involved when using chatbots.

 

Make sure you clearly define the scope for which employees could use chatbots and the limitations that might be in place.

Staying secure

Andy: Editorial Freelancer

To keep Andy's clients and his business safe, Andy should...

  • When providing invoices, project plans and other sensitive information, Andy should send them via a secured transfer service or an encrypted email account.

  • It's important for Andy to use only his work devices for contacting clients and to remember to uninstall any unsecured apps.

  • Whenever Andy is in a public place and needs an internet connection, he should use a personal VPN or, failing that, use his 4G hotspot when communicating with clients.

Frequently Asked Questions about Remote Working

  • What is Cybersecurity?
    The protection of devices, services and networks — and the information on them — from theft or damage. Download the Small Business Guide to Cyber Security.
  • How much is the Cyber Security sector worth in the UK?
    The UK’s cybersecurity sector is now worth an estimated £8.9 billion.
  • Where do I start with Cyber Security?
    It's important to understand the basics and why cyber security is important to all businesses regardless of size or sector. Download our Cyber Security Guide for Small Businesses and start your journey by becoming a free member of the Cyber Resilience Centre.
  • How do I protect my business from cybercrime?
    If you understand the basics of cyber security, but you're ready to learn more about the practical steps you can take next then we'd encourage you to become a member of the Cyber Resilience Centre or learn more about our affordable services.
  • What is a Cyber Incident?
    A breach of the security rules for a system or service, most commonly: attempts to gain unauthorised access to a system and/or to data; unauthorised use of systems for the processing or storing of data; changes to a system's firmware, software or hardware without the system owner's consent; malicious disruption and/or denial of service. We have created a Cyber Incident Response Pack, which contains documents to help your business plan its response to a cyber incident. These documents are designed to complement any existing plans or assist you in creating one.
  • How do I respond to a cyberattack on my business?
    At the Cyber Resilience Centre, we have access to trusted specialist cybercrime investigators who can support you during an attack and recover digital forensic evidence to help identify who is responsible. We have created a Cyber Incident Response Pack, which contains documents to help your business plan its response to a cyber incident. These documents are designed to complement any existing plans or assist you in creating one.
  • What is a Vulnerability Assessment?
    A vulnerability assessment is a process of identifying existing weaknesses within your network. It can be host-based, network-based, wireless, application, or within your database.
  • How can I stay Secure from the Most Common Vulnerabilities?
    A Website Vulnerability Assessment (often referred to as Web Application Penetration Testing or Pentest) addresses the security of your website (Web application). Websites are mostly publicly available and are there to provide services for anyone with internet access. This makes them a primary target for attackers.
  • What are the biggest myths in Cyber Security?
    In the world of cybersecurity and cybercrime, there are a lot of myths, misconceptions and rumours shared between business owners and employees. The five biggest myths that we hear the most are: (1) Small and medium-sized businesses aren’t targeted by hackers. Cybercriminals are more interested in larger companies. (2) Businesses must buy expensive hardware or software solutions to implement effective cybersecurity. (3) My business has nothing worth protecting from cyber-attacks. (4) Password managers are unsafe and a risk to my business. (5) Public Wi-Fi is safe to use. It’s just like any other wi-fi network. Read our Cyber Security Mythbusting Guidance.
  • What cyber security risks does the recruitment sector face?
    Sensitive data management: A lot of the data that is stored in the recruitment sector is Personally Identifiable Information (salaries, gender, contact information, job description, previous employers, references etc.). Therefore it is critically important that only those who are authorised to do so can access it. This means ensuring all accounts have strong, unique passwords and Multi-Factor Authentication enabled. The best practice would also be implementing a data classification tool to prevent sensitive data from leaving your organisation intentionally or accidentally.
    Phishing attacks / Malware (email attachments): As a recruiter, you will receive vast amounts of CVs as email attachments. As any one of these could be disguised malware, you need to stay vigilant in checking them. The same goes for hiring managers and finance staff of recruitment businesses, as these staff and departments are also more likely to receive malicious email attachments.
    Remote working (lots of staff working remotely, high volume of client meetings): A lot of staff working remotely brings a lot of cyber security risks, as senior leaders will have less tangible control over where their employees work. Staff could be working from unsecured public wi-fi, working on a crowded train and leaking sensitive data to anyone close by who happens to be shoulder surfing, or leaving devices unattended in public working spaces. Learn more with our blog post: The Cyber Security Dangers for Recruitment Agencies
  • What cyber security risks do you face when working from home?
    Sensitive Data Exposure - This applies to electronic devices and to physical paper documents/notes. Even family members should not be allowed to see Sensitive Data, as this would be a breach of GDPR. The best practice is to implement a Secure Storage Cabinet where all work items (devices, documents, notebooks etc.) can be kept.
