As COVID-19 stay-at-home orders remain in effect, workers and employers around the world are prepared for the reality that they'll be operating remotely for the foreseeable future. What they may not be prepared for are the cybersecurity risks that come with working from home.
Network security may be the last thing on an employee's mind as they try to figure out how to carry out their daily tasks from home. This is a potentially dangerous oversight: Without the right protections in place, connecting to your home WiFi with your work computer could put your whole organization at risk.
"Just think about all those devices riding on the home network that nobody ever tests or patches – laptops, tablets, gaming systems, appliances, light bulbs and much more," said Andrew Rinaldi, co-founder of all-in-one cybersecurity platform Defendify. "Each one of them introduces potential security vulnerabilities … making it easy for hackers, malware and similar to jump around and exploit gaps. If we’re working from home and on the same network as other family members, it's hard to know what they will click – or may have clicked before."
If your business is among the many that have shifted to full-time remote work, there are a few things you should do right now to shore up your security and ensure that you and your team are not inadvertently exposing sensitive business data through your home networks. Here's what security experts recommend.
Conduct a full cybersecurity audit
As soon as the move to a remote environment has been made, businesses should conduct a full cybersecurity health assessment to clarify where they stand, said Rinaldi.
"We call this a cybersecurity health checkup," he noted. "It identifies all the things you’ve done right, and more importantly, where gaps exist and what to do about fixing them."
Similarly, Mike Quinn, CEO of file security solution Active Cypher, advised running internal phishing tests, since "email is the easiest way and most common avenue for a hacker to penetrate your organization."
It's also important to run vulnerability scans on any new systems, networks or configurations you've implemented, said Rinaldi. This will help you identify any glaring holes or weaknesses, and prioritize remediation.
Finally, Rinaldi noted that businesses should review and update their incident response plan to include remote-work-specific scenarios that may impact their organization, such as lost or stolen devices.
Discourage the use of personal devices for work
The BYOD (bring your own device) movement and ease of accessibility mean many workers already use their personal phones, tablets and laptops to access work files and programs — sometimes against company protocol. Quinn said companies should expect an increase in non-compliant activities like this and enforce the use of dedicated devices for business.
"Too many people will opt for the ease of using an unprotected, extremely vulnerable personal device rather than dealing with the headache of connecting a work computer to a home printer, WiFi or a virtual private network (VPN)," Quinn explained.
Require additional layers of security for work file access
Without in-person access to your company's IT team, personal device use may be inevitable for some employees if their work device stops functioning. Regardless of the physical device being used, Quinn recommended that companies require additional layers of security, such as a VPN connection, password manager, multi-factor authentication and end-to-end encryption, to access business files.
"Only by securing your data at the file level can a business owner truly rest assured that COVID-19’s economic effects won’t be further detrimental, as data breaches and ransomware take hold in their IT infrastructure," Quinn said.
Clearly communicate policies and changes to your team
Your team is likely concerned about their health and safety during this pandemic, but the company's health and safety matters, too — and they must be willing to do their part. Quinn said leaders should provide "refresher" cybersecurity courses with a focus on remote work vulnerabilities and reiterate any new and existing guidelines for securely accessing business files.
Rinaldi agreed, adding that it's essential to share the "why" behind these tightened security protocols. People and their habits play a huge part in cybersecurity, and explaining the context can transform everyone in the organization into a cyber-defender, he said.
"Cybersecurity is about so much more than antivirus and firewalls," Rinaldi told CO—. "It encompasses plans, policies, procedures, education, training, testing, scanning and more. If everyone understands why certain things have to be done and what the related risks are, they will be much more inclined to understand and support new protocols."