How cyber-secure is your working from home workforce?

Seven important security must-dos to make sure your data is safe.

Working from home became far more prevalent as a result of the pandemic. Although many employees have returned to the office, either full- or part-time, many workers still work exclusively from home.

Unfortunately, many companies haven’t secured the computers and internet connections of their remote workers. If you haven’t already developed protocols, now is the time. (If you haven’t done the same for your office, now is definitely the time.)

To make sure your data is as safe and secure as possible, use these seven security recommendations as a guide.

  1. Make sure you have adequate cyber liability insurance coverage.
  2. Invest in cybersecurity training.
  3. Implement a VPN (Virtual Private Network) for remote access use.
  4. Regularly review and audit data access policies and procedures.
  5. Use a password manager to store and share passwords.
  6. Don’t forget to secure access for mobile devices.
  7. Give remote employees incentives to create a dedicated home office space.

1. Make sure you have adequate cyber liability insurance coverage.

This applies to your office employees as well as remote workers. Every business is doing work online, especially with employees working from home. So having solid cyber liability insurance is an absolute must.

A lot of insurance companies offer cybersecurity or data breach insurance, sometimes as an add-on to your business insurance policy. If that’s the case, be careful to understand the coverage thoroughly as it may not be enough, especially for businesses with complex requirements.

Potential coverages include:

  • Litigation/regulatory expenses
  • Business interruption
  • Extortion
  • Investigation
  • Crisis management expense

Most insurance companies also have resources available as part of the coverage to help you recover from the aftermath of a data breach.

2. Invest in cybersecurity training.

A joint study by Stanford University and security firm Tessian found that 88% of data breaches are caused by employee mistakes. Research done by IBM Security discovered employees were responsible for 95% of data breaches. Either way, the number is incredibly high…and frightening.

While there are some employees who act maliciously or who willfully ignore cybersecurity protocols, the great majority of the problem is simply due to employee mistakes. That’s why cybersecurity training — and retraining — is incredibly important.

Training will help your workforce be more aware of and able to respond appropriately to both internal and external security threats, including both unintentional and intentional threats.

For example:

  • Unintentional data sharing as the result of sending an email and/or attachment to the wrong party.
  • Lost or stolen devices that expose sensitive company data.
  • Sending sensitive data over unsecured methods such as a regular email chain.

But how do employees fall victim to dangerous intentional threats from malicious actors and hackers? The most common causes are phishing/social engineering schemes designed to coerce sensitive information from your employees. This often comes in the form of emails, text messages, or phone calls that can look and sound exactly like a legitimate communication. Employees then click on links or provide information that allows criminals to access data or plant malware to hold the organization hostage.

Remote employees could be even more prone to these schemes because they may not have the same familiarity with their co-workers and may only communicate electronically. Threats from inside the company could find an easy audience with remote workers because they may not know their colleagues well.

This is why you need to talk about cybersecurity with your entire workforce, especially remote workers. Train them, then retrain them regularly: some information may need updating, and repetition reinforces the protocols.

Make sure all employees understand how key leaders communicate, including their style. This could help limit the possible success of phishing attempts that try to impersonate key personnel.

Where do you find cybersecurity training? The US government has cybersecurity training materials and information available at cisa.gov/cybersecurity-training-exercises.

And there are companies that provide cybersecurity training modules and certifications. It’s well worth the effort to find one that suits your needs.

3. Implement a VPN (Virtual Private Network) for remote access use.

A VPN will create a safe, encrypted “tunnel” for your data to travel in and out of the company or your remote workers’ computers.

A properly configured VPN will protect data anywhere your employees are connected to the Internet — office, home, or wherever wi-fi can be accessed. This will go a long way towards protecting company data even if your remote employees are working from home on their personal network.

Most personal home networks are not set up with the same level of stringent security measures as business networks, so the VPN helps to fill those gaps. For example, many people don’t change the default settings of their router, including the password to it. A VPN will help protect data even if every other security measure is lacking.

Another potential problem is that consumer-grade electronics don’t have the same security capabilities as those created for business use. They also don’t receive regularly maintained firmware updates, which can help address security vulnerabilities.

