Manage cyber security when staff are working from home

December 2021

Working from home has become the new normal for many businesses. But with staff out of the office, managing cyber security is even more challenging. 

A big cultural shift has taken place in the workplace in recent years: home working. While this was escalated by the pandemic, working from home has been gaining popularity among staff and employers for some time.

This workplace revolution has plenty of perks. Employees get a better work/life balance and there’s no daily commute. Employers have reduced office costs and happier staff. Plus, it’s good for the planet. But there are challenges.

One of the biggest issues facing businesses is cyber security. In this guide, we’ll look into some of the biggest cyber security threats with home and co-working. We'll also provide simple tips to help protect your business.

Why is it important to protect devices?

When employees are in the office, business leaders are in control. Leaders can take steps to protect IT networks. They can ensure software is up to date. When the office is locked at night, leaders know everything is safe. But with home working, this all changes.

Devices are much more likely to be breached at home. Since home connections are less secure, cyber criminals find it easier to hack into them. And once crooks gain access to devices, they can access your entire business network. This could lead to sensitive data being stolen among other things.

Steps to take to protect devices

While home working presents plenty of risks, these can be mitigated. By taking simple precautions, your staff can protect their devices – and your company.

Secure environment

Before we get to the technical stuff, it’s essential that employees secure their home or co-working environment. Here are some steps staff can take:  

Hide screens from view: Shield screens from passersby and people on neighbouring desks. This includes seeing through windows and doors.

Enable automatic locking: Staff should lock devices when not in use. In case they forget, automatic locking should be enabled. Devices should lock within five minutes.

Store devices safely: Employees should put devices somewhere safe at the end of the day. Ideally in a locked drawer. 

Clear procedure for reporting stolen devices: Make sure staff know what to do if their device is lost or stolen. This means who to report it to and how. Encourage a blame-free culture. The faster staff report an issue, the less likely a breach will occur. 

Strong passwords

Ensuring that staff use strong passwords is vital. Passwords should be at least 16 characters long. They should include letters, numbers, and symbols.

Avoid anything that’s easy to remember. This includes things like repeated numbers and patterns. Staff must not include anything that relates to them. This includes things like date of birth and address. Passwords should look random.

Two-Factor Authentication

Two-factor authentication means staff need two pieces of evidence to access your network.

A strong password is usually the first factor. Once the employee enters this, they receive a one-time code. This usually happens through a third-party app or text message. Access is only granted with the correct password and one-time code.

Two-factor authentication can reduce the risk of cyber-attacks. Even if criminals access a password, it can be much harder to get the one-time code.

That said, SMS is not a good choice for the second factor. Attackers have learned how to switch the phone number to another SIM card. Google Authenticator and Duo are popular apps for two-factor authentication.

Device encryption

Encryption is a great way to help protect devices. Device encryption is the process of scrambling data into an illegible code. This makes it unusable to anyone without a password or a recovery key. Most devices have an option to enable encryption.

Virtual Private Networks (VPNs)

VPNs help staff to access IT resources safely. VPNs confirm devices before granting access to your business network. They also encrypt data. This means data is scrambled so that third parties can't understand it.

Secure internet

One of the easiest ways for scammers to hack into a network is through unsecured WiFi. Staff should change their home WiFi password from the original one. WiFi passwords should be at least 25 characters long. They should include letters, numbers, and symbols. Passwords should appear random.
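The password rules from the "Strong passwords" section and the WiFi rule above, turned into a checker and a random generator. This is an added example, not part of the original article; the function names, the symbol set and the four-character thresholds for sequences and personal details are assumptions.

```python
import re
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # assumed symbol set
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def _normalise(text: str) -> str:
    """Lower-case and drop separators so '12/03/1985' matches '12031985'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1 or -1 (abcd, 4321)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(pw: str, min_length: int = 16, personal=()) -> list:
    """Return the rules the password breaks (empty list = acceptable)."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no numbers")
    if not any(not c.isalnum() for c in pw):
        problems.append("no symbols")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeated characters")
    if _has_sequence(pw):
        problems.append("sequential pattern")
    flat = _normalise(pw)
    if any(len(_normalise(p)) >= 4 and _normalise(p) in flat for p in personal):
        problems.append("contains personal detail")
    return problems


def generate_password(length: int = 16) -> str:
    """Draw from the OS CSPRNG until the result passes every rule above."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw, min_length=length):
            return pw
```

Call `generate_password(25)` for a WiFi password and `check_password(pw, min_length=25)` to apply the WiFi length rule.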

Removable media  

USB drives are easy to lose, which can be a problem if they contain sensitive data. USB drives can also introduce malware into your IT systems. Tracking which external drive caused the problem can be difficult. Here are some steps to reduce the chance of infection: 

  • Disable removable media

  • Only allow USB drives from your company

  • Encrypt USB drives

  • Encourage staff to share files in different ways. This could include websites like WeTransfer, Google Drive, or internal systems

Maintain devices

Well-maintained devices can offer the best protection. Here are some steps staff can take to help keep devices safe:

Ensure the operating system is up to date: Apply security patches as soon as possible. Automatic updates are the best way to achieve this.

Ensure software is up to date: Apply software updates as soon as possible, too. This includes applications such as web browsers. Software usually updates on its own. But staff should still check for updates.

Use antivirus software: This can help protect your device from viruses and other types of malware. Software like Norton is a popular choice.

Teach staff about online security

Cyber security training for staff is more important than ever. If your employees know what to look out for, they are less likely to fall victim to a scam. Google has compiled a useful guide on protecting devices from malware. Here are some top tips to stay safe:

  • Think twice before clicking links or downloading anything

  • Be careful about opening email attachments or images

  • Don't trust pop-up windows that ask you to download software

  • Limit your file sharing

Find My Device and Remote Wipe

Most devices have a feature which lets you identify their location by GPS. If a device is lost, this can help you find it. Remote Wipe is for worst case scenarios. If your laptop is stolen, this feature lets you wipe its contents remotely. Wiping a device can make it much harder for criminals to access data.

Separate work and personal devices

Employees should use work devices for work alone. Activities like social networking should be done on personal devices. Employees face the most risk of cyber-attack on personal tasks, such as online shopping or watching video content.

Bring Your Own Device (BYOD)

For some companies, it might not be possible to supply staff with devices. In this case, employees will be required to use personal devices for work. This practice is known as Bring Your Own Device (BYOD).

Security challenges include:

  • Making sure staff follow company rules

  • Making sure devices comply with company rules

  • Data protection

  • Making sure networks are safe

  • Staff privacy

  • Making sure staff and devices do not break the law

A BYOD scheme must work for your employees. If the system makes life difficult or leads to a poor work/life balance, staff might reject your approved approach. This could increase the security risk. Read the latest government advice on BYOD here.


This article was written and originally published by The Productivity Group (trading as Be the Business). Be the Business is an independent, not for profit organisation set up to help business owners and leaders improve the performance of their business. © Copyright 2021 The Productivity Group.  All rights reserved.