    Unauthorised Device Access - Even when working from home, your device must be locked whenever you leave it. Even though it may “only be family” that can see your screen, it is still a Cyber Risk.
    Using the correct device - BYOD (Bring Your Own Device) is a common strategy amongst SMEs and in WFH culture. However, if it is implemented, it is important to ensure that work data and personal data are kept completely separate: if an Attacker gets your device, they may be able to gain further access to all the company information if it is not secure. The best practice is to use separate work and personal accounts and ensure strong, unique passwords are used, in combination with Multi-Factor Authentication.
  • Why do I need backups? How often should I be backing up my files?
    Backups are one of the most effective defences against Malware Attacks because if you are the victim of one, and your data is encrypted by an Attacker, you can effectively “ignore” the attack by reverting to your backed-up data and restoring business continuity from there. There is no “one size fits all” approach for backups. The schedule will depend on business needs - some may require backups every 12 hours, but for others, it may be acceptable to back up every 24 hours. The most important aspect, however, is to make sure any backups are stored separately from your business's network, either in the cloud or on a completely separate hard drive that is not network-connected.
  • Why is it important to keep your devices updated?
    Do my apps need to be updated regularly? Yes, all of your devices (computers, laptops, mobiles and tablets, etc) should always be kept up to date with the latest software. This is because the companies who provide the software (e.g. Microsoft) have security teams that search for vulnerabilities in their apps and fix them before Attackers can take advantage. The longer you go without updating your apps, the more vulnerable you will be to an Attacker.
    Can I automate my device and application updates? Yes - inside the settings of your device there will be an option to automatically update; all you have to do is select “Yes”. However, if you don’t want your device to update in the middle of work, you can also select “Working Hours” and this will tell your device to only install updates outside of that time.
  • Why is a Password Manager a safer way of storing passwords whilst working remotely?
    Password managers take all of your passwords and store them in what is called a vault. However, when each password is put into the vault, the password manager will heavily encrypt its value so that it cannot be read by the naked eye. Then, the Password Manager will have you set an incredibly complex Master Password to access this vault (if you want to add/remove credentials from it). Finally, Password Managers have Two Factor Authentication (2FA) enabled by default, adding another layer of security by requesting you to input a code any time you want to access your secure vault. Read more with our FAQ guide to Remote Working
  • What is a Bring Your Own Device (BYOD) policy?
    BYOD is the concept of employees using their personally owned device(s) for work purposes. With BYOD, an organisation has ownership of the corporate data and resources that may be accessed or stored on a device, but the device itself is the property of the user.
  • If you’re using your own device for work, why could a Bring Your Own Device (BYOD) policy be useful for a business?
    If your budget is tight, employees using their own devices means you don’t need to buy any extra computers, screens, mobile phones and tablets. Using personal devices is a preference for people who want to stay connected to both personal and work life, and for those with home commitments such as childcare. If staff are working remotely, your BYOD policy will ensure your team can stay connected without needing to carry multiple devices. With a well-structured BYOD policy, employees should feel more at ease with their day-to-day work, which helps to keep them working in your organisation. Read more with our FAQ guide to Remote Working
  • What are the benefits of a Working from Home (WFH) or Remote Working policy?
    Giving employees access to a hybrid working environment will give them the option to work comfortably from their home office. This may be especially useful when offering remote work on a flexible basis for employees with childcare needs, medical appointments or when having work done at home. Spending long periods travelling to work each day can be a strain for all of us, especially with train strikes and cold, wet weather during the autumn and winter months. Remote workers can often feel more motivated and organised when working without a commute, with many workers using their commute time to walk and exercise before and after work. With more staff working remotely, many businesses in the UK have made cost savings through reduced reliance on large offices and reduced staff turnover. Staff can often find increased motivation in a role which has introduced flexible hours and then be more comfortable to stay in a job and progress. Did you know? Members of the Cyber Resilience Centre get access to several Cyber Security Policy and Procedures Templates to help you put the right measures in place to ensure your business has clear security strategies and can respond efficiently if an incident occurs. Learn more about our Membership options for your business. Read more with our FAQ guide to Remote Working
  • What key things should be covered in a Working from Home (WFH) or Remote Working policy for a business?
