5 Ways the Shift to Remote Work Has Impacted Business Security
Even if your company promotes a remote-first work environment, your team needs to actively take steps to prepare for security risks related to COVID-19. Businesses can adapt to the new “normal” of remote work and respond to evolving threats. When regional lockdowns began and organizations prepared for employees to quarantine by working remotely, most companies had made little advance preparation for the change. Even with this work-from-home pivot, business security should remain a top priority.
Cyber criminals haven’t been idle: they are exploiting employees’ lax cyber security practices at home and producing new phishing scams. The Internet Crime Complaint Center at the FBI reported a 75% increase in daily digital crime since the start of lockdown. A main method of attack involves criminals impersonating real companies to convince people to divulge login credentials, passwords, or financial information. Some go as far as purporting to be from government or healthcare organizations with information about COVID-19.
Risks of remote work and ways to mitigate
Employees working at home may not know cyber security best practices, and their home networks may offer a reduced level of protection. Employees working from home or in new remote locations may use less secure passwords or be more likely to reply to a phishing email than they would be in the office, granting hackers easier access to their information.
In April, 1Password surveyed 1,000 desk-based knowledge workers in the United States (half of those surveyed were IT professionals) about the massive shift to remote work. About one-third of IT respondents said their companies have strengthened some security protocols, and a third said they have relaxed some. This raises an interesting question about the size of the firms they work for, as well as the security procedures they may have already had in place prior to the switch to remote work. That said, it’s been a big change for everyone.
Here are 5 old and familiar business security considerations companies need to address with employees working from home.
Phishing schemes
Whether pretending to be a coworker or client with a dupe email address or purporting to be a financial institution, hackers are exploiting employees by obtaining their log-in credentials through phishing attacks and asking for other private, personal information. Businesses may see an increased frequency in business email compromise claims, which can lead to data breaches, cybercrime losses, and ransomware attacks.
Tip: Flag suspicious emails. Remember that most legitimate companies will never ask for private information or passwords via email. If an employee receives a suspicious email, ask them to notify IT staff immediately. They should not click on any links, and they should verify the sender’s email address.
Use of personal devices on home networks
Many businesses provide company-issued devices to employees, but while they’re working from home, there’s an increased comfort level when it comes to personal phones, laptops, and tablets. Unfortunately, personal devices often lack the more robust security protocols built into many work devices. If a personal device is compromised, it can provide hackers with an open door into the company’s network and data, which can be accessed and exploited without IT even noticing.
Tip: Create a robust Bring Your Own Device (BYOD) policy and update security for internal devices. Company-provided devices are typically protected by internal safety measures, but with employees at home, they may not have their security updated. IT staff should have employees install the latest software on their personal devices to patch any bugs or software vulnerabilities that can be exploited by hackers.
Open networks and “free” Wi-Fi
Most remote workers are playing it safe by working in their home offices, but other employees may opt to venture out to public venues, such as a coffee shop or library. However, employees shouldn’t treat public spaces as secure environments. Remind workers that connections made to the business should be performed through a Virtual Private Network (VPN) to encrypt communications.
Tip: Stay aware of your surroundings. While employees may be exposed or electronically vulnerable on public networks, they should also be mindful of where they are. Screens are easily visible, and people may overhear sensitive information when an employee takes a conference call while out in public. Employees should exercise caution about what they expose or share inadvertently in public spaces.
Two-factor authentication and password management
Without regular security checks or reminders, employees may become lax when it comes to changing or choosing strong passwords. Companies may be utilizing extra software services to allow teams to work remotely and collaborate, creating a need for additional log-in credentials. And that’s when workers may start to repeat passwords to avoid remembering new ones, making company information more susceptible to a breach.
Tip: Use a password manager or single sign-on (SSO) software. A password manager service allows companies to share passwords and other important information securely while working remotely. Do not share passwords in plain text via email or save them openly on a cloud-based sharing site. When possible, use two-factor authentication to verify users and reduce vulnerabilities. Also, SSO software prevents employees from remaining logged into programs, which limits risk.
Risk management and cyber training
Without regular check-ins or training, employees’ knowledge of company cyber practices can lapse, especially while working from home. Additionally, despite the pandemic, many companies are still hiring and training new employees who are beginning work remotely. These new employees may have difficulty assessing the credibility of supposed company emails when they’re unfamiliar with colleagues’ names or roles in the company.
Tip: Create a cyber risk management training program. Once you’ve created a program for employees, keep them regularly updated and informed with monthly or quarterly training on potential security threats and best cyber practices. Develop a security handbook for employees to easily reference, if needed. Also consider the specific needs of individual teams or departments that may experience different security risks. For example, HR and finance typically have more access to personal employee data, and a sales team may have access to proprietary client data.
By addressing these five key considerations, businesses can effectively manage the cybersecurity risks associated with remote work and protect their sensitive data.