When the COVID-19 pandemic hit, businesses of every size had to pivot to a work-from-home model for non-essential employees. While larger firms typically had some infrastructure in place to enable remote work, small businesses were left wondering exactly how to handle the situation.
While cybersecurity has always been essential, the increasing number of remote employees has made it mission-critical for businesses of all sizes. Fortunately, there are steps every small business can take to step up its cybersecurity game. Regardless of how long remote work lasts, here are some tips that will help shore up any security protocol.
Set up VPNs Correctly
Virtual Private Networks (VPNs) are internet tunnels that allow access into companies’ internal networks. While VPNs were initially intended for letting employees access company resources from any location, they are also a prime target for hackers.
A VPN is a standard measure for remote employees, but a hastily implemented network will pose problems. These VPNs are widely available, but you need to do more than download an app to truly secure your company’s data. You'll want to identify a VPN with secure communication protocols that can keep you and your employees safe. While there are free VPN services out there, it's best to find a safe, secure solution even if it's an added cost.
Another key step is to make sure employee access is controlled – you don’t want one login to access the whole network. Configuring access on an application level means employees can get to files and web applications without allowing root-level access. If one connection is hacked, the hackers won’t get the keys to the entire kingdom.
Set Password Policies
Employees must also use a password to access the VPN, as well as many other company resources. Weak passwords are one of the biggest security threats to anyone connected to the internet.
While you can’t stop your employees from using their cat's name as a password on their personal computers, you can set password policies on your company’s software and hardware. Those policies should require a minimum length, a combination of characters, and other requirements that create a harder-to-hack password. You should also require passwords to be changed at specified intervals.
Use Two-Factor Authentication
Passwords – even strong passwords – aren’t necessarily good enough anymore. Two-factor authentication (2FA) is an extra precaution that can make a massive difference if somebody's password is compromised.
2FA requires two different factors to allow access into a device or program. There are generally three factors recognized as authenticators – something you know (usually a password or PIN), something you have (a smartphone or key), and something you are (a fingerprint or face ID).
The most familiar form of “something you have” is the text message sent to your cell phone – but hackers can steal SIMs and easily gain access, so it’s not necessarily the best. More secure methods include authenticator apps and security keys. Finally, as more hardware devices come with biometric sensors built in, “something you are” fingerprint and face ID authentication are becoming more commonly used factors. Regardless of the approach you use, 2FA adds another step that hackers must figure out in order to access your sensitive information.
Keep Software and Systems Updated
Out-of-date software is one of the biggest security threats to any company. The cyberthreat landscape is constantly evolving, and software manufacturers must continuously update their products to keep up with those threats. “Patches” are often issued to fix vulnerabilities. Failure to apply these patches can be a massive issue for your company.
A notable example of this is 2017’s WannaCry ransomware attack, which resulted from hackers exploiting unpatched Microsoft systems. Although Microsoft had issued a patch just before the attack, many organizations had not applied it, leading to mass data breaches. Additionally, some of the systems attacked were running older software that had passed end-of-life, meaning Microsoft was no longer issuing patches or updates for it. This is why it is essential that your organization keep up with any changes to your software and update it regularly.
Educate Employees About Cyber Threats
Hackers depend on non-tech-savvy users to welcome them into systems through phishing or social engineering schemes. The growing trend of remote employees has only made this more apparent, as hackers fed on the double-whammy of a remote workforce and a concerned population.
A joint alert from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre warned of “a growing use of COVID-19-related themes by malicious cyber actors.” This included phishing and malware attempts such as emails with “coronavirus update” subject lines or SMS messages about COVID relief packages. These cyber attacks encouraged recipients to open a malicious file or visit a phishing site that asks for credit card numbers and other personal information.
Social engineering is another scheme that has become more prevalent. It is a technique in which a hacker manipulates a victim into giving up information about a company. In a high-profile example, hackers took over several celebrity Twitter accounts as a result of social engineering – hackers gained access to these accounts by manipulating Twitter employees for information.
While security audits, penetration testing, and other high-level security testing are important to ensure total security, small attacks can terrorize small business owners everywhere. Take some time to teach employees how to recognize phishing emails or social engineering attempts to protect your small business.
Secure Home Offices
When employees were safely on your company network and behind the firewall, some of their risky behaviors were slightly less threatening. Once they're at home, your company is more reliant on their home Wi-Fi networks.
These networks can be incredibly insecure. Often, the default password hasn’t been changed – if there is one at all. Do a home audit of work-from-home staff to make sure they have configured settings on their home Wi-Fi correctly. This is perhaps the most basic security measure, but one of the most necessary.
Protect Your Business from Remote Cyber Threats
As companies like Google and Twitter set the stage for remote work to become permanent, many smaller companies will follow suit. If your business relies on remote employees, it's essential to have a remote cybersecurity setup that will work for the long term.
Cybersecurity is just one of many responsibilities small business owners bear that can take time away from one key goal – to grow their business. Between security concerns and administrative efforts, it's hard to focus on ways to build your business. Fortunately, you don’t have to carry the latter burden alone.
As a Professional Employer Organization, GMS has the experts and means available to help simplify your various administrative needs. We can help you identify ways to protect your company while also managing payroll administration and other time-consuming tasks. Contact GMS today to talk to us about how we can help you protect your business through professional HR management.