    Explain why you’ve created the policy and which members/teams it applies to. For example, you may want to clarify whether the remote worker policy is in effect only temporarily or if your business has decided to offer all staff flexible working contracts. Specify whether your contractors, part-time employees, interns and new hires are covered by this policy, or if it only applies to existing full-time employees who have been with your company for at least six months. If your business is entirely remote, there may be some eligibility criteria you’ll want to include; will employees need to live within a certain distance or can they move anywhere in the UK? Outline who is working from home and when. For instance, your remote work policy may state that people in client-facing roles can only work from home three days per week. You can also create other criteria rules, such as those who have passed their probation can work remotely. Some roles aren’t suited for remote work; employees who need certain equipment that can’t be replicated at home, access documents available only in the office or regularly interact in person with clients. If there are broad categories of positions that are not eligible for remote work, remember to list them in your policy.
  • What is a Virtual Private Network (VPN)?
    Virtual Private Networks (VPNs) allow businesses and organisations to provide secure connectivity between devices, especially useful if staff work remotely.
  • Is public wi-fi more secure than a mobile hotspot?
    The biggest threat on free Wi-Fi is a hacker positioning themselves between you and the wi-fi point. Instead of talking directly with the wi-fi router, you'll be sending your data to the hacker, who might exploit it. Using a phone hotspot can increase your security: your mobile connection is secured and private, just as it is when you make a phone call or use your phone to browse the internet. Most phones now use 5G networks, which use 256-bit AES encryption; this blocks fake mobile network transmission sites (referred to as stingrays) and encrypts your phone’s ID during transmissions.
  • Why isn’t public wi-fi secure when working remotely?
    You may be unaware that an innocent trip to a coffee shop may have threats lurking in the background of its public Wi-Fi network. Public wi-fi is common in most locations when working remotely, and we all frequently connect to it to check our emails or social media without thinking twice. Whilst your local cafe owner may believe they’re providing free wi-fi to try and keep you in-store to buy that extra slice of cake, chances are the security on these networks is minimal or nonexistent.
    A Man-in-the-Middle (MitM) attack is a form of eavesdropping. When your laptop or phone connects to the Internet, data is sent from your device to the website, and security vulnerabilities can allow an attacker to get in between these transmissions and “read” them. Your data could no longer be private and could be shared amongst a criminal network.
    If a public wi-fi router hasn’t got encryption, the information being sent from your laptop/phone to the wi-fi router could be intercepted. There’s also no way you can tell if a public wi-fi spot has got the necessary encryption.
    Attackers may look to slip malware onto your computer through public wi-fi without you even knowing. If attackers know of a software vulnerability, they may use a busy public location to write code that targets that specific vulnerability, and then inject the malware onto hundreds of devices through a public wi-fi network.
    Wi-Fi snooping is what it sounds like. Cybercriminals can buy special kits and devices to eavesdrop on Wi-Fi signals. This technique can allow the attackers to access everything that you are doing online, from viewing whole webpages you have visited (including any information you may have filled out while visiting that webpage) to being able to capture your login credentials, and even hijack your online accounts.
    Rogue public wi-fi networks trick victims into connecting to what they think is a legitimate network because the name sounds reputable. Say you’re staying at the Hotel Easy and want to connect to the hotel’s Wi-Fi. You may think you’re selecting the correct one when you click on “HotelEassy,” but you haven’t. Instead, you’ve just connected to a rogue hotspot set up by cybercriminals who can now view your sensitive information. Read more with our FAQ guide to Remote Working
  • How can you stay safe when using ChatGPT?
    If you are an employee, sole trader or small business, ensure that you are not using sensitive information within your prompts to ChatGPT or any other chatbots. Also, always double-check the responses against other information if the topic you're asking about is something you might not know much about. If you are an employer or in any managerial role, then it's important that you educate yourself and those around you about the potential risks involved when using chatbots. Make sure you clearly define the scope for which employees could use chatbots and the limitations that might be in place. This would come hand in hand with regular review to ensure that it is up to date with any new regulations or legislation that may emerge in the future. Learn more with our guide on the Unseen Risks of Implementing AI Chatbots in Your Business.
  • During the busy summer period, are travel and tourism companies vulnerable to cyber attacks?
    Could an overwhelming summer tourist demand disrupt the good cyber practices within your business? With such a drastic change to how companies work, such as working from home and taking bookings and payments online, your business is more vulnerable to attacks from hackers. Concerns about the safety of corporate devices running on employee home networks, or employees using their own devices while working from home, have been heightened recently. These concerns include businesses and their employees running the risk of letting their good practices in cyber security become too relaxed due to the notion of being outside an office environment. Learn more with our guide on how Tourism and Travel companies can stay protected from Cyber Attacks.
