Cybersecurity for remote workers: A Practical Guide for Small Businesses

 

Do you have a hybrid workforce? These days almost every business can answer in the affirmative. Unfortunately, the same goes for the follow-up question: do remote workers pose a risk to the security of your organisation?

It doesn’t have to be that way. You may be so small that you think you don’t have the resources to properly secure your data and devices with expensive tools and complex processes, but the truth is that some relatively simple changes can make a huge difference.

Let’s start by acknowledging the elephant in the small-business cybersecurity room: no, you are not invisible to attackers, nor are they only interested in bigger fish. According to penetration testing experts Qualysec (qualysec.com), more than 40% of cyberattacks target small businesses. Sure, some of those will be using your business as a potential stepping stone to a more profitable victim, but that’s no consolation. Being breached for any reason is disruptive, costly and potentially hazardous to your operations and your reputation.

Qualysec also confirmed that 75% of small businesses with a hybrid workforce have at some point experienced a cyber incident. This should come as no shock to anyone, especially in the context of remote work. As the workforce moves beyond the office, new vulnerabilities are exposed – often in environments where IT staff have minimal visibility or control. And yet amazingly, at the same time, 80% of small businesses don’t have a formal cybersecurity policy of any kind.

On these pages I’ll suggest a cybersecurity checklist for small businesses that’s aimed particularly at mitigating the risks associated with remote work. Although without a properly thought-out and regularly audited cybersecurity policy for the whole business you are – and I’m sorry to have to tell you this – screwed anyway. If you need to start drawing up a policy then some of what I’m about to say below can be part of it, but you should also consider granular access to systems and data, passwords and authentication requirements, data protection at rest and in transit, hardware and software updates, security software and/or outsourced services, incident response and reporting. See “Writing a remote work cybersecurity policy” overleaf for more recommendations.

The security nightmare

Most of us welcome a flexible working environment, but what makes life more pleasant for workers can be a huge challenge for employers. The very idea of giving people freedom to work how and wherever they want pulls in the opposite direction to securing systems and data. This most sharply affects the smaller end of the business spectrum – after all, the bigger you are, the more resources you have, and the easier it is to properly secure the increased attack surface that a remote workforce brings to the office data protection party.

But that, dear reader, is not to suggest that a small organisation can’t mitigate the risks they are faced with, nor that doing so has to involve enterprise-scale expenditure. Getting the basics right will put you in a strong position, much more so than throwing money at expensive “security solutions” that you’ll rarely use a fraction of.

And getting the basics right pays for itself. I’m not saying there’s no upfront cost to securing your business from remote work cybersecurity risks, but failing to make the appropriate investment of time and, yes, some cash in the issue will cost you dearly should the almost inevitable security incident hit you down the road. Just look at ransomware: yes, it’s the large enterprise incidents that make the headlines, and often lead to big payoffs for the criminals involved. But small businesses are attacked just as often – and with a greater success rate for the bad guys. That’s partly because they tend to be easier to infiltrate, but also because they’re more likely to pay up without fuss, since even a temporary outage could shut down a small operator for good.

Unfortunately, there are lots of ways for an attacker to get into your systems. Unpatched vulnerabilities, misconfigured software, Remote Desktop Protocol abuse, a lack of multifactor authentication or poor password management policy can all lead to successful phishing exploits, ransomware and more. And these potential vectors are, of course, all harder to manage when you have to think not only about a tightly managed office network, but also personal devices used outside of the workplace. So what, realistically, can you do?

Hardware decisions

There’s no doubt that remote working makes your attack surface larger and where possible, managed endpoint security or antivirus at the very least, separate user accounts for all employees and, importantly, remote data wiping capability.

Unfortunately, even if you’re in a position to do all this, it’s not the end of the argument. Remote work risk mitigation cannot, and must not, stop there; people being people will always try to find the least intrusive, easiest option to get work done, and whether you like it or not, some of them will find a way to use personal devices, personal cloud storage, unlicensed software and unencrypted email. Sadly, the vast majority of these people won’t have the necessary knowledge and experience to properly secure their systems and tools for a working environment – and particularly not for the specifics of your working environment.

Now, you might have picked up on the phrase “whether you like it or not” back there, and kudos to you if so. Because this is where the cybersecurity policy I mentioned 640 words ago comes in. As far as personal devices are concerned, this should mandate separate user profiles for work use; strong local-device security, including managed passwords; passkeys where possible and biometrics where not; and two-factor authentication for all accounts. Your policy should completely ban shared use of the device with other family members or friends, and software updates must be mandatory as well. Your workers may not be happy about this, but once you have these things clearly set down in writing they can’t say they don’t understand what’s expected of them, and they’ve no excuse for unsafe behaviour.

Phishing defences

Viruses are old hat. That’s not to say they’ve gone away – certainly don’t get that idea – but phishing, social engineering, scamming or whatever you want to call it is now the number one threat when it comes to remote working. Why should this particular threat be more problematic when it involves a remote workforce? One big reason is that remote workers are more likely to expect their work colleagues to contact them via email or instant message. Speaking as someone who uses Signal to talk to his partner when she is just downstairs, I appreciate that everyone has their own communication style, but in an office people do generally talk to each other in person. An unexpected message out of the blue is going to seem unusual, and might well prompt you to stick your head over the partition and check in with the purported sender.

Remote teams, who rarely see each other face to face, are much more vulnerable here, especially when you take into consideration the isolation and the potential for home workers to be distracted by any number of domestic goings-on. Distraction is the enemy of cybersecurity and a great ally of attackers, as it makes a potential victim much more likely to act without thinking – such as clicking on a link without carefully checking the destination address, and entering a password without thoroughly inspecting the site.

Things get even worse now that AI is coming into the mix. An attacker using AI can create highly believable, highly manipulative emails and text messages, and respond interactively to the victim’s responses and questions. They can also create convincing account login sites in minutes, personalised to each target or business. AI can even be used to create deepfake audio and video, moving the threat out of the email and text message arena.

The solution has to start with education. Every small business needs to conduct regular phishing awareness training sessions with its remote staff. Don’t treat this as a disciplinary matter, where getting something wrong gets employees into trouble – it should be an educational, enlightening and empowering experience for all. There are some great free resources around you can draw on, such as Google’s “anti-scam workout” (tinyurl.com/377scam). This works on so-called inoculation theory – by exposing people to a little of something, you can increase their resistance to falling prey to attacks.

Of course, the threat calls for more than just awareness. As a matter of course you should be following the principle of least privilege for remote workers, so they have access only to the resources, systems and data that are necessary for their job and nothing more. “Users and administrators should not regularly operate under their administrative accounts,” Michael Tigges, senior security operations analyst at Huntress, told us.

“Preventing the spread of compromise often starts with dissuading a simple adversarial path to privileged access,” Tigges continued. Cloud-native platforms, for example, will often come with the option to require re-authentication by the end user to escalate privileges – which “effectively shuts down numerous compromises we’ve observed”. Another simple mitigation might be to apply a trust-but-verify policy to all requests for financial or data access, requiring confirmation over two different communications channels before it can be agreed.

Talking of cloud services, these are generally pretty secure, until they’re not. Misconfiguration is as big a danger as phishing itself: a single unchecked sharing link can expose sensitive client data to the internet. Don’t let remote employees have this level of administrative access unless they absolutely need it to do their job properly. And – this should go without saying – all password reuse should be banned, with password management software used to create both strong and unique credentials.

Incident response

If you’re wondering what that has to do with remote working then it’s time to give your head a wobble, matey. Your incident response planning must extend to the home office environment, or it’s already failed. This is particularly true when it comes to the small business sector, as it doesn’t take much service disruption before there’s no coming back from the bottom-line consequences.

So ask yourself: If you were working from home, how would you respond to a suspected security incident unfolding in front of you – be it a phishing attack, an apparent data leak, a virus infection or anything else? If you don’t know – and “sending the boss an email” is not the correct answer – then that’s something you need to address right now. Seriously, right now. When it comes to almost any kind of attack, the clock is already ticking, and allowing for a delay while someone tries to figure out the right person to report it to, using a method that hasn’t already been compromised, wastes precious time.
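The unchecked sharing link mentioned above is something you can audit for rather than hope nobody creates. The following is an added example, not code from the article or from any cloud vendor: it scans constructed permission records shaped like Google Drive API permission resources (type, role, emailAddress, domain, allowFileDiscovery) and flags anything exposed beyond the business’s own domain, which is an assumed value.

```python
"""Audit cloud-drive sharing permissions for exposure outside the business.
Added example, not from the article. Records are constructed and shaped like
Google Drive API permission resources; the company domain is an assumption."""
from dataclasses import dataclass

COMPANY_DOMAIN = "example-smb.co.uk"  # assumption: the business's own domain

# Constructed sample export: one entry per (file, permission) pair.
SAMPLE_PERMISSIONS = [
    {"file": "Client list Q3.xlsx", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
    {"file": "Payroll 2024.pdf", "type": "user", "role": "writer", "emailAddress": "finance@example-smb.co.uk"},
    {"file": "Payroll 2024.pdf", "type": "user", "role": "reader", "emailAddress": "someone@personal-mail.example"},
    {"file": "Brochure.pdf", "type": "anyone", "role": "reader", "allowFileDiscovery": True},
    {"file": "Team rota.docx", "type": "domain", "role": "writer", "domain": "example-smb.co.uk"},
    {"file": "Contracts", "type": "domain", "role": "reader", "domain": "partner.example"},
]

@dataclass(frozen=True)
class Finding:
    file: str
    severity: str  # "high" or "medium"
    reason: str

def audit_permissions(perms, company_domain=COMPANY_DOMAIN):
    """Return one Finding per permission that exposes a file beyond the company.
    high:   anyone-with-the-link (the unchecked sharing link case; worse still if
            the file is discoverable by search), or an external user who can write.
    medium: an external individual or external domain with read access."""
    findings = []
    for p in perms:
        ptype, role = p.get("type"), p.get("role", "reader")
        if ptype == "anyone":
            disc = " and discoverable by search" if p.get("allowFileDiscovery") else ""
            findings.append(Finding(p["file"], "high", f"anyone with the link has {role} access{disc}"))
        elif ptype == "user":
            email = p.get("emailAddress", "").lower()
            if not email.endswith("@" + company_domain):  # internal staff are expected
                sev = "high" if role in ("writer", "owner") else "medium"
                findings.append(Finding(p["file"], sev, f"external user {email} has {role} access"))
        elif ptype == "domain" and p.get("domain", "").lower() != company_domain:
            findings.append(Finding(p["file"], "medium", f"external domain {p['domain']} has {role} access"))
    return findings

if __name__ == "__main__":
    for f in audit_permissions(SAMPLE_PERMISSIONS):
        print(f"[{f.severity.upper()}] {f.file}: {f.reason}")
```

Run it against a real permissions export on a schedule and the anyone-with-the-link findings are the ones to chase first; internal shares are expected and stay silent.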

Incident response should in fact be part of your remote cybersecurity policy, and your security training. There’s no point having a response plan at all if your employees don’t know that it exists, or how to use it. Including it in your phishing awareness materials makes perfect sense, because such incidents will need to be reported anyway if someone has fallen for the ruse.

Be sure to make your process simple and easy to understand, with a single point of contact for reporting incidents – so nothing can be misinterpreted or fall through the cracks. Ensure your plan also spells out the precise

Where to from here?

Clearly what I’ve set out above isn’t a fully inclusive, all-you-can-eat, nothing-left-out cybersecurity solution for remote workers. If anyone tells you such a thing exists, run away, fast. Hopefully, though, it’s a starting point that sets the tone for a more secure business, wherever employees happen to be based. And it finishes pretty much where it started: pinpoint the basics, your business security fundamentals, and the rest will follow. That means knowing where your data is, who has access to it and how that access is granted.

Basic security controls will go a long way toward protecting your organisation, but only if you communicate those controls to remote staff in a way they will both understand and appreciate. A final word from another wise head: good security does not erect barriers. In other words, employees will readily accept rules and processes if they’re introduced with clarity and empathy for the role of the remote worker. People don’t dislike security; they dislike friction. Let your policies be the oil, not the grit.