If your policy doesn’t allow employees to work remotely on public networks, is it enforceable? Your business’s private data could still be accessed on a public network by even one rogue employee or a cyber-criminal. A VPN could protect you.

If your policy is to allow employees to work remotely on public networks, a VPN is a must. Otherwise, you’re opening your business to significant risks.

4. Regularly review and audit data access policies and procedures.

Creating policies and procedures for cybersecurity is the first step. You’ll also need to communicate them to your office and remote employees and review them on a regular basis to make sure they’re still applicable and effective.

Here are the basic items you should include in a policy and procedure document:

Have strong password complexity requirements, complete with special characters, numbers and letters.

Audit user lists to see who has access to any of your systems and data.

  • Immediately remove former employees.
  • Limit who has access to an “as needed” basis by instituting role-based access controls.
  • It is a mistake to give remote workers more access than they should have just to make access easier.

If you own your servers, do you have qualified technology professionals on staff or as part of a managed service provider (MSP) to maintain those servers and their security? If you have an MSP, make sure they are up to security standards and have a strong reputation.

Be sure you have a well-defined remote access policy and that it is well communicated to your staff. Items to consider include:

  • Where will you allow your data to be accessed? Only on private networks (remote employee home networks or your business office network) or are you going to allow access on public networks (coffee shops, libraries, etc.) as well?
  • What devices will you allow your data to be accessed on? If all devices are company managed, that makes it much easier to control the security protocols in place on those devices.
  • If you allow remote staff to access data via personal devices (personal computers or, even worse, cell phones) additional security measures are strongly advised.
  • Personal devices should have requirements for basic security measures to be in place, including anti-virus software, password requirements, and more.
  • Consider adding multi-factor authentication for your systems, which adds an extra layer to the login process. Requesting a code number in addition to passwords can provide a potentially critical step if you are going to allow personal devices to access your data.

Do you have consequences in place for non-compliance with your data policies? Have those been defined, communicated and enforced? A policy won’t be effective if you’re not willing to stand behind it and enforce it.

5. Use a password manager to store and share passwords.

A password manager eliminates the need to remember or record all of the different passwords your staff will need to use. This can encourage the usage of more complex passwords, as the manager will remember them for the employee. Most password managers allow password sharing between employees without concern.

But make sure any password manager you employ has strong encryption to prevent access to your saved passwords. They can still be a security threat if they don’t encrypt the data.

Remember, giving a cyber-criminal access to passwords is like providing them the keys to the kingdom.

6. Don’t forget to secure access for mobile devices.

Allowing remote employees to access data on their mobile devices presents another security challenge you need to address. Mobile devices, such as smartphones and tablets, often don’t have the same built-in capabilities or secure software in place. They also “bounce” from one public network to another, often on unsecured connections.

Mobile devices are also far more prone to being lost, which then puts your data at further risk.

So, unless it is absolutely necessary for remote workers to use smartphones or tablets to communicate or work, it is best to not have them access data through mobile devices.

If it is necessary, you can ensure more security by doing the following:

  • Use strong passwords/biometrics
  • Ensure that public or free wi-fi is protected
  • Create and use a VPN
  • Encrypt the device
  • Install an antivirus application
  • Update to the latest software
  • Keep backups
  • Don’t work from a coffee shop or other location where wi-fi isn’t protected and where prying eyes can see the work or the data

7. Give remote employees incentives to create a dedicated home office space.

Along with creating policies and procedures, consider providing reimbursement for some home office expenses to encourage remote workers to establish a dedicated home office space. This will not only encourage productivity, but it will also reduce the potential risk of physical loss of company assets.

Reimbursements can be relatively minor for simple home office purchases such as a monitor, docking station, necessary peripherals, specific software, and more.

Keeping your data safe is good business.

We’ve given you some basic insight into how lack of security for remote workers can damage your business and what you can do to ensure security. If you’d like to know more — or if you have questions — please contact us at hello@accountinuity.com. Spend an hour with our team of experts. No charge and no obligation.

Accountinuity is the financial and accounting team for growth-minded entrepreneurs seeking to profitably scale their business. We deliver complete flexibility for how businesses use our services and because we can manage every aspect of their accounting operations, they can focus on growing their business.