  • What is Cyber Essentials?
    Cyber Essentials is a simple and effective Government backed scheme, supported by industry experts and the Cyber Resilience Centre. The scheme helps you put measures in place to protect your organisation, regardless of size or sector, against a range of the most common cyber-attacks. This includes protecting against threats such as malware, ransomware and phishing.
  • Why should your business get a Cyber Essentials certificate?
    Cyber Essentials helps you demonstrate a commitment to cyber security to your customers and clients with a certificate and badge to display on your premises and website. Having the certificate makes your organisation more resilient against the most common forms of cyber-attacks. It gives your business peace of mind knowing that your data is protected and your security systems are robust, should a cyber-attack occur. It also allows you to reach further business opportunities, as Cyber Essentials will enable you to tender for specific contracts in government.
  • How and where can I become Cyber Essentials certified?
    At the Cyber Resilience Centre, we work with a small group of Cyber Essentials Partners who are official providers of Cyber Essentials and Cyber Essentials Plus Certification. Any members or businesses in the North West should contact us, and we can refer you to a partner in your region who can help you get certified.
  • Does my Business need Cyber Essentials Certification for Government Contracts?
    Cyber Essentials is mandatory for businesses looking for specific government contracts. Without Cyber Essentials, you will not be able to bid for such contracts. Often these contracts will involve delivering certain IT products and services and the handling of personal information.
  • Do businesses in the recruitment sector need Cyber Essentials?
    For recruiters, your business processes large quantities of valuable data, making you a big target for cybercriminals. Cyber Essentials can help protect your business from most cyber threats. With 82% of UK recruitment firms adopting some form of hybrid working, you need to ensure any staff working from home are secure. Cyber Essentials can provide your business with the guidance to make the switch safely. Your recruitment business is built on trust – your clients and candidates need to know their personal data is safe in your hands. Cyber Essentials certification provides government-backed proof your business is taking cyber seriously and keeping your data safe – crucial when looking to retain current customers and win new clients. Learn more with our FAQ guide to Cyber Essentials
  • Why would a law firm need Cyber Essentials?
    A law firm’s greatest asset can often be its reputation, and it only takes 1 cyber incident for this reputation to be damaged beyond repair. However, if you are Cyber Essentials certified then you are safe from over 80% of cyber attacks. Cyber Essentials also helps reassure your Clients that you have good cyber hygiene and practices in place, especially when it comes to data protection, data handling and GDPR. Cyber Essentials can also support your Lexcel certification. Does your law firm have a Cyber Incident Response Plan? Our Cyber Incident Response pack can help you prepare for, respond to and recover from cyber incidents. Learn more with our FAQ guide to Cyber Essentials
  • Does a manufacturing business need to think about Cyber Essentials?
    Manufacturing is an attractive target for cybercriminals. So much so, 47% of UK manufacturers report suffering a breach that cost them time or money. And, with more back-office staff working from home on unsecured networks and devices, the risk is only growing. Cyber Essentials is a government-backed certification that shows your business takes cybersecurity seriously. This makes you an attractive partner and is reassuring to new and existing customers. Depending on what your business manufactures, government contracts could be an important source of revenue. If this is the case, then your business will need a valid Cyber Essentials certificate in order to bid for them. Learn more with our FAQ guide to Cyber Essentials
  • Do I need to have Cyber Essentials before getting Cyber Essentials Plus?
    Yes - If your business wishes to become Cyber Essentials Plus certified, you must first pass Cyber Essentials. In addition to this, you must take the Cyber Essentials Plus audit within 3 months from the date that your Cyber Essentials certificate was awarded.
  • My business has Cyber Essentials, do I need Cyber Essentials plus?
    There is no mandatory requirement for your business to obtain Cyber Essentials Plus. If you wish to bid on government or MoD contracts then you will need Cyber Essentials as a bare minimum. However, having Cyber Essentials Plus shows your company is going the extra mile to ensure security and data protection. If you do not require this, Cyber Essentials can still make your organisation more resilient against the most common forms of cyber-attacks and demonstrate to your Clients that you are committed to being cyber secure.

Where is the most secure place to work when working remotely?

With the rise of remote and hybrid working, are your employees at increased risk of falling for a scam or cyber attack when out of the office?

We looked at the most common remote working environments, explored what risks you may face in each, and collated some of the ways you can ensure your employees stay secure when working remotely.

  • Co-Working Spaces

  • Service Station

  • Public Transport / Train Station

  • Local Cafe

  • Hotels

Give us a call

If you'd prefer to call us and discuss your cyber security needs within your organisation, we'd love to hear from you! 
