COVID-19 has forced many small businesses to embrace remote work. Now, as restrictions begin to ease in countries such as the United States, a slew of companies are announcing hybrid models that let employees spend at least some of their working week at home or another place outside the office.
If your firm supports remote work or is thinking about switching to a hybrid model, you need to think about security. Why? Because policies and culture are your best tools to keep cybercriminals at bay. Without them, there’s a greater chance that you’ll experience a breach, which cost businesses $4.2 million on average last year, according to research by IBM.
Coming up with a new security strategy – one that covers all of your employees and the different places they might be working – can be daunting. But there’s no need to panic. If you’re not sure where to begin, we’re here to help.
Build your own handbook
The first step is to create your own security handbook. All of the guidance should live inside this digital document, adapted and personalized for your business. The goal is to create a resource that every employee can access, regardless of their location and the devices they use for work. It should be the first stop for any team member who has questions or wants to double-check a policy.
Your firm might give everyone a computer and phone, or may rely on everyone supplying their own equipment. Either way, you need to have complete trust in what everyone is using for work. The first step is to make sure that everyone’s devices are up to date. Staff should only use hardware that can run the latest version of Windows, macOS, Linux, iOS, or Android. Nobody should be using an operating system that is no longer receiving security updates, such as Windows 7.
Physical device security is particularly important when employees are working in public spaces. Many people won’t have done this for a while, due to the pandemic. Remind them that work devices should be locked if they need to get up momentarily — for example, to retrieve a coffee order — and never left completely unattended.
As a failsafe, your team should enable any Find My feature on their computer, tablet, and phone. You should also have a clear process for reporting lost or stolen devices to help track them down and remotely wipe any sensitive data.
The first rule of connectivity is simple: Ensure routers are kept up to date. Team members should opt into automatic updates or periodically check for new security patches. The second golden rule is equally straightforward: Protect routers with strong, unique passwords. That includes the router password – which is required to change various settings – and the Wi-Fi password.
Staff should take even greater care outside the home. Attackers can use public Wi-Fi networks with poor security to infiltrate employee hardware and potentially steal sensitive data. To stop this from happening, employees should consider a VPN and avoid networks with suspicious names.
If your business has a corporate network, you’ll need to think about the best way to give employees access. You might feel that cloud-based services such as Google Docs are a safe-enough alternative, provided you’re careful with sharing and permissions. If you have data that needs to be kept on the company network, however, consider setting up a corporate VPN for remote workers.
Everyone at your business needs to protect their accounts with strong, unique passwords. If someone uses the same set of characters to log into everything, they’re putting your company at risk. You can limit the number of passwords that people need to remember with Single Sign-On (SSO). As the name implies, SSO lets staff log into multiple apps and services with the same credentials, reducing the number of unique passwords they need to come up with and manage.
It doesn’t matter, however, whether your team needs to remember one or 1,000 passwords. All of them still need to be strong and unique. You can solve this problem by adopting a password manager like 1Password. It will also give you a secure and convenient way of sharing credentials – no more shared spreadsheets or sending passwords insecurely over email.
Staff should also be encouraged to set up two-factor authentication wherever possible. The extra layer of security will protect accounts from attackers who have discovered or deduced a password.
Beyond credentials, you should focus on access and segmentation. Check that only team members and trusted guests can access your chat app of choice, such as Slack or Microsoft Teams. You should also use groups and rooms, each with their own privacy settings, to keep information on a need-to-know basis. Similarly, every video call should be password protected and limited to participants that have been invited beforehand.
Finally, let’s talk about email. Despite being more than 50 years old, email remains the backbone of business communication. It’s also a prime target for social engineering, which was one of the top three causes of incidents and breaches in 2020, according to research by Verizon. Attackers will often impersonate a reputable company or person, a tactic known as phishing, and encourage employees to click on a link that seems perfectly legitimate but actually sends them to a site designed to steal their credentials and other sensitive information.
You should teach your employees how to spot and report these emails. They should check the sender’s email address, for instance, watch out for typos, and be wary of any language that suggests they need to take urgent action. If they weren’t expecting the email, you should advise them to check its authenticity by reaching out to the original sender with a new email, Slack message, or phone call.
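As an added illustration of the three checks above (this is example code, not part of the original article), the script below applies them to two constructed sample emails: a look-alike sender domain, an external address whose display name poses as an internal team, and urgent wording. The company domain, the role words and the urgency phrases are assumptions chosen for the example.

```python
"""Apply the article's phishing red-flag checks to raw email text (constructed example)."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: the firm's real mail domain (placeholder for this example).
COMPANY_DOMAIN = "example-firm.com"
# Assumption: display-name words that suggest an internal team or role.
INTERNAL_ROLE_WORDS = ("support", "helpdesk", "it department", "payroll", "hr")
# Assumption: wording that pressures the reader to act right away.
URGENCY_PATTERNS = (r"\burgent\b", r"\bimmediately\b", r"\bwithin 24 hours\b",
                    r"\baccount will be (suspended|closed)\b",
                    r"\bverify your (account|password)\b")


def normalise(domain: str) -> str:
    """Undo common digit-for-letter substitutions so 'examp1e' compares as 'example'."""
    return domain.lower().translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def phishing_indicators(raw_email: str) -> list[str]:
    """Return the red flags found in one raw message; an empty list means none were found."""
    msg = message_from_string(raw_email)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags = []
    if domain != COMPANY_DOMAIN:
        # Check 1 and 2: sender address that is a typo or look-alike of our own domain.
        if SequenceMatcher(None, normalise(domain), COMPANY_DOMAIN).ratio() >= 0.8:
            flags.append("look-alike sender domain")
        # Check 1: external address whose display name claims to be an internal team.
        if any(word in display_name.lower() for word in INTERNAL_ROLE_WORDS):
            flags.append("external sender posing as internal role")
    # Check 3: language that pushes for urgent action.
    if any(re.search(p, text, re.IGNORECASE) for p in URGENCY_PATTERNS):
        flags.append("urgent call to action")
    return flags


# Constructed sample messages (not real emails).
PHISH_EMAIL = """From: IT Support <it-support@examp1e-firm.com>
To: alice@example-firm.com
Subject: Urgent: verify your password

Your mailbox will be suspended within 24 hours unless you verify your account at the link below.
"""
LEGIT_EMAIL = """From: Bob <bob@example-firm.com>
To: alice@example-firm.com
Subject: Team lunch next Thursday

Does 12:30 work for everyone?
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, phishing_indicators(raw) or ["no red flags"])
```

Legitimate external partners will trip the look-alike or role checks from time to time, so treat the output as a prompt to verify out of band, as the article recommends, not as a verdict.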
You can’t track everything your employees do at home, nor should you want to. Instead, you should establish a culture of security — a team-wide desire and responsibility to protect your business with good security habits. Changing your company’s culture won’t be easy, but if you listen to your employees and provide them with the tools and training they need to succeed, you’ll slowly create a different kind of workforce: one that has the knowledge and desire to make smart, secure decisions while working outside of your company’s purview.
The best place to start is with employee onboarding. When someone joins your company, take some time to walk them through your security policies. Show them your security handbook and what’s expected when they’re working from home and in public spaces.
The second stage is training and guidance. You shouldn’t assume that everyone knows how to use a password manager or manually update a router. Set up webinars and informal calls where people can ask questions and deepen their understanding of how to work securely inside and outside the office.
Review and refine
What works today might not work tomorrow. Review your handbook regularly and question whether you have the right policies in place. Make changes when necessary and explain the reasoning to your staff. If you give people the correct tools, training, and knowledge, they’ll do everything you can reasonably expect to keep your business secure, regardless of where they’re working.
Editor’s note: This article was originally published on the Firm of the Future.