Eight Cost-Effective Work-from-Home Security Tips for SMBs

The sudden shift to work from home at the start of the COVID-19 pandemic was a shock to most small and medium businesses. Many employee laptops and smartphones did not have even the basic antivirus and firewall. Employees working from home risked violating data privacy regulations as they exposed sensitive data over public networks. Businesses had to abandon several time-tested and cost-effective security protocols, such as denying access to sensitive databases from outside the corporate network.

Large enterprises can make heavy investments to mitigate the shock. But small and medium businesses, already under financial strain because of the lockdowns, find such measures unviable. This tech blog offers eight tips for secure remote work, relevant to small and medium businesses.

1. Be Wary of Social Engineering Attacks

About 90% of successful cyber-attacks start with a user error or mistake. The single biggest user mistake is clicking on infected links or downloading malware-infested attachments.

Phishing emails are an ever-present threat, and more so during the pandemic. Phishing attacks jumped by 40% as the COVID-19 crisis heightened between March and August 2020.

Phishers exploit the rapid change, confusion, and fear of at-home employees to entice them to click on the poisoned link. The relatively weak controls on home networks aid them.

Many attackers disguise attacks as updates from the CDC or WHO, or as fake notifications from the government. Others fake the display name in emails to impersonate the company owner or a manager. They offer fake links to download software, updates to collaboration solutions, or anything else.

To counter such scams:

Communicate with employees only through specific, or better still, dedicated channels. Set up corporate services for email, messaging, and other official communication media. A corporate email service such as Microsoft Office 365 or its equivalent, and a corporate messenger such as Slack or HipChat, are the basics.

Invest in an email security and management tool. Email security gateways protect against phishing, malware, and spam, adding a layer of defence.

Reinforce employee behaviour so that they click only on web links they know for certain are authentic. Spread awareness of the common signs of phishing emails. Phishing emails typically come with:

  • Typos
  • Generic greetings such as ‘Dear Customer’ or ‘Dear Sir/Madam.’
  • Threats
  • Urgent deadlines

Treat all file attachments as dangerous. Attackers often use common file types such as DOC, XLS and PDF. Download only solicited attachments.
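A small triage script, added here as an example and not part of the original post, that flags the signs listed above together with the display-name spoofing and risky attachment types mentioned earlier. The corporate domain, the impersonation targets and the sample message are constructed assumptions; the patterns are deliberately simple heuristics, not a substitute for an email security gateway.

```python
import email
import re
from email.utils import parseaddr

# Assumptions (constructed): the company's mail domain and the display names
# an attacker is most likely to borrow.
CORP_DOMAIN = "example.com"
IMPERSONATION_TARGETS = {"jane doe", "it helpdesk"}
RISKY_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".pdf")

GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|sir/madam|user)\b", re.I | re.M)
URGENT_DEADLINE = re.compile(r"\b(urgent(ly)?|immediately|within \d+ hours)\b", re.I)
THREAT = re.compile(r"\b(suspended|terminated|legal action|penalt(y|ies))\b", re.I)


def phishing_signals(raw_message):
    """Return the warning signs found in a raw RFC 5322 message, in a fixed order."""
    msg = email.message_from_string(raw_message)
    signals = []
    display_name, address = parseaddr(msg.get("From", ""))
    # A trusted display name on a non-corporate address is the classic spoof.
    if (display_name.strip().lower() in IMPERSONATION_TARGETS
            and address.rpartition("@")[2].lower() != CORP_DOMAIN):
        signals.append("display-name-spoof")
    body, risky_attachment = [], False
    for part in msg.walk():  # walk() yields the message itself when not multipart
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            risky_attachment = True
        elif part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            body.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    text = "\n".join(body)
    if GENERIC_GREETING.search(text):
        signals.append("generic-greeting")
    if URGENT_DEADLINE.search(text):
        signals.append("urgent-deadline")
    if THREAT.search(text):
        signals.append("threat")
    if risky_attachment:
        signals.append("risky-attachment")
    return signals


# Constructed sample: lookalike domain, generic greeting, deadline and threat.
SAMPLE = """\
From: Jane Doe <jane.doe@example-mail.net>
Content-Type: text/plain; charset="utf-8"

Dear Customer,
Install the update immediately or your account will be suspended.
"""
```

Run `phishing_signals(SAMPLE)` to see the four flags the sample trips; a routine internal message from the corporate domain returns an empty list.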

Offer periodic training to employees on how to identify cyber-threats and what to do when one is detected. Develop modules on each type of cyber threat, the security options, what to watch for in emails, social media, and so on. Bring in external help, even freelance, if internal talent is lacking, to develop the training modules.

2. Focus on the Basics

Shifting business practice overnight is a daunting task even for the tech-savvy. Instead, adopt an incremental approach to securing remote work. Take care of the basics first, then build up the security layers.

Protect devices used by remote employees with antivirus software and firewalls. Make sure enterprise-grade antivirus protects the OS, applications, email, and sensitive data. Advanced firewalls prevent unauthorized intrusion; they enable deep packet inspection, website filtering, and other intrusion prevention methods.

Enforce strict access control on critical systems and data. Apply the principle of least privilege by default, and allow access only for users with a genuine business need.

Create and enforce clear policies on secure remote work. Make sure the policy covers:

  • How to connect to the corporate network, including remote access protocols.
  • The mandate for remote employees to isolate the work computer from other computers in the home network. Whitelist applications, and restrict access to dubious online resources.

Have clear documentation to make these policies unambiguous.

Never underestimate physical security. Encourage employees to lock devices or the workstation when not in use.

3. Secure the Employee’s Home Networks

Remote workers do not enjoy the security deployments set up around the enterprise network. It is in the best interest of the business to strengthen the security of the employee’s home network. Hackers may infiltrate the employee’s low-security home wi-fi, and from there breach the corporate network.

  • Have at-home workers adopt the security measures and protocols found in the workplace, to the extent possible. At the very least, make sure employees change the default home router password to a strong password, or better still a passphrase.
  • Offer at-home employees a dedicated wi-fi connection and company laptops. Alternatively, persuade the at-home employee to grant access to the home network only to trusted people. Kids and others unaware of the dangers of malware, ransomware, and other cyber threats pose enormous risks to other users of the same network. A single click on a malicious link or game download could end up infecting the company network.

4. Update and Patch Systems

Up-to-date systems, with the latest patches installed, are one of the best defences against common viruses and malware.

Cybercriminals seek vulnerabilities in popular software. The Trustwave 2019 Global Security Report puts the number of vulnerabilities patched in the five most common database products at 148, up from 119 the previous year. With COVID-19 lockdowns increasing work-from-home numbers, cybercriminals target video conferencing tools and other workplace applications.

Many of these vulnerabilities receive patches promptly. But employees who do not update their systems remain vulnerable.

  • Make sure employees patch and update systems regularly to reduce security vulnerabilities.
  • Enable auto-updates on operating systems, including smartphone OS.

5. Opt for Multi-factor Authentication

Enable multi-factor authentication (MFA) or two-factor authentication (2FA).

Many cybercriminals breach networks by cracking the login credentials of legitimate users. They use a variety of techniques, from brute-force attacks to social engineering tactics, from dumpster diving to device theft, and more. MFA, which verifies the user through an additional device, thwarts such plans.

  • When a remote employee logs in, grant access to the company network only with the correct password and the OTP sent to their mobile phone.
  • Have the same level of protection for other critical assets such as software or databases.
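The two-step login described above, written out as an added example (not code from the original post): the password is the only thing that triggers an OTP, and the OTP is accepted only once, only before it expires, and only within a small number of guesses. The `send_sms` callback, the five-minute lifetime and the three-attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # a code expires five minutes after it is sent (assumed)
MAX_OTP_ATTEMPTS = 3    # after that the code is discarded; log in again (assumed)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class MfaLogin:
    """Password-plus-OTP login flow; example code, not a production auth library."""

    def __init__(self, send_sms):
        self._users = {}    # username -> (salt, password hash)
        self._pending = {}  # username -> the one outstanding OTP challenge
        self._send_sms = send_sms  # assumed callback delivering the code to the phone

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def start_login(self, username, password, now=None):
        """First factor: a correct password is the only thing that triggers an OTP."""
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return False
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit code from the CSPRNG
        self._pending[username] = {"hash": hashlib.sha256(code.encode()).digest(),
                                   "expires": (time.time() if now is None else now) + OTP_TTL_SECONDS,
                                   "attempts": 0}
        self._send_sms(username, code)
        return True

    def finish_login(self, username, code, now=None):
        """Second factor: the code must be unexpired, unused and guessed at most 3 times."""
        pending = self._pending.get(username)
        if pending is None:
            return False
        pending["attempts"] += 1
        if (time.time() if now is None else now) > pending["expires"] or pending["attempts"] > MAX_OTP_ATTEMPTS:
            del self._pending[username]
            return False
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), pending["hash"]):
            del self._pending[username]  # a code is accepted exactly once
            return True
        return False
```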

6. Invest in Encryption

Conventional perimeter security is ineffective if the attacker intercepts traffic. The value of encryption rises in proportion to the prevalence of remote work.

  • Encrypt the connection to protect traffic from prying eyes. But not all encryption is equal. Outdated wi-fi encryption standards do not protect against sophisticated attackers with AI-powered tools. WPA2 encryption is still a good option for SMBs.
  • Configure the network connection properly. Often, attackers exploit misconfigured systems to gain entry.

7. Have a Disaster Recovery Plan

A disaster recovery plan that accounts for the type and nature of threats is essential for all businesses, regardless of size or nature of operations. For instance, while most enterprises back up critical data, ransomware may overwrite incremental and other online backups.

Have a disaster recovery plan covering:

  • A threat and business impact analysis. Determine the level of risk from human error.
  • Policy for full system backups, including servers, databases, and file stores.
  • Archive copies of key servers and data sets stored offline, out of reach of a hacker with domain administrator rights.
  • A list of personnel who form a critical response team if disaster strikes. Specify the responsibilities of each person in the team. The team may comprise in-house employees or external consultants.

8. Have Security Champions

Gartner estimates that 24% of midsize enterprises do not have a dedicated IT security specialist. SMBs may not be able to afford one either.

Security champions, or team members who take up advocacy for cyber-security, fill the void to some extent.

Security champions:

  • Keep up-to-date with cybersecurity best practices and the cyber threat landscape.
  • Help the IT team:
    • Analyze operations and ongoing projects, to identify threats in business processes. They ask probing questions and prompt team members to evaluate the security of their processes.
    • Arrange for the end-user training and awareness on cyber threats.
    • Offer quizzes and tests to gauge cyber awareness.

SMBs have limited funds to invest in cybersecurity. But they can emulate the best practices of best-in-breed companies to ensure a strong security framework. Also, consider these strategic IT investments to succeed in the post-pandemic workplace.
