This article is a guest contribution by PROLINK - Canada's Insurance Connection.
COVID-19 has drastically redefined how, when, and where work is performed. Since the start of the pandemic, many organizations have gone completely virtual, with interviews, meetings, and even entire conferences being held digitally. From banking to onboarding to e-commerce, more business than ever is being conducted online.
While vaccine rollouts promise a return to normal, we’ll soon be settling into a post-pandemic world where remote work is the expected employee norm. After nearly a year and a half out of the office, employees and employers alike are seeing the benefits of remote work, citing convenience, flexibility, and greater work-life balance as key factors.
But with millions at home, remote work has become a major security concern. The workplace disruptions brought on by COVID-19 have fueled cybercriminals across the globe, with attacks aimed at worried populations, quarantined workers, and struggling businesses. 80% of Canadian organizations have reported experiencing at least one cyberattack that impacted their databases last year; 21% faced more than 10 attacks.
What are the risks? How can you ensure your team continues to work from home safely and efficiently? How will you keep your staff, your clients, and their private information secure? Keep reading to learn more about the biggest remote work security concerns and how you can help your team balance working in a digital world with the threats of cyberspace.
What are the risks of remote work?
1. Increased Entry Points
Inside business networks, devices and data are protected. But with 90% of the world’s office professionals working from home, the concept of a security perimeter has quickly become outdated. With unmonitored and/or inadequately protected personal networks, the millions of remote workers that make up this expanded attack surface open up easy routes for cybercriminals to access corporate systems through domestic PCs, laptops, and routers.
Many people are also taking advantage of work-from-home arrangements and cheap hotel rates to work-from-anywhere and travel or escape their homes during the workday. But using unencrypted connections, like hotel or public Wi-Fi, allows hackers to sneakily distribute malware, infiltrate accounts, and intercept corporate data.
2. Security Potholes
In the wake of COVID-19, 92% of global companies had to adopt new technologies, like video conferencing tools, remote systems, third-party applications, cloud computing, online payment forms, and more, seemingly overnight just to be able to work remotely. But in their haste to get up and running quickly, many organizations overlooked the security risks of these applications, inadvertently creating new cyber vulnerabilities and aggravating existing gaps in protection. As a result, IT teams are still struggling, over a year and a half later, to iron out the security gaps created by the initial switch, keep employees up-to-date on good cyber hygiene, and strengthen protections on third-party apps.
3. Human Error
COVID-19 aside, human error is still the biggest risk factor when it comes to cyber threats. Why? Given the global circumstances, workers might be more anxious or distracted, and thus, likely to ignore unusual site activity, divulge their login credentials, or fall for a phishing attack. Plus, time and distance away from the office and nearby technical support may have weakened employees’ general sense of cyber vigilance. They may be more careless or more inclined to ignore IT policies, reuse passwords, and save confidential data off the VPN.
Alternatively, many employees might be simply unaware of how to handle sensitive data or recognize the signs of a scam, particularly if they’re using a personal device or new software.
What’s the work from home forecast?
The demand for remote work has been building for decades; COVID-19 has merely accelerated this transition. And now that employees finally have a work-from-home arrangement, they might not be inclined to give it up. Prior to the pandemic, approximately 3.6% of employees worked from home on a semi-regular basis. But now, about one-third of Canadian professionals say they’d be unwilling to work for a company that doesn’t allow telework.
Evidently, remote work isn’t going anywhere—and neither is cybercrime. According to IBM Security’s annual Cost of a Data Breach Study, average breach costs rose 10% between 2020 and 2021 from a total of $3.86 million to $4.24 million USD. In organizations with 61-80% of employees working remotely, the total average cost was higher at $4.39 million USD. For organizations with 81-100% of employees working remotely, that figure jumps to $5.54 million USD. As organizations continue to expand their digital presence, we will likely continue to see a steady and aggressive influx of cyberattacks—and even higher breach costs.
What can managers do?
It is imperative for organizations to strengthen their existing defenses, protect data from exposure, and educate all employees on the potential threats they face. In addition to technical safeguards, here are practical, immediate steps that managers can take to mitigate the impact of heightened cyber risk:
1. Build a cyber-aware workforce.
Education and awareness matter—users are on the front lines and even the most advanced cybersecurity tools in the world won’t make up for poorly trained staff. Everyone who is part of a network should know the basics on how to protect it. At minimum, security awareness training should be clear on:
How to store, handle, and share sensitive data and use software safely;
How to keep software up-to-date (like anti-virus protections) and why it’s important;
The importance of using a secure and encrypted connection;
What cyber threats your organization faces and how to identify them;
How to spot phishing emails and report suspected emails to IT; and
How to recognize and report signs of a data breach.
Be sure to update your employees through weekly or even daily messaging to reduce the potential for misinformation and with it, risk.
2. Adopt strong password policies.
Poor password habits are one of the biggest threats to organizational security since employees tend to re-use weak, common, and easily guessed passwords for multiple platforms. To avoid the risk of compromised credentials, use a password manager to centralize all login information and maintain encrypted passwords across business applications. Schedule forced password changes every 60-80 days. Remind employees not to share login credentials or use work passwords for personal use and to create passwords with 16+ characters and symbols.
3. Apply the principle of least privilege.
Restrict administrative privileges and access to sensitive functions, files, and applications as much as you can; employees should only have the minimum amount of access needed to fulfill their job responsibilities. Ensure that all users are required to confirm any actions that need elevated rights.
4. Manage employees’ use of personal devices.
If employees are using their personal devices for work, ensure all team members are familiar with your organization’s Bring Your Own Device (BYOD) policy and guidance. Caution employees against allowing friends and family to use their personal device so they don’t accidentally access sensitive data or stumble into a phishing scam. Additionally, encourage employees to communicate with colleagues using company-approved instant messaging platforms or email, especially when discussing sensitive information.
5. Implement quality control processes.
If possible, establish policies and procedures that reduce the risk of a data leak, like security checklists or verbal authentication procedures for any email requests involving payment information. For emails, remind employees to verify the authenticity of the sender by checking their email address and the link before clicking on or opening anything.
6. Encourage good document handling practices.
Once they infiltrate your organization, cybercriminals will look for obvious targets, so make sure that all documents containing sensitive data are:
Not shared through plaintext email;
Not stored in your email mailbox for an extended period of time unless absolutely necessary;
Not named in a way that announces their sensitive content (e.g. “All Organizational Payroll Information”).
7. Work with a broker.
Brokers play an important role in the cyber risk management process. A licensed broker—like PROLINK—can help you become resilient in the face of attack while you focus on managing your people, clients, and business. Brokers will:
Identify cyber perils, attack scenarios, and any potential losses based on your unique operations and risks;
Share what steps others in your industry are taking and advise you accordingly;
Deliver a specialized solution with clearly defined parameters of coverage for your organization.
About Prolink Insurance
PROLINK—Canada’s Insurance Connection is a national, independent, insurance and risk management firm delivering advice and insurance solutions. Whether you’re part of an association or seeking insurance for your business or yourself, they're all in, all for you.