Cybersecurity for remote workers is incredibly important given the prevalence of employees working from home.
Cyberattacks are a threat that employers must stay aware of and guard against continuously. We’ll explore why work-from-home arrangements widen your company’s attack surface and explain what you can do to prevent cyberattacks.
It doesn’t matter whether your company is large, mid-sized or small, and public or private sector – cybercriminals don’t discriminate.
In fact, smaller businesses are attractive to bad actors because they typically have lower IT budgets and weaker cybersecurity measures in place. Smaller businesses may spend less than $500 annually on cybersecurity, yet they appear to be the targets for nearly half of all cyberattacks.
The impact of cyberattacks on businesses can be widespread and devastating:
- Breach of sensitive personally identifiable data, which can lead to identity theft
- Disclosure of proprietary company information, such as intellectual property, which can harm a company’s competitive advantage
- Loss of confidential employee or client information
- Financial and legal penalties, if the company is found to have not properly protected certain data
- Damage to company devices and systems
- Harm to company brand
- Downtime and the associated loss in revenue
- High IT costs to fix issues and improve security measures going forward
11 remote work cybersecurity practices you can implement
1. Provide and only use company-issued devices and applications for work.
It’s extremely risky to allow employees to use their own devices or unapproved applications when working from home.
You may not know anything about – nor do you have any control over – the configuration of those operating systems, firewalls, anti-virus protections, software updates or authentication requirements.
It can be a risky proposition to allow personal devices to access your company network and resources. Do you want to put sensitive company data at risk of exposure if that device or application is compromised?
If your organization is unable to deploy company assets, your IT team should consider how they will evaluate personal devices before they can connect to your company network and resources.
If your employees are going to work from home, a better scenario is to provide them with a company-issued device that’s outfitted with all the necessary protections and vetted to company standards.
2. Physically secure the home workspace.
Chances are, an employee’s home is a more relaxed, casual environment than your office. That doesn’t mean employees can let down their guard: a lax home setup makes them an easier target, and attackers look for the easiest way in.
Protecting confidential company information is especially important during the wake of a natural disaster or global pandemic such as COVID-19, when entire families are at home together throughout the day and the new workspace may end up in a high-traffic area, such as a kitchen table or living room couch.
10 tips to help employees secure their home workspace
- Avoid using any personal devices for work if possible.
- Avoid using applications or external hardware that aren’t approved by the company (for example, iCloud, Google Drive or external drives for storing documents).
- Prohibit family members from using company-issued devices for personal purposes.
- If you have a dedicated home office, use it. Otherwise, try to set up your home workspace in a quiet, lower-traffic area that can be closed off and, preferably, locked.
- Enable the password-protected lock screen on your devices every time you step away, and store devices securely at the end of the workday – preferably in a place where they can be locked.
- Avoid leaving devices out in the open for prolonged periods or in a spot where they’re visible through a window – and therefore vulnerable to theft.
- Loose paperwork should be secured every time you step away. At the end of the day, lock paperwork in a safe place, such as a file cabinet.
- While videoconferencing, pay careful attention to what other attendees can see behind or around you. Make sure no sensitive work-related information is visible. This could include:
- Unrelated project or meeting notes
- Confidential client information
- Confidential employee information – for which the inadvertent disclosure could violate certain laws
- Be aware of voice-activated, digital home devices while working. These devices can accidentally record the audio of confidential work phone calls or videoconferences.
- Decide whether employees may print work-related documents at home at all. Paper records in a home office can create a retention problem or a data disclosure risk, and they need the same locked storage as the paperwork above.
3. Establish a secure connection to company systems.
To prevent outside parties from eavesdropping on their activity or stealing company data, your employees should use a secure, private Wi-Fi connection.
What does this mean?
- The Wi-Fi network should be password protected with WPA2 or WPA3 (never open, and never WEP), and you should know who runs it. Connecting to “Free Public Wi-Fi” is never a good idea.
- Passwords should be unique and not shared.
- Change the default password on every piece of technology, including the home router’s administrative login.
- Avoid unsecured, public Wi-Fi networks when working remotely but outside the home (for example, coffee shops).
Additionally, a crucial extra layer of security is to use a virtual private network (VPN).
A VPN provides a secure connection between your device and your company network, and all data transferred between those two points is encrypted. That encryption stops criminals on the local network, or anywhere on the path in between, from eavesdropping on authentication or on the data itself. It protects data in transit only: a device that is already compromised is not made safe by a VPN, which is why practices 1, 4 and 5 still matter.
An extra benefit of a VPN is continuity of operations. When employees log into the VPN, if configured correctly, they can access information and perform functions as they normally would in the office but from any location.
4. Ensure operating systems and all software, including anti-virus protection, are updated to the latest version.
Software has flaws from the day it ships; as attackers and researchers discover them, those flaws become vulnerabilities that can be exploited against anyone still running the old version. Updates, or patches, fix those vulnerabilities.
Organizations should keep company devices up to date on patches. A commonly used best practice: before a computer can access company systems, it must pass a posture (health) check confirming that the operating system, installed software and anti-virus definitions are current.
This check keeps high-risk devices from connecting to company systems.
Patches should come only from legitimate, approved sources. The least ambiguous approach is for your IT department to push updates centrally, through device-management tooling or the operating system’s built-in updater, so employees never have to judge a download for themselves. If you do point employees at a download, do it through a channel they expect from IT, not an unexpected email link.
Despite the more independent working environment at home, under no circumstances should employees search the internet for software themselves. Unapproved software or applications could contain viruses or other malicious code.
5. Don’t permit users to have administrative privileges.
Administrative rights need to be controlled. Users of company-issued devices – your employees – shouldn’t enjoy administrative privileges on those same devices.
In other words, they shouldn’t be able to download software or otherwise alter the operating system without the approval of you or your IT department.
This keeps company-issued devices in an approved configuration, and it means any malware that does land on the machine runs with a limited user’s rights rather than full control of the system. Software installation and updates should be initiated by IT.
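The posture check described in practice 4 (a device must pass a scan before it reaches company systems) is straightforward to sketch in code, and the same gate can enforce practices 1, 2, 5 and 7 at once. What follows is an added example, not code from the original article or from any product; the report fields, policy thresholds and minimum OS builds are assumptions chosen for illustration, and the three device reports are constructed.

```python
"""Device posture check run before a remote device may reach company systems.

Added example; not code from the original article. The report fields, policy
thresholds and minimum OS builds are assumptions chosen for illustration. A real
deployment would feed the same checks from an MDM/EDR agent or a conditional-access
product rather than a hand-built report.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed policy thresholds (illustrative).
MAX_PATCH_AGE_DAYS = 14           # practice 4: patches must be recent
MAX_AV_SIGNATURE_AGE_DAYS = 3     # practice 7: anti-virus definitions must be fresh
MIN_OS_BUILD = {"windows": 19045, "macos": 13}  # assumed minimum supported builds


@dataclass
class DeviceReport:
    """Posture report as a management agent might submit it (constructed fields)."""
    hostname: str
    os_name: str
    os_build: int
    last_patch_date: date
    av_enabled: bool
    av_signature_date: date
    user_is_admin: bool
    screen_lock_enabled: bool
    company_managed: bool


@dataclass
class Decision:
    allow: bool
    failures: list[str] = field(default_factory=list)


def evaluate_posture(report: DeviceReport, today: date) -> Decision:
    """Apply the article's device practices as hard gates; return allow/deny with reasons."""
    failures: list[str] = []
    if not report.company_managed:
        failures.append("device is not company-managed (practice 1)")
    min_build = MIN_OS_BUILD.get(report.os_name)
    if min_build is None:
        failures.append(f"unsupported operating system {report.os_name!r}")
    elif report.os_build < min_build:
        failures.append(f"{report.os_name} build {report.os_build} is below minimum {min_build}")
    if (today - report.last_patch_date).days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches older than {MAX_PATCH_AGE_DAYS} days (practice 4)")
    if not report.av_enabled:
        failures.append("anti-virus disabled (practice 7)")
    elif (today - report.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append("anti-virus signatures are stale (practice 7)")
    if report.user_is_admin:
        failures.append("user holds local administrator rights (practice 5)")
    if not report.screen_lock_enabled:
        failures.append("screen lock is not enforced (practice 2)")
    return Decision(allow=not failures, failures=failures)


# Constructed sample reports (not real devices).
TODAY = date(2024, 3, 1)
COMPLIANT = DeviceReport("wkst-017", "windows", 19045, date(2024, 2, 20),
                         True, date(2024, 2, 29), False, True, True)
NONCOMPLIANT = DeviceReport("mbp-home", "macos", 13, date(2024, 1, 5),
                            True, date(2024, 2, 20), True, True, True)
PERSONAL = DeviceReport("family-pc", "linux", 0, date(2024, 2, 28),
                        False, date(2024, 2, 28), True, False, False)

if __name__ == "__main__":
    for r in (COMPLIANT, NONCOMPLIANT, PERSONAL):
        d = evaluate_posture(r, TODAY)
        print(r.hostname, "ALLOW" if d.allow else "DENY", *d.failures, sep="\n  ")
```

The design point is that every check is a deny reason rather than a score: a device with stale patches and an admin user is told exactly which practice it violates, which is what the employee (and the help desk) needs in order to fix it before retrying the connection.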
6. Set up user authentication on devices.
Authentication should always be required to log in to company devices and to reach company networks; a username and password is the minimum, not the goal.
To avoid employees using passwords that can be easily compromised, set a standard for good password practice:
- A combination of upper- and lower-case letters
- Contain numbers
- Contain special characters
- A length of at least 10 characters; longer passphrases are stronger and easier to remember than short, complex strings
- Rotation whenever a compromise is known or suspected. Mandatory calendar-based rotation (for example, every 30 days) pushes users toward predictable variations of the same password and is no longer recommended by NIST (SP 800-63B).
- Passwords should be unique per account and never shared
Whenever possible, deploy multi-factor authentication for an added layer of security during login. Multi-factor means combining factors of different kinds: something you know (a password), something you have (a hardware token, an authenticator app, a digital certificate, a badge) and something you are (a fingerprint).
SMS one-time codes are popular with organizations because nearly everyone carries a phone. They are also the weakest common factor: a code can be intercepted through SIM swapping, or simply typed by the victim into a phishing page that relays it. Authenticator apps, certificates or hardware keys are better, but the most important thing is to have some second factor wherever possible.
For example, if your organization uses Google Workspace (formerly G Suite), ask your administrator to turn on 2-Step Verification (Google’s name for multi-factor) for every user. Without it, one phished password is enough for an attacker to log in as that user.
7. Beware of phishing scams and viruses.
A phishing attack is when a bad actor disguises themselves as a legitimate source to obtain sensitive data from your company and employees or infect your devices and systems with malware.
These attacks have become increasingly sophisticated.
Here are some tips for how your employees can avoid problems:
- Have a healthy skepticism about every email that enters your inbox.
- Watch out for email senders who use suspicious or misleading domain names, or unusual subject lines. If you’re suspicious about the sender, don’t open the email.
- Never open attachments or click on links in emails from senders you don’t recognize, and treat unexpected attachments or links from senders you do recognize with the same suspicion: attackers spoof or hijack familiar addresses.
- Report a suspicious email to your IT department – don’t respond to it.
- Reach out to your IT help desk with questions or concerns.
- Be very careful about entering passwords when an email directs you to a login page. Be confident you know the destination is legitimate.
- A padlock icon or https:// means only that the connection is encrypted; phishing sites routinely use valid certificates, so encryption says nothing about who runs the site.
- Pay careful attention to website links to confirm that you’re visiting the correct site. Cybercriminals subtly misspell domain names or swap in look-alike characters (rn for m, 1 for l) so the link is close enough to the site it imitates to fool you.
- Enable multi-factor authentication for every account login you can.
- Don’t follow links from within an email. Open your browser and enter the correct link to where you want to go. Don’t trust that the email is taking you to the correct destination.
- Some form of anti-virus software should always be activated.
- Purchased or free anti-virus software is acceptable.
- Don’t allow users to disable the software.
- Keep the software up to date, just as with patching. If your subscription has expired, obtain or renew it.
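The tips above about suspicious domain names and subtly misspelled links describe a check that a mail gateway or browser extension can make for the employee. The following is an added example, not code from the original article or any product: it classifies URLs as trusted, look-alike or unknown by comparing the host against an allow-list, undoing common character swaps, measuring edit distance and catching a trusted name planted inside someone else’s domain. The allow-list, the confusable table, the one-edit threshold and the sample URLs are all assumptions constructed for illustration.

```python
"""Flag URLs whose host imitates a trusted domain (look-alike and misspelled links).

Added example; not code from the original article. TRUSTED_HOSTS, the confusable
table, the one-edit threshold and the sample URLs are assumptions constructed for
illustration. The registrable-domain logic is deliberately naive (last two labels);
production code should use the Public Suffix List.
"""
from urllib.parse import urlsplit

# Assumed allow-list of the company's legitimate hostnames.
TRUSTED_HOSTS = {"example.com", "mail.example.com", "login.microsoftonline.com"}

# Substitutions attackers use to build look-alike names (illustrative subset).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels of the host."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def normalize(name: str) -> str:
    """Undo common look-alike substitutions so examp1e.com compares as example.com."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unknown", "URL has no host"
    # https://example.com@evil.net/ : everything before '@' is user-info, not the host.
    if "@" in parts.netloc:
        return "lookalike", f"user-info before '@' disguises the real host {host}"
    if host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS):
        return "trusted", "host is on the allow-list"
    # example.com.account-verify.net : trusted name used as a subdomain of another domain.
    for t in TRUSTED_HOSTS:
        if ("." + t + ".") in ("." + host):
            return "lookalike", f"'{t}' is a subdomain of {registrable(host)}, not the real site"
    reg = registrable(host)
    norm = normalize(reg)
    for t in {registrable(t) for t in TRUSTED_HOSTS}:
        dist = levenshtein(norm, t)
        if dist == 0 and norm != reg:
            return "lookalike", f"{reg} spells {t} with look-alike characters"
        if dist <= 1:
            return "lookalike", f"{reg} is within one edit of {t}"
    return "unknown", "not on the allow-list and no obvious imitation"


def scan(urls: list[str]) -> list[tuple[str, str, str]]:
    """Classify every URL; returns (url, verdict, reason) triples."""
    return [(u, *classify_url(u)) for u in urls]


# Constructed sample links, as they might appear in a phishing e-mail.
SAMPLE_URLS = [
    "https://mail.example.com/inbox",
    "https://examp1e.com/login",
    "http://exarnple.com/reset",
    "https://example.com.account-verify.net/",
    "https://exanple.com/update-password",
    "https://example.com@evil.net/",
    "https://news.ycombinator.com/",
]

if __name__ == "__main__":
    for url, verdict, reason in scan(SAMPLE_URLS):
        print(f"{verdict:9} {url}  ({reason})")
```

Two of the cases deserve a note. The user-info form (`https://example.com@evil.net/`) shows a trusted name in the address bar preview while the browser actually connects to the host after the `@`, which is why the check keys on the parsed hostname rather than on what the string looks like. And an “unknown” verdict is not a pass: it only means the link is not imitating one of your own domains, so the advice to type the address yourself still applies.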