Teleworking without cyber risks

Cyberattacks are among the ten most serious threats on the planet,  according to the World Economic Forum’s 2020 Risk Report . And even, cybercrime generates annual profits of 600,000 million dollars and is more profitable than drug trafficking, which moves about 400,000 million dollars a year.

These realities give great value to information as a profitable asset that must be protected, aligned with the sustainable strategy and understood as part of the corporate culture.

“It doesn’t matter how much technology and controls you have if your human team doesn’t make good use of them,” says Lida María Montoya, IT manager at Cadena SA, a company that started remote work a week before the quarantine was decreed, with a strategy gradual for 200 employees, and that today it has 420 people who work from home.

“The crash plan required us to ensure, in record time, that all the computers had antivirus updates, VPN installations and were inventoried, at the time the company left,” explains Juan Carlos Lujan Duque, Director of Information Security in Chain SA

For their part, spokespersons for Bancolombia, which has 19,500 employees working from home, highlight that the remote work plan included a “donation” or obtaining thousands of laptops among all areas in order to send the largest number of employees to telework possible, which required setting up the security equipment to facilitate the remote monitoring of data in real time, as was done at the bank’s facilities.

Among others, untimely teleworking required companies to have signed, as part of labor contracts, commitments to good use and compliance with safety recommendations and manuals, to have technological control and monitoring attachments, and mobility supports.

The support of the internal communication and human management units has also been key to sensitizing the human team about cybersecurity situations that may arise and the possibilities of dealing with them, how to use the devices correctly and have safe behaviors.

But beyond that, understanding how cybercriminals think and act makes it possible to implement and socialize good data protection practices in terms of being thoughtful when receiving, opening, and sharing information.

Corporate teleculture changed offices and business corridors for   telephone  chats , extranets , video calls, and virtual channels that keep people together and almost inside the office. Today, standing aside is not possible, but it is possible to share the screen, see each other talk and make decisions.

1. 1. Make regular backup copies on external or corporate media.
   2. Close work sessions and apps when you’re not using them.
   3. Use double or triple factor authentication to make financial transactions.
   4. Work in spaces where there is no risk of losing information due to equipment damage, this includes moving away from food.
   5. Avoid sending files with corporate information through unofficial means such as WhatsApp, Dropbox, Wetransfer or free domain emails, among others.
   6. Do not connect to unknown networks or USB ports.
   7. Do not install applications that do not come from reliable sources, from official stores or that require permissions to access confidential information (agenda, geolocation, contacts, etc.).
   8. Keep the operating system of the equipment up to date.
   9. Do not lend your company devices to your family.

1. 1. Activate multifactor authentication in email accounts and tools (access to systems after two or more proofs of identity).
   2. Before enabling services on the Internet, evaluate that contingency actions do not affect data security.
   3. Update the operating system on all devices with the latest security patches released by the manufacturer.
   4. Install and keep antivirus software from a reputable manufacturer up to date.
   5. Deploy storage solutions like corporate Onedrive and Google Drive to store collaborator files.
   6. Permanently monitor the infrastructure of the services used by employees who work from home in order to analyze possible unauthorized actions. Generate backup policies to avoid information loss.
   7. Implement encryption policies on computers, servers, and transactional tools to protect information.
   8. Use comprehensive and centralized protection tools for devices.
   9. In the event of device loss, configure security measures to protect corporate information (location, screen lock, remote data wipe, and monitoring of running applications).