The lockdown forced businesses of all sizes to transition to remote work models or shutter until it ended. Before 2020, there had been a growing shift towards remote work, but no one thought that the pandemic would last so long or that remote work would be quite so popular with both employees and employers. Even as we are reopening, it seems that a degree of remote work is here to stay.
Studies show that only 8% of remote employees want to return to work full time, and 87% of all workers say they want to work from home at least one day a week. Overall, productivity is up, absences are down, and morale is high. That doesn't mean in-person work is going away. Instead, it seems that many companies are adopting a hybrid remote work model where employees come into the office some days and work remotely on other days.
With benefits to employee health, work-life balance, easing traffic in many areas, and smaller office space requirements, it works for massive corporations down to tiny startups. The rapid evolution of collaboration tools and the necessity to learn them during the pandemic jumpstarted what would have otherwise taken years of adjustment.
But this quick evolution has had a cost.
We’ve all heard about the increase in cybersecurity attacks during the pandemic. Between the increase in phishing and malware exposure, no one has been spared from attack by cybercriminals. And yet, many organizations, especially small businesses, still have the same remote security they had to piece together when the pandemic began. Because most of the concern at the time revolved around functionality, security became an afterthought.
Currently, the average data breach costs nearly $4 million, and almost 60% of small businesses that experience a breach close their doors within six months. With this in mind, it’s critical for companies with remote workers to develop a remote security plan.
“But we have a VPN.”
During the pandemic, VPNs were by far the most popular security solution implemented for remote workers. But that’s not enough. Whether it’s poor cybersecurity practices or an employee clicking on the wrong thing, a breach is only one mistake away without a remote security plan. A prime example is the Colonial Pipeline hack that went through a VPN account, costing the company $4 million in ransom and instigating panicked gasoline buying on the East Coast.
So how do you protect your business from cybercriminals?
The Unmanaged Vulnerability
Most current cybersecurity strategies assume that employees are connecting onsite using business devices. With remote users, security models assume they log in through a corporate VPN when connecting to work systems, again using business devices. In the small business world, however, cloud-based services like Office 365, G Suite, and Dropbox make it possible for employees to do their work through these tools without logging into a VPN. If users aren’t logging into the VPN, they won’t know if there is a problem. A VPN account without multifactor authentication that is not monitored regularly or managed as employee roles and statuses change is a significant liability.
In addition, this potentially gives employees access to sensitive information on unmanaged devices.
If that thought is not keeping business owners awake at night, there’s a problem. In today’s evolving cybersecurity landscape, there are new threats every day. Unmanaged devices may not have security updates, antivirus protection, basic access security, or other requirements to secure sensitive data.
Instead of crafting a strategy to prevent a breach, it’s time to assume a breach is inevitable and adopt a zero-trust security policy.
For the past year, cybercriminals have been focusing on home networks and automated attacks. This means that attacks are much less targeted and more opportunistic – a combination that puts small businesses directly in the crosshairs. The best way to defend against this is to assume that employees are the weakest link in any security strategy.
Establishing zero-trust security begins with treating everyone with access to your network as a potential threat. From there:
- Implement policies that require employees to use only business-issued devices to access sensitive information systems
- Provide users with the minimum privileges and access required to do their jobs
- Require strong passwords and multifactor authentication on every system where it’s available
- Monitor access logs to look for potential threats before they evolve into breaches
- Train employees to recognize cybersecurity threats
These best practices will help small businesses to develop a long-term remote work security plan and provide some peace of mind in an increasingly dangerous digital world.
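As an added illustration (not part of the original article), the sketch below audits a VPN account list for the three liabilities described earlier: no multifactor authentication, no regular use, and an owner whose employment status has changed. The CSV column names, the sample rows, and the 45-day idle threshold are constructed assumptions, not the export format of any particular VPN product.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): a VPN account export and an HR roster.
VPN_EXPORT = """username,mfa_enabled,last_login
alice,yes,2021-06-28
bob,no,2021-06-30
carol,yes,2021-01-04
dave,yes,2021-06-29
svc-backup,no,
"""
HR_ROSTER = """username,status
alice,active
bob,active
carol,active
dave,terminated
"""

def audit_vpn_accounts(vpn_csv, hr_csv, today, max_idle_days=45):
    """Return {username: [findings]} for accounts that are unprotected, unowned or idle."""
    status = {r["username"]: r["status"] for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = {}
    for row in csv.DictReader(io.StringIO(vpn_csv)):
        user, issues = row["username"], []
        if row["mfa_enabled"].strip().lower() != "yes":
            issues.append("no MFA")
        # Every account should map to a current employee; anything else is unmanaged.
        if user not in status:
            issues.append("no owner in HR roster")
        elif status[user] != "active":
            issues.append(f"owner is {status[user]}")
        # An empty last_login means the account has never been used.
        if not row["last_login"]:
            issues.append("never logged in")
        else:
            idle = (today - date.fromisoformat(row["last_login"])).days
            if idle > max_idle_days:
                issues.append(f"idle {idle} days")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    report = audit_vpn_accounts(VPN_EXPORT, HR_ROSTER, date(2021, 7, 1))
    for user, issues in report.items():
        print(f"{user}: {', '.join(issues)}")
```

Run on a schedule against real exports, a report like this turns "monitor and manage VPN accounts" into a short list of accounts to disable or fix.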
I’ve always had a love of working with technology, being fortunate enough to have grown up with a grandfather who taught me how to fix things for myself and not be afraid to jump in and get my hands dirty. Over the last three decades, I’ve worked as a technician, trainer, technical writer, and manager in small business, enterprise organizations, and government. In addition, I’m an author, having published multiple works available online and in print. You can find my creative work at https://WritingDistracted.com