The pandemic has opened the door to a new norm: employees working remotely. Without realizing it, these remote employees may be putting the company at risk of cyber-attacks. 71% of organizations are concerned about remote workers being the cause of a data breach, with 42% of organizations reporting they don’t know how to defend against cyber-attacks**.
If you rely on a single internal IT employee or haven’t yet migrated to an external managed IT service provider, look at the most likely security risks and what to do about them as a bare minimum.
Personal Devices
Working from home creates a sense of freedom for some employees. They may be moving around the home, using a personal cell phone to conduct business, be it replying to emails, taking phone calls or logging into work accounts. While this provides flexibility, these devices now expose the company to cyber-attacks. Employees’ attention is on doing their job, not on what damage can be done to the business through the device they are using.
Personal Device Solution:
If asking your remote employees to refrain from using their personal cell phones isn’t enough, it’s best to educate them on these best practices.
– Ensure your personal mobile phone has a password.
– Only download an app, open emails/files or click on links from trusted sources.
– Wipe data on your phone before it’s sold, donated, or recycled.
– Download a mobile security app that scans for malware and spyware and protects against unsafe websites.
Phishing Schemes
One of the most popular cyber-attacks is a phishing scheme, where an employee willingly but unknowingly gives hackers access to your company’s data. In a phishing scheme, a cybercriminal poses as a person or entity that appears to be a legitimate source. These attempts are carried out over email to trick the employee into providing login credentials or other sensitive information. Once obtained, these credentials are used to wreak havoc on accounts and sensitive company data and to carry out fraud or malicious acts. As the years have passed, these phishing attempts have grown in sophistication and variety.
Phishing Solution:
Training employees to detect these emails will greatly reduce the risk of mistakes. These training programs should be implemented company-wide and should begin when a new employee is hired. A culture of cyber security best practices, built through education, tests and training, is your best resource for defending against these threats.
Passwords
If your employees are like most people, the passwords protecting your company’s sensitive data are likely weak or repetitive. Regardless of whether your company has firewalls and a VPN in place, hackers know that human error is easier to exploit than your security software. Your employee’s repetitive password could have been compromised in a large data breach from a popular online service and then used at your company. A brute force attack is another method used to gain access to sensitive company data, where a hacker will guess a password based on relevant clues an employee has posted on social media sites and other online profiles. Sometimes hackers will continuously attempt to crack a password with code they have written to do the job. There is no sleep for the wicked, and small businesses aren’t safe from cyber criminals; they are low-hanging fruit.
Password Solution:
Educating employees is the first step for any company. Helping employees understand the serious nature of a data breach and its impact on the company and its customers is paramount. The safest route is using a password manager like LastPass or Bitwarden. These tools are created specifically to defend against password cracking in the cyber-attack world. They require a single master password from the employee, and they do the heavy lifting of creating a secure password for any login the employee accesses, be it professional or personal.
If a budget isn’t in place for these tools, educating employees on strong passwords is your next best bet. Avoid using personal information related to birthdays, cars, sports teams, birth year, etc. Try selecting 3-5 random words and stringing them together, mixing in caps, numbers or symbols. These words should not be relatable to the person but should be something you can remember. Winter, snow and freezing is an example of something that shouldn’t be hard to remember. Put this combination together, add some flavor, and you could get something like winTersnOwfr3Ezing%. We simply combined the words and capitalized the T, O and E to spell toe. Then we changed an e to a 3 and added a symbol at the end. What is easy to remember is next to impossible to crack.
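The recipe above can be automated so that the words are picked by a cryptographic random source rather than by the employee. The following is an added example, not part of the original article; the word list, symbol set, substitution table and function names are constructed for illustration, and a real deployment would load a list of several thousand words.

```python
import math
import secrets

# Constructed 32-word sample list (assumption); far too small for real use.
WORDS = [
    "winter", "snow", "freezing", "lantern", "orbit", "pickle", "marble",
    "canyon", "velvet", "thunder", "bicycle", "harbor", "copper", "meadow",
    "rocket", "tunnel", "walnut", "saddle", "pebble", "violin", "garden",
    "ladder", "mitten", "anchor", "biscuit", "candle", "dolphin", "ember",
    "falcon", "glacier", "hammer", "island",
]
SYMBOLS = "!@#$%&*?"                               # assumed symbol set
DIGIT_FOR = {"e": "3", "o": "0", "a": "4", "i": "1"}  # assumed substitutions


def make_passphrase(n_words=4, words=WORDS):
    """Build a password from 3-5 random words plus caps, a digit and a symbol."""
    if not 3 <= n_words <= 5:
        raise ValueError("use 3 to 5 words, as the article recommends")
    parts = []
    for _ in range(n_words):
        word = secrets.choice(words)        # CSPRNG, not random.choice
        i = secrets.randbelow(len(word))    # capitalize one random letter
        parts.append(word[:i] + word[i].upper() + word[i + 1:])
    phrase = "".join(parts)
    # Swap one lower-case letter for a digit; append a digit if none qualifies.
    candidates = [i for i, c in enumerate(phrase) if c in DIGIT_FOR]
    if candidates:
        i = secrets.choice(candidates)
        phrase = phrase[:i] + DIGIT_FOR[phrase[i]] + phrase[i + 1:]
    else:
        phrase += str(secrets.randbelow(10))
    return phrase + secrets.choice(SYMBOLS)


def word_entropy_bits(n_words, list_size):
    """Bits of entropy from the word choice alone (decoration adds a little)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(make_passphrase(4))
    print("32-word list:  ", word_entropy_bits(4, len(WORDS)), "bits")
    print("7776-word list:", round(word_entropy_bits(4, 7776), 1), "bits")
```

The entropy figures show why the size of the word list matters: four words from this 32-word sample give only 20 bits, while four words from a 7776-word list give about 51.7 bits.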
To recap, remote workers are a new avenue of attack that cyber-criminals are focusing on. Weak passwords, personal devices and phishing schemes are only three of the many routes through which your remote workforce is being targeted. Ask yourself: what would downtime and a breach of your sensitive data or client data cost your business? Is it something that could tarnish your reputation, costing you customers? We hope this article has provided the knowledge and resources to address the potential liability your remote workers pose to your business.
PCG Systems is a Denver-based managed IT service provider specializing in end-to-end managed IT services & support, cybersecurity, and IT consulting. Our goal is to be our client’s greatest asset while protecting your sensitive data. To learn more, please visit https://www.pcgsystems.com/.
** Source: Ponemon Institute Remote Work Era Report.