Cybersecurity for remote workers: A business leader’s guide
When employees work from home, new security risks are introduced into your business. Here’s what you need to know about cybersecurity for remote workers.
Cybersecurity for remote workers is incredibly important given the prevalence of employees working from home.
Cyberattacks are a major threat for which employers need to maintain awareness and constantly be on guard. We’ll explore why work-from-home scenarios increase your company’s vulnerability and explain what you can do to prevent cyberattacks.
It doesn’t matter whether your company is large, mid-sized or small, and public or private sector – cybercriminals don’t discriminate.
In fact, smaller businesses are attractive to bad actors because they typically have lower IT budgets and weaker cybersecurity measures in place. Smaller businesses may spend less than $500 annually on cybersecurity, yet they appear to be the targets for nearly half of all cyberattacks.
The impact of cyberattacks on businesses can be widespread and devastating:
- Breach of sensitive personally identifiable data, which can lead to identity theft
- Disclosure of proprietary company information, such as intellectual property, which can harm a company’s competitive advantage
- Loss of confidential employee or client information
- Financial and legal penalties, if the company is found to have not properly protected certain data
- Damage to company devices and systems
- Harm to company brand
- Downtime and the associated loss in revenue
- High IT costs to fix issues and improve security measures going forward
11 remote work cybersecurity practices you can implement
1. Provide and only use company-issued devices and applications for work.
It’s extremely risky to allow employees to use their own devices or unapproved applications when working from home.
You may not know anything about – nor do you have any control over – the configuration of those operating systems, firewalls, anti-virus protections, software updates or authentication requirements.
It can be a risky proposition to allow personal devices to access your company network and resources. Do you want to put sensitive company data at risk of exposure if that device or application is compromised?
If your organization is unable to deploy company assets, your IT team should consider how they will evaluate personal devices before they can connect to your company network and resources.
If your employees are going to work from home, a better scenario is to provide them with a company-issued device that’s outfitted with all the necessary protections and vetted to company standards.
2. Physically secure the home workspace.
Chances are, an employee’s home is a more relaxed, casual environment than your office. That doesn’t mean that employees can let down their guard and become lax about security because that would make them especially vulnerable to cyberattacks and perceived as easy to exploit.
Protecting confidential company information is especially important in the wake of a natural disaster or global pandemic such as COVID-19, when entire families are at home together throughout the day and the new workspace may end up in a high-traffic area, such as a kitchen table or living room couch.
10 tips to help employees secure their home workspace
- Avoid using any personal devices for work if possible.
- Avoid using applications or external hardware that aren’t approved by the company (for example, iCloud, Google Drive or external drives for storing documents).
- Prohibit family members from using company-issued devices for personal purposes.
- If you have a dedicated home office, use it. Otherwise, try to set up your home workspace in a quiet, lower-traffic area that can be closed off and, preferably, locked.
- Enable the password-protected lock screen on your devices every time you step away, and store devices securely at the end of the workday – preferably in a place where they can be locked.
- Avoid leaving devices out in the open for prolonged periods or in a spot where they’re visible through a window – and therefore vulnerable to theft.
- Loose paperwork should be secured every time you step away. At the end of the day, lock paperwork in a safe place, such as a file cabinet.
- While videoconferencing, pay careful attention to what other attendees can see behind or around you. Make sure no sensitive work-related information is visible. This could include:
  - Schedules
  - Unrelated project or meeting notes
  - Confidential client information
  - Confidential employee information – for which the inadvertent disclosure could violate certain laws
- Be aware of voice-activated, digital home devices while working. These devices can accidentally record the audio of confidential work phone calls or videoconferences.
- You may also want to consider the ability for employees to print work-related documents at home. Paper records in a home office could cause a retention problem or data disclosure issue.
3. Establish a secure connection to company systems.
To prevent outside parties from eavesdropping on their activity or stealing company data, your employees should use a secure, private Wi-Fi connection.
What does this mean?
- The Wi-Fi network should be password protected and the provider of the Wi-Fi is known. Connecting to “Free Public Wi-Fi” is never a good idea.
- Passwords should be unique and not shared.
- Avoid using a default password on any technology.
- Avoid unsecured, public Wi-Fi networks when working remotely but outside the home (for example, coffee shops).
Additionally, a crucial extra layer of security is to use a virtual private network (VPN).
A VPN provides a secure connection between your device and your company network. All data transferred back and forth between these points is encrypted. The encryption provided by the VPN ensures that criminals can’t eavesdrop on authentication or the data being transferred between your device and your company resources.
An extra benefit of a VPN is continuity of operations. When employees log into the VPN, if configured correctly, they can access information and perform functions as they normally would in the office but from any location.
4. Ensure operating systems and all software, including anti-virus protection, are updated to the latest version.
Because the nature of cyberattacks is always shifting, operating systems and software become exposed to vulnerabilities as flaws are discovered by hackers. Updates, or patches, are designed to fix those vulnerabilities.
Organizations should keep company devices up to date on patches. A commonly used best practice: in order to access company systems, the computer must run a scan to ensure all software is up to date.
This technique keeps high-risk devices from connecting to company systems.
When it’s time to update your operating system or software, make sure employees download legitimate, approved patches. To remove any ambiguity, you or your IT department should send a direct link to download the patch.
Despite the more independent working environment at home, under no circumstances should employees scour the internet to identify software. Unapproved software or applications could contain viruses or other malicious code.
5. Don’t permit users to have administrative privileges.
Administrative rights need to be controlled. Users of company-issued devices – your employees – shouldn’t enjoy administrative privileges on those same devices.
In other words, they shouldn’t be able to download software or otherwise alter the operating system without the approval of you or your IT department.
This ensures that the company-issued devices operate in an approved fashion. Otherwise, your systems and devices could be vulnerable to viruses. Instead, all software updates should be initiated on your end.
6. Set up user authentication on devices.
Strong authentication, including a username and password, should always be required to log in to company devices and access company networks.
To avoid employees using passwords that can be easily compromised, set a standard for good password etiquette:
- A combination of upper- and lower-case letters
- Contain numbers
- Contain special characters
- A length of at least 10 characters
- A mandatory rotation of passwords after a set time period (example: 30 days)
- Passwords should be unique and complex and should not be shared
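The password standard above, turned into a check an IT team could run when a password is set. This is an added example, not code from the original article; the function and rule names are this example’s own, and the 30-day rotation period is the article’s example value.

```python
import hashlib
import re

# Policy values taken from the article's list. The 30-day period is the article's
# own example; the function and rule names are this example's, not a product API.
MIN_LENGTH = 10
ROTATION_DAYS = 30


def history_digest(password):
    """Digest stored for old passwords so reuse can be detected without keeping
    them in clear. SHA-256 keeps the example dependency-free; a real password
    store should use a salted, slow hash such as bcrypt or Argon2 instead."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_violations(password, previous_digests=(), days_since_change=None):
    """Return the names of the policy rules the password fails.

    An empty list means the password is compliant. previous_digests holds
    history_digest() values of the user's earlier passwords; days_since_change
    is the age of the current password, or None when rotation is not checked."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not re.search(r"[A-Z]", password):
        failures.append("uppercase")
    if not re.search(r"[a-z]", password):
        failures.append("lowercase")
    if not re.search(r"[0-9]", password):
        failures.append("digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("special")
    # "Unique": a password that appears in the user's own history is rejected.
    if history_digest(password) in previous_digests:
        failures.append("reused")
    # Mandatory rotation after the configured period.
    if days_since_change is not None and days_since_change > ROTATION_DAYS:
        failures.append("rotation_overdue")
    return failures


if __name__ == "__main__":
    # Constructed samples: the first is compliant, the others each break a rule.
    history = {history_digest("OldSecret#2019")}
    for candidate, age in [("Tr0ub4dor&3x!", 5), ("alllowercase1!", 5),
                           ("OldSecret#2019", 5), ("Tr0ub4dor&3x!", 45)]:
        print(candidate, age, password_violations(candidate, history, age))
```

Note that current NIST guidance (SP 800-63B) advises against forced periodic rotation unless compromise is suspected; the rotation check above implements the article’s rule as written.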
Whenever possible, deploy multi-factor authentication for an added layer of security during login. Multi-factor authentication is commonly described as combining something you know (a password) with something you have (a token, SMS PIN, digital certificate, fingerprint or badge).
SMS messages have become very popular with organizations because of the prevalence of cellphones. Other factors can be used, but the most important part is to have some form of multi-factor authentication wherever possible.
For example, if your organization uses Google’s G Suite, ask your administrator to turn on multi-factor verification to add an additional layer of security for users accessing your systems. Without multi-factor authentication, a user who has been phished will give an attacker access to your systems.
7. Beware of phishing scams and viruses.
A phishing attack is when a bad actor disguises themselves as a legitimate source to obtain sensitive data from your company and employees or infect your devices and systems with malware.
These attacks have become increasingly sophisticated.
Here are some tips for how your employees can avoid problems:
- Have a healthy skepticism about every email that enters your inbox.
- Watch out for email senders who use suspicious or misleading domain names, or unusual subject lines. If you’re suspicious about the sender, don’t open the email.
- Never open attachments or click on links embedded into emails from senders who you don’t recognize.
- Report a suspicious email to your IT department – don’t respond to it.
- Reach out to your IT help desk with questions or concerns.
- Be very careful about entering passwords when being directed by an email. Be confident you know the destination is legitimate.
Fake websites
- These sites may use HTTPS encryption purely to look legitimate; a padlock icon doesn’t mean the site is genuine.
- Pay careful attention to website links to confirm that you’re visiting the correct site. Cybercriminals will subtly misspell website links, so they’re close enough to the site they’re imitating to appear legitimate and fool you.
- Enable multi-factor authentication for every account login you can.
- Don’t follow links from within an email. Open your browser and enter the correct link to where you want to go. Don’t trust that the email is taking you to the correct destination.
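The “subtly misspelled link” warning above, as a detection an IT help desk could run over a reported email. This is an added example, not code from the original article; the trusted-domain list and the sample message are constructed for illustration, and the naive domain splitting is a stand-in for a Public Suffix List lookup.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist for this example: the domains this organization treats as
# legitimate. A real deployment would load it from configuration.
TRUSTED_DOMAINS = {"insperity.com", "example-bank.com"}

# Constructed sample message, not a real email.
SAMPLE_EMAIL = """Your payroll statement is ready.
Sign in at https://insperity.com.account-verify.example/login to view it,
or use the portal https://www.insperity.com/ as usual."""


def levenshtein(a, b):
    """Edit distance: the number of single-character changes turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a hostname. Naive on purpose: production code should
    consult the Public Suffix List so that names like example.co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_link(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unknown' for the host in a URL.
    The scheme is deliberately ignored: HTTPS on a fake site proves nothing."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        brand = good.split(".")[0]
        # Brand name buried in a longer hostname: insperity.com.account-verify.example
        if brand in host:
            return "lookalike"
        # Small spelling changes such as a swapped or substituted character
        if levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"


def scan_email(body):
    """Return (url, verdict) for every http(s) link found in the message body."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [(u, classify_link(u)) for u in urls]


if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:9} {url}")
```

A 'lookalike' verdict is a reason to hold the message for review, not proof of fraud: short brand names will occasionally match legitimate unrelated hostnames.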
Anti-virus software
- Some form of anti-virus software should always be activated.
- Purchased or free anti-virus software is acceptable.
- Don’t allow users to disable the software.
- Keep the software up to date – similar to patching. If your subscription has expired, obtain or renew your subscription.
8. Stop outsiders from crashing your videoconferences.
In addition to inadvertently exposing confidential information, other security concerns associated with videoconferencing include:
- Avoid downloading unapproved videoconferencing applications, which could be infected with viruses.
- Place controls that disallow cybercriminals access to your videoconferences to block their ability to eavesdrop or create mayhem.
Cybercriminal hacking into conferences has become a major problem, especially with the mass movement toward remote work because of the COVID-19 pandemic. As a result of this shift, videoconferencing platforms have become incredibly popular – and, with this rise in popularity, an escalation in criminal mischief.
Unwanted attendees often interrupt videoconferences for harmless, albeit annoying disruption, but occasionally it’s for the purposes of stealing information.
How you and your employees can avoid videoconference intruders:
- Don’t use the same personal meeting ID for all meetings. Instead, use a randomly generated meeting ID exclusive to each specific meeting.
- Enable a waiting-room feature when available, which will allow you to grant access to each participant.
- Require a meeting password.
- Once the meeting begins and all participants are present, lock the meeting to outsiders.
- Don’t publish the meeting ID on any public platform, such as on social media.
9. Have a disaster recovery plan
When employees work from home, you just don’t have the same level of control over the security of your devices as you do when they work in the office.
What will you do if any of these scenarios impacts your devices?
- A fire that destroys hardware, paper records or data backups
- Floods and other natural disasters
- Burglary
- Employee loses a device
- Damage associated with downloading a virus-affected application or resulting from other malicious activity by cybercriminals
- Some other type of preventable damage associated with the home environment (for example, someone spills their drink on a laptop or drops a device)
When any of these events happen, valuable company data can be exposed to outside parties or is lost. This is known as a technology disaster.
Some practices to include in a disaster-recovery plan:
- Create a system that will back up or sync data from remote users’ devices to a centralized repository such as a file server or collaboration site.
- If there’s no central repository, ask employees to regularly back up the content on their devices to company servers.
- Force data and content into a central repository that’s VPN accessible and/or cloud based.
- Don’t permit employees to save data to external drives, or even restrict where data can be stored on their company-issued devices.
- In the cases of misplacement or theft, consider implementing a functionality that can remotely wipe the device of all company data and software. Failure to follow this step may lead to a data disclosure and legal action.
- Have employees contact their IT helpdesk as soon as an issue occurs.
- Obtain cybersecurity insurance to mitigate the effects of a cyberattack on your company.
10. Have work-from-home and data-protection policies
These policies are important and offer valuable guidance to your employees. Clearly written security policies can reduce the risk and uncertainty during an emergency event.
The cybersecurity issues and prevention tips addressed in this blog could be formalized in a written work-from-home policy and data-protection policy. Both could be documented in your employee handbook.
11. Leverage IT expertise
Your company’s sensitive data and the integrity of your company’s IT infrastructure are at stake.
If you don’t have in-house IT resources continually managing this for you, you should strongly consider hiring an IT consultant to help optimize your cybersecurity efforts and promptly resolve attacks when they happen.
This is a highly technical, complex area that calls for the involvement of experts. And it’s a full-time job on its own to keep up with the latest cyberattack techniques and stay on top of cybercriminal efforts to infiltrate your company.
If your cybersecurity strategy is left to an unskilled resource, you will find that you have a poorly defended infrastructure. Seek out, when possible, a qualified cybersecurity resource to help build an in-depth defense.
The impact of the COVID-19 pandemic on cybersecurity
As a result of the COVID-19 pandemic and stay-at-home orders, many companies have shifted to fully remote operations. Unprecedented numbers of workers in the U.S. now telecommute from home. Because of this, companies rely heavily on the software, platforms and systems that enable working from home and communicating online.
The FBI’s Internet Crime Complaint Center (IC3) has issued a warning about an increase in cyberattacks that exploit this situation and the vulnerabilities in these systems.
The IC3 has reviewed thousands of complaints related to COVID-19 scams:
- Phishing campaigns against first responders
- Distributed denial-of-service attacks against government agencies
- Ransomware attacks targeting hospitals
- Fake COVID-19 websites that download viruses when accessed
- New business email compromise (BEC) scams, which direct people to visit unknown websites or install “free” software
Furthermore, the Internal Revenue Service (IRS) has alerted taxpayers to be on the lookout for a surge of phishing attempts via phone calls and emails. These fraudulent contacts will mention stimulus checks or stimulus payments. The goal of the scam is to collect sensitive information that can lead to tax-related fraud and identity theft.
If you are uncertain about any phone calls or emails you receive about this topic, report it to phishing@irs.gov.
Summing it all up
No business is immune from cyberattacks. If your employees are working from home, there may be new attacks and vulnerabilities for your business that you must consider.
But by adhering to the tips outlined here and educating your employees, you can reduce the risk to your remote workers’ efforts. As a result, you’re less likely to fall victim to bad actors and can significantly lessen the impact of cyberattacks.
To learn more about how you can anticipate and mitigate the business challenges associated with having a remote workforce, visit the ‘Take Care of Your Employees’ section of the Insperity COVID-19 Resource Center.