Is remote working propagating cyber security issues?
According to our market research report – ‘Under Attack: Assessing the struggle of UK SMBs against cyber criminals‘ – in which we interviewed 500 senior IT decision makers in UK small and medium-sized businesses (SMBs), nearly half (49%) of those decision makers think the deployment of flexible and remote working policies has caused cyber security issues.
There’s no question that work culture has changed; employees today – particularly the younger generation – expect to be able to work flexibly or remotely. However, these initiatives, when not managed correctly, introduce a number of cyber security issues.
Remote working brings with it a host of cyber security issues
The fact is that flexible and remote working are increasing cyber security issues. As employees use both business devices and their own devices on unsecure networks (including their own home network in some instances), or for personal activities, they are exposing crucial business information to cyber criminals.
In this blog, we’ll take a look at how businesses can reduce cyber security issues for remote workers, as well as revise their policies to ensure robust security.
Establish policies for the use of business devices
More often than not, employees use their business device(s) for personal activities. This is not its intended purpose. A business device is meant to allow employees to work wherever, whenever – not to catch up on movies, access Facebook or send sensitive business data to personal devices!
To prevent this kind of activity, businesses need to establish and communicate clear policies on how business devices should be used, including where and when.
For example, a policy could be: “business devices should never be used for personal activities”. These activities could include making phone calls to friends, accessing Facebook or watching videos on Netflix – just a few examples that are outside of the scope of business activities. For repeat offenders, bans and penalties should be imposed.
Establish policies for the saving and transference of sensitive information
Another key consideration for businesses is setting ground rules for saving and transferring sensitive business data. This is particularly important where personal and identifiable information is involved as any breach (under the General Data Protection Regulation) could result in severe fines.
In any instance, businesses should encourage employees to only ever save business data to approved locations – such as the business’ cloud server or public network. Saving data to personal devices (i.e. laptops or desktops) or USB sticks is a recipe for disaster – all it takes is for those devices to be hacked or stolen and the business’ information is at risk.
With regards to sending data, if employees must send any sensitive information from their device and are working remotely, they should have a virtual private network (VPN) installed. If a VPN isn’t installed, employees should avoid using WiFi connections.
Businesses should emphasise the importance of not using public Wi-Fi networks as these are inherently unsecure – meaning anyone can connect and potentially spy on the devices on the network and the information being sent to and from them. If employees have to send information and do not have a VPN, mobile 4G is secure by design and a suitable option (though much slower).
In summary, don’t use WiFi without a VPN!
Password policies and cookie data
More often than not, employees use a password familiar to them: their birthday, their middle name, their secondary school. But while these passwords are memorable, they are also incredibly easy for cyber criminals to guess.
Considering that more than half (52%) of 18-25 year olds regularly use the same password for multiple online accounts and services, the cyber security risk is abundantly clear: if criminals can guess the password to just one account, they have a high chance of accessing the others.
A simple solution for businesses would be to advise employees to use different (but strong) passwords for their business accounts – or acquire a password management solution that provides multi-factor authentication and automates passwords and usernames. This way, employees won’t need to remember their login details or scribble them down on a piece of paper that could easily be lost.
As well as using password management tools, businesses should encourage employees to regularly clear their browser history, cookie data and saved passwords. Many browsers record all of this information, including financial details for quick form fills, so deleting it or changing the browser settings so the information isn’t stored will help to keep sensitive information safe and prevent unauthorised access.
Employees can only work remotely if the right security solutions are installed
Businesses should make it a requirement that in order for employees to work remotely, they must have the right cyber security solutions installed to their business device. In an ideal world, a firewall, anti-virus solution, anti-malware solution, virtual private network, file encryption and some form of monitoring (so that the business’ IT department can ensure employees are following security guidelines) should be installed to each device.
This might seem excessive – but considering the fines that could be imposed under GDPR (up €20 million, or 4% annual global turnover – whichever is higher) it’s an entirely practical approach.
Regularly review and update remote working policies
As cyber threats evolve and become more complex and sophisticated, businesses should routinely review and update their remote working cyber security policies to take these changes into account.
The initial assessment should include an evaluation of how many cyber security issues have occurred as a result of employees working remotely and how those incidents can be reduced in the future. Businesses should also take the time to investigate current security tools to see if they are up to standard and capable of protecting employees against emerging threats.
This kind of routine assessment will allow businesses to plug any potential cyber security gaps, especially in relation to remote working, and update remote working policies accordingly to ensure employees follow best practice advice.
Remote working is only propagating cyber security issues because businesses are failing to devise remote working policies with cyber security in mind. These businesses are neglecting to educate employees on the importance of such policies or actively enforce them.
If businesses take into account the points outlined in this blog and action them accordingly, they will be in a much stronger position to ensure remote workers follow security procedures and are protected online.
Without a doubt, UK SMBs are exposed to a number of cyber security threats – and the security issues surrounding remote working isn’t the only problem.
If you want to find out how best to protect your small business from cyber attack and not become another digit in a cyber security statistics report, download our eBook: Dispelling the cyber security delusion in small businesses and find out how.