Working from home became far more prevalent because of the pandemic. Although many employees have returned to the office, either full- or part-time, many workers still work exclusively from home.
Unfortunately, many companies haven’t secured the computers and internet connections of their remote workers. If you haven’t already developed protocols, now is the time. (If you haven’t done the same for your office, now is definitely the time.)
To make sure your data is as safe and secure as possible, use these seven security recommendations as a guide.
- Make sure you have adequate cyber liability insurance coverage.
- Invest in cybersecurity training.
- Implement a VPN (Virtual Private Network) for remote access use.
- Regularly review and audit data access policies and procedures.
- Use a password manager to store and share passwords.
- Don’t forget to secure access for mobile devices.
- Give remote employees incentives to create a dedicated home office space.
1. Make sure you have adequate cyber liability insurance coverage.
This applies to your office employees as well as remote workers. Every business is doing work online, especially with employees working from home. So having solid cyber liability insurance is an absolute must.
A lot of insurance companies offer cybersecurity or data breach insurance, sometimes as an add-on to your business insurance policy. If that’s the case, make sure you understand the coverage thoroughly, as it may not be enough, especially for businesses with complex requirements.
Potential coverages include:
- Litigation/regulatory expenses
- Business interruption
- Extortion
- Investigation
- Crisis management expense
Most insurance companies also have resources available as part of the coverage to help you recover from the aftermath of a data breach.
2. Invest in cybersecurity training.
A joint study by Stanford University and security firm Tessian found that 88% of data breaches are caused by employee mistakes. Research done by IBM Security discovered employees were responsible for 95% of data breaches. Either way, the number is incredibly high…and frightening.
While there are some employees who act maliciously or willfully ignore cybersecurity protocols, most of the problem is due to employee mistakes. That’s why cybersecurity training — and retraining — is incredibly important.
Training will make your workforce more aware of internal and external security threats, both unintentional and intentional, and better able to respond to them appropriately.
For example:
- Unintentional data sharing, such as sending an email and/or attachment to the wrong party.
- Lost or stolen devices that expose sensitive company data.
- Sending sensitive data over unsecured channels, such as a regular email chain.
But how do employees fall victim to intentional threats from malicious actors and hackers? The most common causes are phishing and social engineering schemes designed to trick your employees into giving up sensitive information. These often arrive as emails, text messages, or phone calls that look and sound exactly like legitimate communications. Employees then click on links or provide information that allows criminals to access data or plant malware to hold the organization hostage.
Remote employees may be even more vulnerable because they may not have the same familiarity with their co-workers and may only communicate electronically. Someone impersonating a colleague could find an easy audience with remote workers who don’t know their colleagues well.
This is why you must talk about cybersecurity with your entire workforce, especially remote workers. Train them, and then retrain them periodically: some information will need updating, and repetition reinforces the protocols.
Make sure all employees understand how key leaders communicate, including their style. This could help limit the possible success of phishing attempts that try to impersonate key personnel.
Where do you find cybersecurity training? The US government has cybersecurity training materials and information available at cisa.gov/cybersecurity-training-exercises.
And there are companies that provide cybersecurity training modules and certifications. It’s well worth the effort to find one that suits your needs.
3. Implement a VPN (Virtual Private Network) for remote access use.
A VPN creates a safe, encrypted “tunnel” for your data to travel through between your remote workers’ computers and the company network.
A properly configured VPN will protect data anywhere your employees are connected to the Internet — office, home, or wherever Wi-Fi can be accessed. This goes a long way towards protecting company data even when your remote employees are working from home on their personal network.
Most personal home networks are not set up with the same level of stringent security measures as business networks, so the VPN helps to fill those gaps. For example, many people don’t change the default settings of their router, including the password to it. A VPN will help protect data even if every other security measure is lacking.
Another potential problem is that consumer-grade electronics don’t have the same security capabilities as those created for business use. They also don’t receive regularly maintained firmware updates, which help address security vulnerabilities.
If your policy doesn’t allow employees to work remotely on public networks, is it enforceable? Your business’s private data could still be exposed on a public network by even one rogue employee, or by a cyber-criminal. A VPN could protect you.
If your policy is to allow employees to work remotely on public networks, a VPN is a must. Otherwise, you’re opening your business to significant risks.
4. Regularly review and audit data access policies and procedures.
Creating policies and procedures for cybersecurity is the first step. You’ll need to communicate them to your office and remote employees, and review them on a regular basis to make sure they’re still applicable and effective.
Here are the basic items you should include in a policy and procedure document:
- Have strong password complexity requirements, complete with special characters, numbers and letters.
- Audit user lists to see who has access to any of your systems and data.
- Immediately remove former employees.
- Limit access to an “as needed” basis by instituting role-based access controls.
- Don’t give remote workers more access than they need just to make access easier.
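As an added illustration of the audit items above (this is not code from the original article), the following Python script compares a constructed access export against an HR roster and a role-based baseline, and reports accounts belonging to former employees and grants that exceed what a user’s role entitles them to; all names, roles and systems are constructed sample data:

```python
"""Access audit: check a system's access list against the HR roster and a
role-based baseline. Flags former-employee accounts (remove immediately) and
users holding access beyond their role (revoke the extra grants).
All data below is constructed sample input, not from any real system."""
from dataclasses import dataclass, field

# Role-based baseline: which systems each role is entitled to (constructed).
ROLE_BASELINE = {
    "sales": {"crm"},
    "finance": {"erp", "payroll"},
    "it": {"erp", "crm", "payroll", "admin-console"},
}

# HR roster of *current* employees: username -> role (constructed).
HR_ROSTER = {"alice": "finance", "bob": "sales", "carol": "it"}

# What the systems actually grant today (constructed sample export).
ACCESS_EXPORT = {
    "alice": {"erp", "payroll"},
    "bob": {"crm", "payroll"},  # remote sales rep who was given payroll access
    "carol": {"erp", "crm", "payroll", "admin-console"},
    "dave": {"crm", "erp"},  # no longer on the HR roster
}


@dataclass
class AuditFindings:
    former_employees: set = field(default_factory=set)
    excess_access: dict = field(default_factory=dict)  # user -> extra systems
    unknown_roles: set = field(default_factory=set)


def audit_access(access, roster, baseline):
    """Return the accounts to remove and the grants to revoke."""
    findings = AuditFindings()
    for user, systems in access.items():
        role = roster.get(user)
        if role is None:
            # Account exists but HR no longer lists the person: remove it.
            findings.former_employees.add(user)
            continue
        if role not in baseline:
            # Role has no defined entitlement; needs a human decision.
            findings.unknown_roles.add(user)
            continue
        extra = systems - baseline[role]
        if extra:
            findings.excess_access[user] = extra
    return findings


if __name__ == "__main__":
    f = audit_access(ACCESS_EXPORT, HR_ROSTER, ROLE_BASELINE)
    print("Remove accounts:", sorted(f.former_employees))
    for user, extra in sorted(f.excess_access.items()):
        print(f"Revoke from {user}: {sorted(extra)}")
```

Run it against a real export by replacing the constructed dictionaries with data from your identity system and HR roster; the audit logic itself does not change.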
If you own your servers, do you have qualified technology professionals on staff or as part of a managed service provider (MSP) to maintain those servers and their security? If you have an MSP, make sure they are up to security standards and have a strong reputation.
Be sure you have a well-defined remote access policy and that it is well communicated to your staff. Items to consider include:
- Where will you allow your data to be accessed? Only on private networks (remote employee home networks or your business office network) or are you going to allow access on public networks (coffee shops, libraries, etc.) as well?
- What devices will you allow your data to be accessed on? If all devices are company managed, that makes it much easier to control the security protocols in place on those devices.
If you allow remote staff to access data via personal devices (personal computers or, even worse, cell phones), additional security measures are strongly advised.
Personal devices should have requirements for basic security measures to be in place, including anti-virus software, password requirements, and more.
Consider adding multi-factor authentication for your systems, which adds an extra layer to the login process. Requiring a code in addition to the password is a potentially critical step if you are going to allow personal devices to access your data.
Do you have consequences in place for non-compliance to your data policies? Have those been defined, communicated and enforced? A policy won’t be effective if you’re not willing to stand behind it and enforce it.