Hybrid and remote work arrangements remain popular. Companies of all sizes are allowing work-from-anywhere options as they fine-tune ways for employees to be happy and productive. One major downside, however, is that working remotely can increase the risk of cyberattacks, particularly for small businesses. To minimize risk and keep your company’s assets safe, follow a three-point plan to create a cybersecurity strategy for hybrid and remote workers.
Addressing the risks
Small businesses are at particularly high risk of cyberattacks. Enabling work-from-anywhere employees to access company files remotely only adds to the risk. That’s why it’s imperative to create an effective cybersecurity strategy. Here are three steps to take: First, create or update your security policy and practices. Your policy should include protocols for the use of company computers and other devices and how they are allowed to access company data. Second, provide regular and frequent training to help employees (1) learn to recognize and avoid cyberattacks and (2) follow security protocols while still working efficiently. Third, make sure you have the right cyber insurance coverage to protect personal information, company data and other assets.
First: Create or update your security policy and practices to include hybrid and remote workers
What is your company’s policy for accessing and sharing files and using your email system? If you don’t have a policy, it’s time to get started on one. Your policy should include two main efforts: managing employee devices and controlling access to company systems and data.
Managing employee devices
Secure devices — The safest way to operate is to issue company computers and devices to all employees, whether they are remote, hybrid or in-office workers. Allowing a “bring your own device” (BYOD) work culture puts your company at greater risk of cyberattack. The reason is that people’s personal devices are much more vulnerable to online threats because they are not being monitored by the company’s IT service provider and they don’t have the company’s security software and protocols in place. It is neither practical nor in the company’s interest to have the information technology department or provider support people’s personal devices. Additionally, any security efforts enacted could be easily or accidentally undone by the employee.
Company-owned devices can be set up properly by the IT provider with all the best security practices and then monitored to verify continued compliance by hybrid and remote workers.
All devices need to follow best practices for security. That means enabling automatic software updates, enabling full-disk encryption, installing reputable antivirus and web-content filtering software, enabling the built-in firewall, requiring a password or PIN with a short auto-lock timeout on every device, and keeping backups that a compromised laptop cannot reach. Enlist the help of an IT service provider to make all of this happen and to confirm, on a schedule, that the settings are still in place.
Secure networks — Do you allow employees to work from anywhere, such as a local café or other public spaces? If so, the safest practice is to direct employees not to use public Wi-Fi. Employees should only use trusted, secure, nonpublic networks. On public Wi-Fi, every other device on the network can see the employee's computer and, unless the traffic is encrypted, the data it sends. One way to make public Wi-Fi safer is to have employees connect through a virtual private network (VPN) service so their traffic is encrypted before it leaves the laptop. Another option is for workers to use their mobile phone as a hotspot. Your IT professional can address these and other options to help employees access company systems securely.
Controlling access to company systems and data
Working in the cloud — IT service providers generally agree that working in the cloud — accessing apps, files and email via a secure online portal, rather than connecting to systems back at the office — is the safest strategy to keep company data safe. Using a webmail portal to manage your inbox, sharing documents through encrypted cloud-based tools such as Microsoft SharePoint, and using web-based applications are the most secure ways to implement work-from-anywhere. Malware on an employee's computer cannot infect the web portal itself, but it can still steal the employee's login session or upload infected files, so device security and multifactor authentication still matter even for cloud-only setups.
VPNs — If data and apps are not in the cloud but are instead stored on company servers at the office, a VPN can allow remote access. The problem here is that while VPNs create an encrypted connection, they also make the remote computer part of the office network. If that computer becomes infected or is hijacked by ransomware, the infection can spread across the company's network, with devastating effects. Limit the damage by restricting which internal servers VPN users can reach, and by allowing only company-managed, patched devices to connect.
Secure passwords, multifactor authentication and levels of access — Whether connecting to a web portal, using a VPN, or accessing email, strong, unique passwords should always be required. Multifactor authentication should be implemented on top of them. An authenticator app or a hardware security key is the better choice; SMS codes (a text to your phone) can be intercepted through SIM-swap and phone-number-porting scams, although SMS is still far better than a password alone. Additionally, employees should only be granted access to the information and systems they really need to perform their job. Consult with your IT professional on how to grant specific levels of access.
Second: Provide frequent employee training
The second key to protecting your company from cyber threats is to provide regular and frequent training for hybrid and remote workers (and all employees!) on secure practices.
Outsmarting scammers — A top priority is identifying phishing attacks, which remain one of the most common ways attackers get into a business. Employees need training to recognize and avoid becoming ensnared by these attacks, whether it's clicking on links or files in uninvited emails or falling for phone scams from imposters prompting employees to give up sensitive company information or log in to bogus websites. Likewise, training should include learning to recognize and avoid ransomware attacks. The threats are always evolving. That's why regular training is necessary. Get your training program started with the Federal Trade Commission's free cybersecurity quizzes. Your IT provider can help.
Following security protocols — Having lax security protocols is also a significant threat. So-called insider threats rarely come from disgruntled employees. In reality, the more probable risk is simply carelessness — including leaving laptops unattended in public spaces, allowing family members and others to use work computers and devices, and using unsecured public networks to do company business (as explained above). Your IT security policy should address each of these areas and more. Provide the device setup and training employees need to work securely both in the office and remotely. Add the practice of requiring regular device checkups, including employee retraining as needed.
Finally, be sure security protocols are not too burdensome. Employees need training on how to access devices quickly and safely. Keep the process as streamlined as possible and communicate the risks (and possible consequences) of not following the protocol.
Third: Get the right insurance coverage
A variety of cyber insurance options exist, based on your company's needs. Coverage generally is designed to help you prevent, and recover after, a data breach and can include liability protection for a variety of cyberattack scenarios. Call your Bradish agent for help determining your company's risks and needs.
Options break down into four basic types of coverage, as outlined by Hanover Insurance:
- Data security — covering the personal information of employees and customers as well as sensitive data, plans, trade secrets, and financial information about your business.
- Networks and devices — protecting IT infrastructure (network, servers and systems); computers and mobile devices such as tablets and cellphones; manufacturing tech and systems; payment card systems (such as mobile card readers); and other internet-connected tools and devices.
- Network access — covering unauthorized access resulting from careless or disgruntled employees or phishing scams.
- Third-party organizations — providing liability protection for businesses such as IT service providers, which have access to the data or systems of other companies or organizations.
If your company allows employees to work off-site at least part of the time, it's time to revisit your IT security policy and practices. Consult with your IT service provider to make sure your protocols are up to snuff. Be sure to include regular training in your toolbox. Your employees are the front line of defense against hackers and scammers. Finally, securing the most effective insurance coverage for your employees, data and systems completes a strong cybersecurity plan. It's the right move to ensure you are doing all you can to protect your employees, your customers and your company's assets.
by Kris A. Mainellis