BT Deputy CSO, GM Cyber and Physical Security Operations and Programmes
Working from home is now part of our daily lives, with many companies letting their employees work from anywhere – full time. And though this comes with many benefits, there are some who are trying to exploit the situation.
With teams dispersed and a greater reliance on technology than ever before, we can’t just turn to the side to discuss or check our thinking or actions with a colleague. Working from home is a change in mindset and behaviour, and such changes can make people behave differently to how they would in an office.
We tend to use our fast thinking, not our rational thinking. Rational thinking takes a bit longer to kick in, so when we feel under pressure, fast thinking may take over. But this can lead to us slapping our foreheads as we realise we’ve made a decision too quickly; one that’s led to a mistake.
And we’re facing pressure from potential hackers trying to exploit the situation.
So – we need to turn on our human firewall.
In our security organisation, we adopt a 3-stage thinking process:
As we all face new ways of working, it’s a process we think everyone could benefit from.
We’re seeing hacking campaigns that are a mix of social media and emails. The subjects vary widely – often making you panic as they seem so realistic.
These kinds of emails make you want to act. They make you feel that time is of the essence. They purposefully engage your sense of urgency, worry and fear.
The digital world is moving so rapidly that normal procedures are impacted. Scammers are focused on this change in work mode. They’re creating plausible stories to draw you in, or making their emails appear to be from someone with financial accountability, or recommending a collaboration download that’ll make working from home easier. The more legitimate the email looks, the better the response they get.
They need just enough intelligence about an organisation and who the accountable people are to be able to direct their emails. All they need is one or two people to act out of character (in good faith), and they could get the credentials of someone in the organisation.
Or they’ll try a broader scattergun approach, or a low, slow working of credentials in an organisation – trying simple passwords that people may be using in haste, something users find easy to remember – until they get access to a mailbox. Then they can set up a forwarding rule, so the user is completely unaware.
If you receive an email, no matter how legitimate, no matter how urgent, take a pause. Take a step back. Ask yourself, ‘Is what I’m being asked to do normal?’, ‘Is there anything strange about this email/instruction?’
If there’s a little niggle at the back of your head about it, pay attention. Think how you can verify if it’s real, how you can keep yourself safe, and who to report it to if you’re suspicious.
It takes no more than 30 seconds to engage your rational brain. Those seconds won’t make much of a difference to the right decision, but they could make all the difference in the world to the wrong one.
Your location and physical security are just as important as your online security. So, when setting yourself up to work from home – particularly when it’s at short notice – try to give some thought to where in your home you’re working from.
Make sure:
- your screen and paperwork can’t be seen through your windows or doors
- your computing equipment is hidden from outside view.
You don’t want to be a victim of theft, and if your computing equipment is stolen, your ability to work from home is taken away too. Follow the same security as you would in the office – lock your screen when you’re not using your computer, and at the end of the day, tidy away any confidential paperwork.
The human race has been successful because of our ability to think ahead, consider different scenarios and plan. So, do that with your colleagues – and especially for the key functions you’re involved with. That way, you can rapidly check and verify key decisions or transactions.
And make sure you:
- use your rational brain
- stay aware
- try to think ahead.
If you’re facing a security threat or have fallen foul of a scam, don’t be embarrassed, but do act quickly. Your security team is there to support you, reduce the potential impact and protect you. Make sure you know who to contact if you need them and together, we can do our bit to help our businesses and communities survive during these challenging times.