Coronavirus safety concerns, social distancing and stay-at-home mandates have precipitated a striking surge in the remote workforce: 85% of companies say more than half of their employees are working remotely. “Business as usual” no longer exists in the wake of COVID-19; and often lost in the struggle to maintain operations and solvency is the looming threat of cyberattacks. Businesses of all sizes must recognize new and increasing cybersecurity risks and take immediate measures to mitigate them.
In a recent Threatpost poll, 40% of companies surveyed reported an increase in cyberattacks as they shifted to a remote workforce. Alarmingly, only 30% of those companies said they felt prepared for all employees to work from home. Furthermore, a CNBC poll found that 53% of businesses have never stress-tested their systems for a pandemic situation.
The stakes are high, especially for regulated industries such as healthcare, banking and government that deal with sensitive data. Cybersecurity risks aren’t limited to enterprise businesses, either; even the smallest companies could be undone by ruthless hackers and potentially held liable for customer damages – especially when the average global cost of a data breach is more than $3 million and affects over 24,000 records.
The greatest vulnerability in today’s uncertain climate? Work-at-home employees. Though necessary to combat COVID-19’s economic impact – and perhaps ushering a permanent shift in how companies think about offsite employees – the scramble to remote work presents opportunities for critical oversights that expose sensitive data to cybercriminals. The following details five critical cybersecurity risks associated with a remote workforce and measures businesses can take to minimize threats while maintaining operations.
1. Unsecured home networks and devices
One inevitable consequence of a home-based workforce is that employees must receive and transmit sensitive information over their home networks. That data might also be stored on mobile and BYOD devices. The problem, then, is businesses have little control over the security of home networks and personal devices – creating a new vulnerability that can grant hackers access to financial accounts, confidential customer records and other protected data.
Many employees do not institute robust security measures on their WiFi networks and personal devices. Not only that, but home networks are typically shared: spouses are completing their own work, children stuck home from school are streaming and gaming, and even prying neighbors can take a peek. With all that activity, there’s no telling what vulnerabilities cybercriminals might exploit on a home network.
Aside from network security, or lack thereof, personal devices might not have proper antivirus and antimalware software. An errant phishing email or video click could install malicious software on a personal device that subsequently infiltrates the entire network and grants hackers access to a businesses’ sensitive data.
How to minimize the risk
Though working over home networks is necessary for remote workers, businesses can take the following measures to minimize the potential for data breaches.
Employ a VPN, SaaS or cloud software
Virtual Private Networks (VPNs) provide secure platforms employees can use to remotely access data, documents and other resources. Collaboration tools and other apps can be deployed over VPNs to maintain robust security measures. Software as a Service (SaaS) and cloud software likewise provide ample security that enables employees to work remotely without putting sensitive data at risk.
Companies should require employees to conduct business only over trusted, encrypted VPNs, SaaS and cloud platforms. That includes collaboration and messaging: employees should be prohibited from using their favorite software, apps and social media to communicate with one another, unless they’re approved for use by your company.
Companies that use VPNs should adopt zero trust technology. In a traditional environment, VPNs trust everyone on the internal network. Security disintegrates, however, when employees access VPNs from outside networks if those outside networks are automatically trusted once employees log in. Zero trust allows the network to verify employee identities and access rights even once logged in to mitigate risk.
Require device and network security measures
Some states require employers of work-at-home employees to install vetted and approved antivirus and antimalware software on their personal devices. They can also help them set up robust network firewalls, create strong passwords and institute multifactor authentication.
Such measures add additional layers of security that can thwart cyberattacks and safeguard sensitive data. Businesses would be wise to avoid the assumption that employees already have these measures instituted; rather, they should distribute approved software and create easy to follow guides employees can follow to protect information.
Use secure document services
Secure platforms should be used to share sensitive documents, but a challenge presents when important documents require legally binding signatures. Businesses that have a consistent need to transmit signed documents should consider employing signed document services that offer secure transmission and storage.
Note that VPN apps, SaaS and cloud platforms might already have secure document signing built in.
Identify critical functions and limit access
Business should identify the most critical functions and services for remote employees, then grant access accordingly. In other words, if a given function, app, storage center or service isn’t critical to business operations, employees should not be able to access it remotely. This practice limits opportunities for data exploits.
Moreover, only the employees that need to work with a given resource should have access. Managing and limiting access rights is a powerful way to mitigate risk because it grants permission only to those who need it.
Provide company laptops and mobile devices
If possible, businesses can issue remote employees company laptops and mobile devices, each preloaded with robust security software that blocks and/or monitors and reports personal use. Requiring employees to use only company-issued hardware reduces the risk of data breaches achieved through unsecured devices and helps businesses monitor access and usage.
If it’s not possible to provide each employee with secure devices, companies can consider giving them only to employees who must access their most sensitive data.
Prohibit working in public places
This might be a moot measure given current government mandates, but it’s worth noting that employees who work in public areas expose businesses to risk when others can view their screens and tap into unsecure public networks. Businesses with remote workforces that aren’t compelled to stay at home should consider prohibiting those employees from conducting business outside the home.
2. Lack of employee education
It goes without saying that most employees do not intentionally expose businesses to data breaches. Often, risk stems from a lack of employee education or a need for employees to skirt the rules to get the job done. When employees do not know which activities put a business at risk, they cannot take measures to prevent it. Hackers, then, can exploit this lack of knowledge to infiltrate business networks and gain access to sensitive data.
