Protecting business data in the age of remote work: Security best practices during (post) Covid-19

Protecting business data in the age of remote work: Security best practices during (post) Covid-19

The average data breach costs a company $1.42 million in lost business and takes nearly 206 days to identify (IBM). That means we haven’t yet seen or understood the cost of data breaches during the coronavirus pandemic.

Unfortunately, security practices and early signs indicate that we should expect the number of breaches to rise significantly compared to last year, and average costs, too. Why? Remote work has created enormous security challenges for organizations and most were not ready with a plan in place to adapt to the new reality when it arrived.

Every new threat and vulnerability will be capitalized on by criminals. Uncertain times for teams like yours mean more mistakes in security practices. Remote work means fewer layers of established security, making malware and phishing more likely and often more profitable.

It’s time to protect your network and data. So, let’s look at the current rise in remote work and 5 things your IT team can do to protect yourself in the age of COVID-19.

The future is remote work

How many people worked remotely for your company in December 2019 compared to May 2020?

The COVID-19 pandemic has been a catalyst for mass remote work policies, as companies try to keep generating revenue amid an exodus from traditional offices. While you might have experienced some remote work support in the past, this “new normal” pushed adoption forward at warp speed.

For a small or an unprepared IT team, this can make it near impossible to protect business data outside of the corporate network perimeter without some significant changes. External risks not only threaten customers and reputation, but falling out of regulatory compliance can compound the dangers and costs significantly when you’re utilizing sensitive data.

Remote work has wide-ranging implications, and we can expect many of them to become permanent. Tech leaders like Twitter are now saying they’ll offer remote work permanently. New studies indicate you could save up to $11,000 per employee annually by having teams work remotely — and the average employee may save up to $7,000 due to clothing, childcare, and commuting reductions.

The COVID-19 response is daunting for IT teams and tantalizing for finance departments. So, it’s best to prepare your network and data security to tackle new risks now because of the growing possibility that this will become your team’s new normal.

Why is it more challenging to protect data when staff is working remotely?

Before the pandemic, few businesses were designed to support large remote teams. The reliance on staff in specific locations with equipment and access you could control means most operations have had to make significant changes to every aspect of work and daily tasks.

Unfortunately, that can push some IT concerns to the background, especially when leadership is narrowly focused on margins and maintaining revenue. That leaves you open to plenty of risks.

Primarily, the concern is that remote staff are no longer behind corporate firewalls — the ones you paid so handsomely to protect network traffic and reduce the risk of attack. Now, company devices are being used in home networks alongside a host of other family devices. You may have faced similar threats with smartphones and computers, but now are at risk from TVs, game consoles, and even baby monitors.

Network vulnerabilities are complicated by the host of always-on/listening devices powered by Alexa and other virtual assistants. You can “harden” company devices all you want, but it only takes one family machine infected to create a quick path to corporate devices and data.

Home risk is complex

Working from home and in other new environments comes with new distractions, family obligations, and other vulnerabilities IT must address. Only strong policies, proper training and enforcement can help you safeguard against the times when home distractions cause us to lower our guard — those are perfect opportunities for a phishing attack or scam to slip through.

Dangers are as simple as a family member merely the wrong website, downloading infected files from P2P, or turning off a firewall or anti-malware program to speed up a game or improve video streaming quality.

Your employees are going to be accessing resources on personal devices and access personal content on company devices. There’s also a good chance that someone in their family will use a device you provide. It’s a temptation you should consider, too.

Securing the network as a whole, not just individual devices, must be your priority. Unfortunately for in-house or outsourced corporate IT and security teams, there’s going to be a lot of effort to protect your company from new threats and mistakes that can even extend beyond direct staff.

5 best practice areas to protect business data and minimize the risk of a breach

There’s no single solution or plan that will generate 100% protection and security for your network, especially with today’s volume of remote access and work. Don’t take anything as a one-size-fits-all approach — find a partner or employ a team to build something specifically for your operations.

However, there are some best practices you should employ to reduce risks and create barriers for bad actors and malicious intent.

At the heart of the five we’re discussing is one truth: the philosophy guiding remote work security isn’t much different from in-house efforts, but it does require a stronger process and vigilance on foundational layers.

1.     Safeguard the home network

Your new vulnerability is the home network, and it is an exponential risk. Each employee with all of their devices and family devices at home compounds your risk. So, build out a specific plan to protect these networks and share it with employees. You may need to assign IT security staff to help finalize some setups.

Here are a few items to ensure you include:

  • Change home networks away from default passwords
  • Create guest networks and restrict them to company-issued devices
  • Adjust device passwords, from routers and streaming devices to company laptops

It’s important to note that an employee’s Internet Service Providers (ISPs) may also be able to help them with changing home network passwords and settings like the guest network setup.

Compliance will be outside of your control at some levels, but giving people tools and help implementing these practices can increase it. If you’re worried about compliance, consider making it part of a standard remote work policy.

