Posted on Oct 8, 2020
Due to the COVID-19 pandemic, more companies are managing remote workforces than ever before. According to an IDG survey released in April, 78% of employees were working from home more than 60% of the time during the quarantine.
That trend is likely to continue. Although some workplaces are opening back up, many companies plan to keep their workforces remote for a while: research from Brandon Hall Group found that one-third of companies believe more than half of their workforce will continue to work from home even after the pandemic ends. Many companies are also deliberately hiring remote workforces, with the understanding that their newest hires will be working from home indefinitely.
While remote work is an important way to keep the workforce safe and healthy, it may pose a cyber risk for your organization. Ponemon’s latest Cost of a Data Breach report found that 76% of the companies with remote employees worried that remote work would increase the time to identify and contain a breach, while 70% believe remote work will increase the cost of a data breach.
Those concerns are reasonable. Remote employees increase an organization’s attack surface, are more difficult to monitor than those who work on-site, and, feeling secure at home, may cut corners when it comes to cybersecurity. So how do you keep your remote workforce safe from attack and your data secure?
When employees work from home, they tend to use their own devices. These devices tend to be less secure than those issued by a workplace: software may not be updated, security applications may not be updated (or even installed), and passwords may be weak. If possible, issue devices to your team that have been purchased by the workplace and are provisioned by your IT team. If that isn’t possible, however, ask IT to do what it can to tighten the security around each team member’s personal devices.
When you ask IT to make personal devices more secure, chances are that most IT departments will want to use RDP to get in, get the job done quickly, and get out. But although RDP sessions are a useful tool, they can be hijacked by bad actors, who scan the Internet seeking out open RDP ports. Consider enabling RDP only on the devices that need it, and tighten your own security by using strong passwords, multi-factor authentication, and account lockout policies.
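Lockout policies only help if someone is also watching the failed-logon stream for the pattern they are meant to stop. The following is an added example, not code from the original post or from SecurityScorecard: it parses a constructed, simplified one-line rendering of Windows Security events (Event ID 4625 = failed logon, 4624 = successful logon, Logon Type 10 = RemoteInteractive, i.e. RDP) and flags any source/account pair whose RDP failures exceed a threshold inside a sliding time window. The log format, IP addresses, user names and the threshold of 5 failures in 10 minutes are all assumptions chosen for the example; in practice the threshold should match the lockout policy you actually enforce, so that a pair still failing past it tells you the policy is not being applied to that host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). One event per line, in a
# simplified rendering of Windows Security events. LogonType 10 is RDP;
# LogonType 2 is a local interactive logon and is deliberately ignored here.
SAMPLE_LOG = """\
2020-10-08T02:14:01Z EventID=4625 LogonType=10 TargetUser=jsmith Source=203.0.113.7
2020-10-08T02:14:03Z EventID=4625 LogonType=10 TargetUser=jsmith Source=203.0.113.7
2020-10-08T02:14:05Z EventID=4625 LogonType=10 TargetUser=jsmith Source=203.0.113.7
2020-10-08T02:14:06Z EventID=4625 LogonType=10 TargetUser=jsmith Source=203.0.113.7
2020-10-08T02:14:08Z EventID=4625 LogonType=10 TargetUser=jsmith Source=203.0.113.7
2020-10-08T02:14:09Z EventID=4625 LogonType=10 TargetUser=jsmith Source=203.0.113.7
2020-10-08T09:01:10Z EventID=4625 LogonType=10 TargetUser=apatel Source=198.51.100.22
2020-10-08T09:01:40Z EventID=4624 LogonType=10 TargetUser=apatel Source=198.51.100.22
2020-10-08T09:05:00Z EventID=4625 LogonType=2 TargetUser=ljones Source=-
2020-10-08T09:05:02Z EventID=4625 LogonType=2 TargetUser=ljones Source=-
2020-10-08T09:05:04Z EventID=4625 LogonType=2 TargetUser=ljones Source=-
2020-10-08T09:05:06Z EventID=4625 LogonType=2 TargetUser=ljones Source=-
2020-10-08T09:05:08Z EventID=4625 LogonType=2 TargetUser=ljones Source=-
"""

# Matches the assumed one-line format above; lines that do not match are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) Source=(?P<src>\S+)$"
)

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625


def parse_events(text):
    """Turn the log text into a list of dicts with typed fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(m["event"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(source, user): peak_failures} for every source/account pair
    whose failed RDP logons reach `threshold` inside any `window`-long span."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event"] == FAILED_LOGON and ev["ltype"] == RDP_LOGON_TYPE:
            failures[(ev["src"], ev["user"])].append(ev["ts"])

    offenders = {}
    for key, stamps in failures.items():
        stamps.sort()
        start = 0
        peak = 0
        # Sliding window: advance `start` until the span fits in `window`,
        # then record the largest number of failures seen in one span.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[key] = peak
    return offenders


if __name__ == "__main__":
    for (src, user), n in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"RDP brute force suspected: {n} failures for {user} from {src}")
```

In the sample data only the `jsmith` account from `203.0.113.7` trips the rule; the single `apatel` failure followed by a success is normal user behaviour, and the `ljones` failures are local (Logon Type 2) and so are out of scope for an RDP rule. Keying on the source/account pair rather than on the account alone is a deliberate choice: it keeps a password-spray from one host visible even when each individual account stays under the lockout threshold.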
Your security team should be rethinking its management of your virtual private network; it’s probably not possible (or practical) to extend VPN connections to every employee, so think about which employees really need access to specific sensitive data in order to do their jobs. Such a reorganization of VPN connections will ensure that most employees only have access to the information they need. Should one team member suffer a breach, the attackers won’t be able to access all your sensitive information.
IT can’t come to everyone’s home and segment every employee’s router, so it’s important to educate your employees about network security in their own homes. Train your workers to set up their network so data is safe, creating one network for personal use, a second one for personal devices, and a third for work devices. By doing this, employees can prevent cybercriminals from reaching work devices by first compromising a family member’s device.
Even your most tech-averse employee has probably noticed that their apps aren’t secure. They may mention a product in conversation and then see an ad for it in their social media. Open mics and cameras can also offer bad actors a way into your data. Offer training to your team so that they can lock down their apps and the apps used by family members. Your security team should also take a hard look at your organization’s own applications: if one application gets hacked, is your entire network exposed? Consider using X.509 certificates and integrating them with a passwordless solution. Not only will an application-centric approach to security make your applications more secure, but it will also reduce your organization’s reliance on VPNs.
Your team may be tempted to store work data on their own devices at home, but due to the insecure nature of home wi-fi networks and personal devices, that should be discouraged. Keep your data stored in a secure cloud, or use applications that support a virtual desktop space for team members when they’re working. And of course, make sure that the cloud provider is secure and doesn’t have a history of breaches.
Usernames and passwords are hard to manage at the best of times. Now, when your workforce is working on whatever devices and apps are available to them at home, the username-password system is increasingly fraught (when you’re signing into a suite of tools, it’s hard to remember every unique, secure, 8-character password) and unreliable (what if someone is just using the same password over and over?). To manage this and make things simpler, use a single sign-on tool that allows users to easily and securely sign on to the apps they need for work.
What will you do if there’s a data breach? What happens if a worker’s physical device is stolen? Are backup systems in place to ensure productivity continues even if your systems and networks are breached? No one likes to consider that a breach might happen, but if one does, it’s best to have a plan.
Security is always everyone’s job, but if your team is remote, you must make sure that everyone on your team knows the basics of security. Training can help your workers spot phishing attempts, for example, and can also help your employees set up their devices so that they are as secure as possible.
Ponemon’s Cost of a Data Breach report recommends organizations tighten up security by using tools that offer security teams “deeper visibility into suspicious activity on the company and bring your own (BYO) laptops, desktops, tablets, mobile devices, and IoT, including endpoints the organization doesn’t have physical access to.”
SecurityScorecard’s risk ratings can help you monitor your own organization’s safety, as well as the safety of important third parties, such as cloud storage vendors. Our easy-to-understand security ratings continuously monitor your organization’s information security across 10 groups of risk factors, including endpoint security and application security. Our tools also allow you to monitor the cyberhealth of your vendors, so that you’ll be able to quickly investigate and respond if you or a vendor falls out of compliance.
By continuously monitoring your security, you’ll be able to better protect your remote team and your data.