How to minimize the risk
Businesses should educate employees on how to avoid being victimized by cybercriminals.
Avoid malicious coronavirus websites and apps
A plethora of new websites and apps offer coronavirus information and resources. Such sites are helpful because they keep the public informed about new developments and safety protocols; however, some criminals are hiding malicious software behind innocuous-looking sites and apps designed to attack networks and devices. For example, one COVID-19 tracking map application was used to install spyware on mobile devices.
Though it can be difficult or even impossible to tell which sites and applications are malicious, steering employees toward trusted sources of coronavirus information can help them avoid inadvertently opening the gates to secure networks.
Be wary of phishing scams and malicious links
Cybercriminals make emails look as though they’re sent by legitimate sources in an attempt to gain sensitive information. Malicious email, video and website links can install malware, spyware and keystroke loggers on computers and mobile devices. In one case, ransomware wreaked havoc on a hospital’s surgical scheduling. Companies should education employees about how to recognize, avoid and report potential threats.
Implement verification and reporting protocols
Businesses can institute a verification system to help employees avoid falling prey to malicious websites and scams. Employees who are uncertain about the source of an email or the legitimacy of a website can use secure messaging or call a phone number to ask IT or other personnel to verify authenticity before they reply or click.
If an employee is worried a data breach might have occurred, the same system can be used to alert IT so it can take immediate measures to mitigate the damage.
3. Lack of monitoring and enforcement
The efficacy of security measures is dependent on employee adoption. Security protocols are useless if employees do not follow them, so businesses must take steps to monitor conformity and enforce policies.
How to minimize the risk
Businesses must dedicate resources to monitoring and enforcement to protect sensitive data.
Monitor employee behavior
Employers should monitor network access so they’re alerted if an employee logs in from an unsecured network. If a company issues laptops, smartphones, tablets or other devices, software should monitor usage to ensure employees do not use them for personal activities. Businesses can keep track of employee activities and verify that communication and file sharing only take place via approved platforms.
Scan networks for malware and vulnerabilities
VPNs and other platforms should be consistently scanned for vulnerabilities and malware. IT personnel should receive immediate alerts for red flags. Suspicious incidents must be thoroughly investigated so they can be addressed and damages minimized.
Businesses should adopt a tough approach to policy enforcement. Educating employees about the potential risks and how to mitigate them is critical to avoiding data breaches. Those who wantonly ignore protocol or consistently fail to follow policies must be dealt with accordingly to minimize risk for the entire organization, its customers and its partners.
4. VPN vulnerabilities
Many VPNs are designed for intermittent use, not the full-time workload they’re currently tasked with. However, ZDNet reports a 66% increase in VPN usage since the coronavirus outbreak. That kind of surge can overwhelm systems and create potential for data breaches.
How to minimize the risk
Businesses should work to preserve the integrity of their VPNs or consider using other platforms to protect sensitive data.
Maintain VPN security patches
Cybercriminals can exploit weaknesses in VPNs, especially when networks are overloaded. It’s critical for businesses to keep VPNs up to date with the latest security patches to avoid vulnerabilities. VPN vendors should be consulted to ensure systems are updated with the latest patches, especially those released since the coronavirus epidemic – and subsequent cyberattacks – began. The aforementioned zero trust technology should also be implemented to bolster security when internal networks are accessed from outside sources.
Consider alternative platforms
If VPN maintenance proves challenging, or if a VPN can’t stand up to the workload, businesses can consider alternative platforms for collaboration and data sharing. Some SaaS and cloud platforms might have the tools and applications needed to weather the coronavirus storm without the need for ongoing, in-house security maintenance. Businesses might consider adopting such platforms, even if temporary, to manage security risks until employees return to the office.
5. Lack of emergency planning
Many businesses were caught unprepared by the coronavirus pandemic, having never envisioned a situation when most – or all – employees would need to work remotely. The need to maintain business continuity forced companies to act fast; in doing so, it was easy to overlook important security processes and place companies at risk.
How to minimize the risk
Now is the time for businesses to evaluate emergency response, shore up existing vulnerabilities and help ensure they’re well-prepared the next time disaster strikes.
Plan for emergencies
Businesses should create a plan for emergency situations. The plan should include how sensitive data will be accessed, transferred, stored and managed. It should dictate protocols for employee access rights, network security and device management. With a plan in place, companies can minimize the risks associated with taking immediate, unprecedented action during emergencies.
Develop and test disaster recovery systems
Data backups are a given, but businesses need to ensure backups are stored in separate and inaccessible locations so they can be recovered in the event of disaster. If such measures are not currently in place, this critical component should be addressed immediately. Existing systems should be tested to verify their efficacy in case they’re ever needed.
Practice for emergencies
Though difficult to do when all employees are working remotely, businesses should plan to practice for future emergencies once remote staff returns. Each employee should know the steps they need to take to mitigate risk. Companies can think of it as a fire drill for disaster, where the company physically practices its response. In doing so, businesses can identify and address vulnerabilities before cybercriminals can exploit them in a real-world emergency.
The coronavirus pandemic has disrupted the business community and put a strain on both companies and employees – but the situation isn’t dire. With a strategic and dedicated approach to remote work, employers can address cybersecurity concerns and strike a balance between risk management and maintaining business continuity.
The information provided in this blog does not, and is not intended to, constitute legal or financial advice.
Toolkit: Coronavirus (COVID-19)
Stay up-to-date on ways to advance your business during the outbreak.
Subscribe to the Toolkit
Get tips to keep you, your employees and your business going