2.     Issue laptops with layers of security

Give as many of your staff as possible a company laptop that you’ve controlled and setup yourself. While your policies and needs will vary based on devices, network, and roles, there are a few things to consider for each:

  • Install a reputable anti-virus system in addition to Windows Defender and have it paid for by the company.
  • Verify DNS protection at the machine-level to prevent access to malicious sites. In the event a device is compromised, this prevents any “callback” from transmitting data. Think Cisco’s Umbrella.
  • Keep machines up-to-date and notify employees about potential updates. Encourage employees to turn machines off a few times each week to ensure the latest updates take effect.
  • Ensure devices and practices can be remotely deployed and security policies automated by internal IT. Notify employees of this.
  • Disable the ability to add unauthorized software. Make them use personal devices for Spotify.

And at the heart of this is a new company policy that must be made crystal clear: company devices should not be shared or used by anyone else in the home. If that occurs, employees can be responsible for risks.

3.     Use industry tools

Beyond built-in tools for managing your network and advanced cybersecurity monitoring, you have a host of options to control data better, protect passwords, and minimize the ability for a threat to intercept information. Here are three that your team would benefit from employing immediately:

  • Multi-factor authentication (MFA): Critical company resources can be protected by ensuring someone has access only when they can verify their identity in multiple ways. It’s a standard feature for email, online tools, and Microsoft 365. Typically, this means knowledge of a username/password and then access to a separate device that can be a phone, hardware tokens, or Web Authentication support (like Apple’s Touch ID). Systems such as Cisco Duo can be useful for large-scale MFA management.
  • Password managers: These tools store all of your passwords in a digital vault, unlocked with a master password. This allows your team to have incredibly strong passwords for every account — many can automatically generate complex passwords — without your team having to reset passwords constantly. These services prioritize their own security, and most have incredibly positive reputations within the cybersecurity industry. We generally recommend Dashlane as a good option for password management.
  • Email security gateways: These tools limit threats from hackers, viruses, and spam content. Many come with admin panels to track individual and global threats, plus looking for patterns that may indicate risks. Built-in URL defenses, content filters, and integration with tools like Microsoft 365 can make them a smart option. And, you’ve got a lot of great options from industry powerhouses.

4.     Train your team to be on the lookout for scams and phishing

One of the most significant changes for your remote team is something that occurs independently of technology. It’s essential to train your staff on what to do and what to look out for when it comes to new social engineering threats. Busy home lives are colliding with work, increasing distractions and making it easier for us all to make a mistake.

Social engineering threats are increasing significantly due to the ongoing pandemic. One report notes that there has been a 30,000% increase in detected phishing, malicious websites, and malware attacks using COVID-19 content since January of this year. It covers everything from fake company responses and information to sales of masks, kits, and “news” about China and the virus.

Tackle this threat by first implementing a cybersecurity awareness training program for all staff. Thankfully,  companies like KnowBe4 provide cost-effective, engaging on-demand training and phishing simulations. You want your team to learn how to use new systems, what protocols to follow for accessing data, and what other team members should do.

You can help reduce successful phishing attacks when Stacy knows that Tim should reach out to IT instead of to her for access to a shared drive. Or by training finance to know that the CEO will not email them to wire funds because the proper protocol requires a phone verification.

If something like this occurs, your team should also have clear protocols of how they can communicate with each other to verify if a request is valid, and how to report suspicious activity to IT. Address advanced risks as well as changes in the office, because something as simple as not being able to access a work phone directly can create a risk.

In our work, a client recently had a user who received an email with a link to an alleged voicemail of a recent company call. Company virtualization made the employee think this was legitimate, and a phishing scam ensued.

5.     Put everything under a reputable, cloud environment

Our final suggestion concerns your business processes and tools. Among the safest things you can do is to put all of your corporate files on a password-protected, cloud-based central repository. We recommend only using reputable vendors and services, which include Microsoft 365’s OneDrive or SharePoint.

If your information isn’t collected in that single repository, you’re facing a variety of risks. Information and files can get lost or people can work on outdated versions, leading to duplicate work. From a security perspective, there’s also greater chance of data loss and leakage. If employees are transferring documents to physical devices or personal cloud services (e.g. Dropbox, Google Drive, etc.), it’s impossible for you to completely control data and prevent theft or loss.

So, your IT team and employees need specific capabilities for access, manipulation, and sharing data. Use specific roles and permissions to make access simple while reducing risks. A single repository makes it easy to accomplish this and eliminates many emails back and forth, unauthorized sharing (such as through Facebook Messenger or Google Drive links), or phishing attempts masquerading as requests to access a file.

While other solutions like Amazon’s AWS are useful and popular among some security professionals (we have in the past implemented this solution with many of our clients), we often recommend Microsoft 365 Business. That recommendation is due to the security capabilities it provides:

  • Built-in data encryption
  • Ability to grant, restrict, or block access to company resources based on specified criteria (e.g., user location, device, application)
  • Centrally restrict access to documents and emails by applying pre-configured classification labels
  • Protect and prevent disclosure of financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records
  • Central management of company devices remotely, including the ability to wipe a machine clean. That’s useful if a device is lost or an employee let go
  • Integrated data storage within the Microsoft ecosystem, including the Office suite, email, Teams, and more.

Data management and control in the remote work era is becoming increasingly complex. There’s always something to check and protect, making it difficult for IT to manage other mission-critical projects. Envision Consulting is working with companies like yours right now to help put out IT fires and prevent them. Reach out today to learn more best practices and policies you can use, or to get a complete plan customized for your business security.