It has been more than six months since companies were pushed to switch to remote work, and it seems that many of them plan to adopt remote work as a long term business optimization. However, a remote workforce allows for an increased number of cybersecurity vulnerabilities. In this article, we will talk about how management teams can plan ahead to prevent security vulnerabilities.
How big is the cybersecurity threat?
Several security reports indicate that 80% of companies have seen an increase in cyber attacks since March 2020. In case you’ve missed them, here are some of the statistics which were published in May 2020:
- The FBI reported a 300% increase in reported cyber crimes as of May 2, 2020. (Source: IMC Grupo)
- Phishing is up 600% and experts say online threats are six times higher than normal. (Source: WPXI)
- Ransomware attacks (an attack that encrypts your files and asks for a payment in order to restore access to your data) have increased 148% in March 2020. (Source: VMware)
- 51% of companies experienced an increased number of phishing attacks due to employees working remotely (Source: Barracuda)
The US Department of Homeland Security also warns companies using cloud collaboration tools of an increase in malicious attacks targeting “organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack.”
Cyber security risk is one of the main threats in working environments, so what should you plan for, as a manager or member of a remote team, in order to protect sensitive data?
We spoke with Jennifer Rendon, an IT expert at Logically (previously known as Carolinas IT), who has been working closely with clients in the past months to mitigate the security risks and deploy the necessary infrastructure to enable a productive and secure environment for remote teams.
Does your team have clear security procedures and policies?
Many companies are unprepared for remote work conditions and do not have security procedures and policies in place for working outside of the office. Now is a great moment to dedicate time to document procedures and train your team. Even simple steps like keeping your browsers, applications, and operating systems up-to-date provide a critical path to avoid many cyber threats. (How often do you see on a virtual meeting with screen share that your team member has an out of date browser or pending updates for their operating system?)
“Only 41% of cyber security professionals said their companies are utilizing best practices to ensure a secure remote workforce (Source: Security Magazine)."
Here are some of the must DOs that Jennifer recommends for a multi-layered security strategy
Jennifer Rendon’s Top 5 Security Best Practices for a multi-layered security strategy
- TRAINING: The first thing you must realize is that “Your people are going to be the biggest breach in security”( if you have seen the TV series “Mr. Robot” you already know that). To address the human element of cybersecurity, you must invest time in educating all team members on how to recognize phishing attacks, as well as what websites, links, and downloads to avoid. If you do not have such expertise within your IT team, we recommend that you hire professionals to create security training for your team. It’s the middle of the financial year, so you may not feel you have a budget for such expenses. But in reality, this cost is irrelevant compared to the cost a cyber attack could cause to your business. According to Jennifer, malware attacks could cost $50k for a week of work to fix the problem, up to $150k, and in some cases in the US even up to $1M.
- SECURE CONNECTIONS: If you plan to establish remote work as the way to go for your team, you must invest in company laptops for each team member. Personal devices are often shared between family members which means an increased risk of sensitive information leaks. If you do not have the budget to switch all your team members to laptop devices, Jennifer recommends providing employees with a teleworker device which will create a very specific VPN tunnel and will segregate the work connection from the rest of the family connection. She expects that the market for secured connection devices will grow in the next years as a result of the COVID-19 situation.
- SECURE ACCESS: Multi-factor authentication is a must when accessing any company-related information and files. There is no password complex enough so it cannot be cracked, thus the only way to protect your data is via two-factor authentication.
- TOOLS and SOFTWARE: Invest in cybersecurity tools. In remote work conditions, we recommend that your IT team plans a strategy of deploying and updating antivirus software for all your remote workforce. Some of the tools Jennifer finds useful are the Cisco umbrella or OpenDNS or similar tools that do not allow for end-users to go to malicious websites. You must deploy an anti-virus program but keep in mind that standard antivirus programs cannot detect viruses that have not been identified and recorded in their database as such. In such cases, Jennifer recommends deploying tools that regularly scan the computer for some pieces of code that if put together might allow for a security threat to be activated. She has been using Huntress but any similar tool will do the job. In addition, you can look into some software solutions that troubleshoot if they detect a lot of traffic hitting the firewall.
- COMMUNICATION CONTINGENCY PLAN: Last but not least, make sure that you have a way to contact your employees other but email, which you could use in the case of an attack or outage. It could be as simple as asking people to provide a personal email and mobile number that could be used to send instructions if a security breach occurs.
If you still do not have an established IT security role within your team, you should start thinking of either bringing someone onboard or training a member of your current IT team to take over the role and to create and implement a long-term security strategy.
What we can recommend as a remote-first team is that you partner with your IT security person to establish data security as a core value for your team. In order to build such a mindset, emphasize how important security is for the team and dedicate time and budget for security training. Include discussions about security risks in every decision that you take including solutions that you build, internal processes, or client communication. As we feel that security is such an important topic for everyone, we will follow up in the future with more best practices on data security for remote teams.