Cybersecurity for remote workers is incredibly important given the prevalence of employees working from home.
Cyberattacks are a major threat for which employers need to maintain awareness and constantly be on guard. We’ll explore why work-from-home scenarios enhance your company’s vulnerability and explain what you can do to prevent cyberattacks.
It doesn’t matter whether your company is large, mid-sized or small, and public or private sector – cybercriminals don’t discriminate.
In fact, smaller businesses are attractive to bad actors because they typically have lower IT budgets and weaker cybersecurity measures in place. Smaller businesses may spend less than $500 annually on cybersecurity, yet they appear to be the targets for nearly half of all cyberattacks.
The impact of cyberattacks on businesses can be widespread and devastating:
- Breach of sensitive personally identifiable data, which can lead to identity theft
- Disclosure of proprietary company information, such as intellectual property, which can harm a company’s competitive advantage
- Loss of confidential employee or client information
- Financial and legal penalties, if the company is found to have not properly protected certain data
- Damage to company devices and systems
- Harm to company brand
- Downtime and the associated loss in revenue
- High IT costs to fix issues and improve security measures going forward
11 remote work cybersecurity practices you can implement
1. Provide and only use company-issued devices and applications for work.
It’s extremely risky to allow employees to use their own devices or unapproved applications when working from home.
You may not know anything about – nor do you have any control over – the configuration of those operating systems, firewalls, anti-virus protections, software updates or authentication requirements.
It can be a risky proposition to allow personal devices to access your company network and resources. Do you want to put sensitive company data at risk of exposure if that device or application is compromised?
If your organization is unable to deploy company assets, your IT team should consider how they will evaluate personal devices before they can connect to your company network and resources.
If your employees are going to work from home, a better scenario is to provide them with a company-issued device that’s outfitted with all the necessary protections and vetted to company standards.
2. Physically secure the home workspace.
Chances are, an employee’s home is a more relaxed, casual environment than your office. That doesn’t mean that employees can let down their guard and become lax about security because that would make them especially vulnerable to cyberattacks and perceived as easy to exploit.
Protecting confidential company information is especially important during the wake of a natural disaster or global pandemic such as COVID-19, when entire families are at home together throughout the day and the new workspace may end up in a high-traffic area, such as a kitchen table or living room couch.
10 tips to help employees secure their home workspace
- Avoid using any personal devices for work if possible.
- Avoid using applications or external hardware that aren’t approved by the company (for example, iCloud, Google Drive or external drives for storing documents).
- Prohibit family members from using company-issued devices for personal purposes.
- If you have a dedicated home office, use it. Otherwise, try to set up your home workspace in a quiet, lower-traffic area that can be closed off and, preferably, locked.
- Enable the password-protected lock screen on your devices every time you step away, and store devices securely at the end of the workday – preferably in a place where they can be locked.
- Avoid leaving devices out in the open for prolonged periods or in a spot where they’re visible through a window – and therefore vulnerable to theft.
- Loose paperwork should be secured every time you step away. At the end of the day, lock paperwork in a safe place, such as a file cabinet.
- While videoconferencing, pay careful attention to what other attendees can see behind or around you. Make sure no sensitive work-related information is visible. This could include:
  - Unrelated project or meeting notes
  - Confidential client information
  - Confidential employee information – for which the inadvertent disclosure could violate certain laws
- Be aware of voice-activated, digital home devices while working. These devices can accidentally record the audio of confidential work phone calls or videoconferences.
- Consider whether employees should be able to print work-related documents at home. Paper records in a home office could cause a retention problem or a data disclosure issue.
3. Establish a secure connection to company systems.
To prevent outside parties from eavesdropping on their activity or stealing company data, your employees should use a secure, private Wi-Fi connection.
What does this mean?
- The Wi-Fi network should be password protected, and its provider should be known. Connecting to “Free Public Wi-Fi” is never a good idea.
- Passwords should be unique and not shared.
- Avoid using a default password on any technology.
- Avoid unsecured, public Wi-Fi networks when working remotely but outside the home (for example, coffee shops).
Additionally, a crucial extra layer of security is to use a virtual private network (VPN).
A VPN provides a secure connection between your device and your company network. All data transferred back and forth between these points is encrypted. The encryption provided by the VPN ensures that criminals can’t eavesdrop on authentication or the data being transferred between your device and your company resources.
An extra benefit of a VPN is continuity of operations. When employees log into the VPN, if configured correctly, they can access information and perform functions as they normally would in the office but from any location.
4. Ensure operating systems and all software, including anti-virus protection, are updated to the latest version.
Because the nature of cyberattacks is always shifting, operating systems and software become exposed to vulnerabilities as flaws are discovered by hackers. Updates, or patches, are designed to fix those vulnerabilities.
Organizations should keep company devices up to date on patches. A commonly used best practice: in order to access company systems, the computer must run a scan to ensure all software is up to date.
This technique keeps high-risk devices from connecting to company systems.
When it’s time to update your operating system or software, make sure employees download legitimate, approved patches. To remove any ambiguity, you or your IT department should send a direct link to download the patch.
Despite the more independent working environment at home, under no circumstances should employees scour the internet to identify software. Unapproved software or applications could contain viruses or other malicious code.
5. Don’t permit users to have administrative privileges.
Administrative rights need to be controlled. Users of company-issued devices – your employees – shouldn’t enjoy administrative privileges on those same devices.
In other words, they shouldn’t be able to download software or otherwise alter the operating system without the approval of you or your IT department.
This ensures that company-issued devices operate in an approved fashion. Otherwise, your systems and devices could be vulnerable to viruses. Instead, all software updates should be initiated on your end.
6. Set up user authentication on devices.
Strong authentication, including a username and password, should always be required to log in to company devices and access company networks.
To avoid employees using passwords that can be easily compromised, set a standard for good password etiquette:
- Contain a combination of upper- and lower-case letters
- Contain numbers
- Contain special characters
- Have a length of at least 10 characters
- Be rotated after a set time period (example: 30 days)
- Be unique and complex, and never shared
Whenever possible, deploy multi-factor authentication for an added layer of security during login. Multi-factor authentication is commonly described as combining something you know (a password) with something you have (a token, SMS PIN, digital certificate or badge) or something you are (a fingerprint).
SMS codes have become very popular with organizations because nearly everyone carries a cellphone. Other factors can be used, but the most important part is to have some form of multi-factor authentication whenever possible.
For example, if your organization uses Google’s G Suite, ask your administrator to turn on multi-factor verification to add an additional layer of security for users accessing your systems. Without a second factor, the credentials of a single phished user are enough to let an attacker into your systems.
7. Beware of phishing scams and viruses.
A phishing attack is when a bad actor disguises themselves as a legitimate source to obtain sensitive data from your company and employees or infect your devices and systems with malware.
These attacks have become increasingly sophisticated.
Here are some tips for how your employees can avoid problems:
- Have a healthy skepticism about every email that enters your inbox.
- Watch out for email senders who use suspicious or misleading domain names, or unusual subject lines. If you’re suspicious about the sender, don’t open the email.
- Never open attachments or click on links embedded into emails from senders who you don’t recognize.
- Report a suspicious email to your IT department – don’t respond to it.
- Reach out to your IT help desk with questions or concerns.
- Be very careful about entering passwords when being directed by an email. Be confident you know the destination is legitimate.
- Fraudulent sites may use encryption (HTTPS) to enhance the appearance of legitimacy; a padlock icon alone does not prove a site is genuine.
- Pay careful attention to website links to confirm that you’re visiting the correct site. Cybercriminals will subtly misspell website links, so they’re close enough to the site they’re imitating to appear legitimate and fool you.
- Enable multi-factor authentication for every account login you can.
- Don’t follow links from within an email. Open your browser and enter the correct link to where you want to go. Don’t trust that the email is taking you to the correct destination.
- Some form of anti-virus software should always be activated.
- Purchased or free anti-virus software is acceptable.
- Don’t allow users to disable the software.
- Keep the software up to date – similar to patching. If your subscription has expired, obtain or renew your subscription.
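The misspelled-link tip above can be turned into a simple check a help desk or mail filter can run over the links in a reported email. This is an added example, not code from the original post: the trusted domain and the sample URLs are constructed, and the registrable-domain logic is a deliberate simplification.

```python
"""Flag look-alike domains in email links (added example; constructed data)."""
from urllib.parse import urlparse

# Constructed allowlist of the company's real registrable domains.
TRUSTED_DOMAINS = {"example-corp.com"}

# Single-character substitutions attackers commonly use to imitate a name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(host: str) -> str:
    """Lower-case and fold common look-alike substitutions (digits, 'rn' for 'm', 'vv' for 'w')."""
    host = host.lower().translate(HOMOGLYPHS)
    return host.replace("rn", "m").replace("vv", "w")


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels. Ignores multi-part suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small non-zero value between a link and a trusted name suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host of a URL."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    if registrable(host) in TRUSTED_DOMAINS:
        return "trusted"
    folded = registrable(normalize(host))
    for trusted in TRUSTED_DOMAINS:
        # Exact match after folding, a near miss, or the real name buried as a subdomain.
        if folded == trusted or levenshtein(folded, trusted) <= max_distance or trusted in host:
            return "lookalike"
    return "unknown"


def triage(urls):
    """Pair each link with its verdict so the suspicious ones can be reviewed first."""
    return [(u, classify_link(u)) for u in urls]
```

Tune `max_distance` to the length of your own domains; very short names need a lower threshold to avoid flagging unrelated sites.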
8. Stop outsiders from crashing your videoconferences.
In addition to guarding against inadvertently exposing confidential information, take these precautions with videoconferencing:
- Avoid downloading unapproved videoconferencing applications, which could be infected with viruses.
- Put controls in place that deny cybercriminals access to your videoconferences, so they cannot eavesdrop or create mayhem.
Cybercriminals breaking into conferences has become a major problem, especially with the mass movement toward remote work because of the COVID-19 pandemic. As a result of this shift, videoconferencing platforms have become incredibly popular – and, with this rise in popularity, criminal mischief has escalated.
Unwanted attendees often interrupt videoconferences for harmless, albeit annoying, disruption, but occasionally the purpose is to steal information.
How you and your employees can avoid videoconference intruders:
- Don’t use the same personal meeting ID for all meetings. Instead, use a randomly generated meeting ID exclusive to each specific meeting.
- Enable a waiting-room feature when available, which will allow you to grant access to each participant.
- Require a meeting password.
- Once the meeting begins and all participants are present, lock the meeting to outsiders.
- Don’t publish the meeting ID on any public platform, such as on social media.
9. Have a disaster recovery plan
When employees work from home, you just don’t have the same level of control over the security of your devices as you do when they work in the office.
What will you do if any of these scenarios impacts your devices?
- A fire that destroys hardware, paper records or data backups
- Floods and other natural disasters
- An employee loses a device
- Damage associated with downloading a virus-affected application or resulting from other malicious activity by cybercriminals
- Some other type of preventable damage associated with the home environment (for example, someone spills their drink on a laptop or drops a device)
When any of these events happens, valuable company data can be exposed to outside parties or lost. This is known as a technology disaster.
Some practices to include in a disaster-recovery plan:
- Create a system that will back up or sync data from remote users’ devices to a centralized repository, such as a file server or collaboration site.
- If there’s no central repository, ask employees to regularly back up the content on their devices to company servers.
- Force data and content into a central repository that’s VPN accessible and/or cloud based.
- Don’t permit employees to save data to external drives, and consider restricting where data can be stored on their company-issued devices.
- In cases of misplacement or theft, consider implementing functionality that can remotely wipe the device of all company data and software. Failure to take this step may lead to a data disclosure and legal action.
- Have employees contact their IT helpdesk as soon as an issue occurs.
- Obtain cybersecurity insurance to mitigate the effects of a cyberattack on your company.
10. Have work-from-home and data-protection policies
These policies are important and offer valuable guidance to your employees. Clearly written security policies can reduce the risk and uncertainty during an emergency event.
The cybersecurity issues and prevention tips addressed in this blog could be formalized in a written work-from-home policy and data-protection policy. Both could be documented in your employee handbook.
11. Leverage IT expertise
Your company’s sensitive data and the integrity of your company’s IT infrastructure are at stake.
If you don’t have in-house IT resources continually managing this for you, you should strongly consider hiring an IT consultant to help optimize your cybersecurity efforts and promptly resolve attacks when they happen.
This is a highly technical, complex area that calls for the involvement of experts. And it’s a full-time job on its own to keep up with the latest cyberattack techniques and stay on top of cybercriminal efforts to infiltrate your company.
If your cybersecurity strategy is left to an unskilled resource, you will find that you have a poorly defended infrastructure. Seek out, when possible, a qualified cybersecurity resource to help build an in-depth defense.
The impact of the COVID-19 pandemic on cybersecurity
As a result of the COVID-19 pandemic and stay-at-home orders, many companies have shifted to fully remote operations. Unprecedented numbers of workers in the U.S. now telecommute from home. Because of this, companies rely heavily on the software, platforms and systems that enable working from home and communicating online.
The FBI’s Internet Crime Complaint Center (IC3) has reviewed thousands of complaints related to COVID-19 scams:
- Phishing campaigns against first responders
- Distributed denial-of-service attacks against government agencies
- Ransomware attacks targeting hospitals
- Fake COVID-19 websites that download viruses when accessed
- New business email compromise (BEC) scams, which direct people to visit unknown websites or install “free” software
Furthermore, the Internal Revenue Service (IRS) has alerted taxpayers to be on the lookout for a surge of phishing attempts via phone calls and emails. These fraudulent contacts will mention stimulus checks or stimulus payments. The goal of the scam is to collect sensitive information that can lead to tax-related fraud and identity theft.
If you are uncertain about any phone calls or emails you receive about this topic, report it to firstname.lastname@example.org.
Summing it all up
No business is immune from cyberattacks. If your employees are working from home, there may be new attacks and vulnerabilities for your business that you must consider.
But by adhering to the tips outlined here and educating your employees, you can reduce the risk to your remote workers’ efforts. As a result, you’re less likely to fall victim to bad actors and can significantly lessen the impact of cyberattacks.
To learn more about how you can anticipate and mitigate the business challenges associated with having a remote workforce, visit the ‘Take Care of Your Employees’ section of the Insperity COVID-19 Resource Center.