Today, half of U.S. workers hold jobs that allow them to work remotely at least part of the time, according to a 2016 study from Global Workplace Analytics. Additionally, the number of people who work from home full-time, not counting those who are self-employed, has grown by 115 percent since 2005.
It's no secret that cybersecurity threats are on the rise across the board, and according to the American Statistical Association, the financial burden of cyberattacks will rise from $400 billion a year to $2.1 trillion by 2019. It's not uncommon now for companies of all sizes, even large corporations that invest millions in data protection, to be compromised. As more employees log on to servers and networks outside the office, it's even more imperative than ever that they be protected—and for employers to enforce cybersecurity protocols.
It's not unusual for an employee to enjoy a latte at a local bistro while working on a company laptop. The worker might log onto the public Wi-Fi, which is wide open to hackers. There are several common ways hackers take advantage of open Wi-Fi networks, including creating their own public Wi-Fi network that looks legitimate. The fake Wi-Fi is a way to monitor users' online activity. So, if the employee joins, a hacker can view credit card numbers, passwords, emails, and other sensitive company data. Human error unfortunately leads to many lapses in security and may put the company at significant risk of a cyberattack.
Here are five steps businesses can take to mitigate the security risk posed by a remote workforce.
1. Use and continually update anti-virus and anti-malware software. Some anti-virus software companies use independent test laboratories, like ICSA Labs or West Coast Labs, for certification. Check for these labels when considering a purchase. Independent lab tests and reviews from technology magazines can help you choose software.
Once the platforms are in place, run updates or patches as they are released to ensure that company data stays safe.
2. Train employees on proper security protocols. When working remotely and logging on to the company's private network, the first thing to remember is to use a Virtual Private Network (VPN). VPNs function much like a firewall for online information, allowing users to securely access and share data remotely through public networks.
Additionally, teach employees to recognize system vulnerabilities and threats to business operations from email communications, internal platforms, and external websites. Train employees to be alert for suspicious activity on their digital devices. If they believe they have accidently revealed sensitive information about your company, make sure they are comfortable reporting it to their supervisor immediately, as well as to network administrators or the IT department. The sooner IT can investigate and clean the computer, the better are the chances to prevent damage to the infected device and others on the network.
3. Establish and enforce a strict password policy. Make sure passwords are strong, and ensure that employees use different passwords across platforms.
What makes a password strong? Historically, best practices have included using complicated passwords with numbers, special characters, and random letters, and using different passwords for each application and website. That is not necessarily today's password protocol, as discovered in the latest research done by The National Institute of Standards and Technology (NIST), which revised its guidelines on creating passwords in June 2017.
The good news is NIST aims to make everyone's digital life easier while keeping security threats at bay. NIST's advice? Make passwords obscure, unexplainable, and as long as possible, but memorable. Phrases, lowercase letters, and an unexpected combination of typical English words work well and confound automated systems. One humorous example is cartoonist Randall Munroe's password, "correct horse battery staple," all written as one word. He calculated it would take 550 years to crack—and The Wall Street Journal reported this to be true and verified by computer security specialists.
Perhaps most surprisingly, passwords never need to expire, according to NIST. The organization's new guidelines are based on finding that previous password tips negatively affected users and did not do much to boost security. And most people don't change their passwords very drastically when it's time to do so, often changing only one or two characters to better remember the new entry.
4. Protect communications by setting up a secure server to encrypt and decrypt communications within the company.
Consider using encryption software to safeguard files. There are several options to choose from. One type of encryption software processes files and folders, creating impenetrable encrypted versions of each. Another is like a virtual disk drive that, when unlocked, functions like any other type of system drive. However, when locked, files are ultrasecure and inaccessible.
Other products are cloud-based. While this is most convenient for remote workers, the risk is much greater and more susceptible to an attack than when housed physically onsite on a company server.
However, additional safety measures can be used. Cryptographers have come up with a security feature called Perfect Forward Secrecy (PFS). PFS automatically and frequently changes keys used to encrypt and decrypt information, so if a device is stolen or hacked, only a small portion of the user's sensitive data is exposed.
5. Finally, be sure you have adequate cyber liability insurance coverage. A lot of business owners don't realize that cybercrime isn't covered by their general business liability policies. A general liability policy covers against any third-party claims of things like bodily injury or property damage, but it doesn't extend to things like workers' compensation claims or cyberattacks.
In the unfortunate event of a data breach, cyber liability insurance covers risks such as extortion and theft of data. It also covers crisis management in the immediate aftermath, including tech support and public relations. The average cost of an attack is $3.62 million, according to Ponemon Institute, so this safeguard is one of the most important tactics for protecting a company's financial health.
It's also smart to develop a detailed action plan that your team working remotely can implement immediately in the event of a cyberattack. This will ensure that the company is prepared to take actionable steps, such as communicating details of the breach to employees and implementing required action to minimize further damage. Include various breach scenarios, and provide answers to questions like "Who will deal with the technology aftermath?" and "Who will inform clients?" Test the plan and revisit it regularly—at least annually—to make sure it's up to date.
It's impossible to eliminate every risk involved in working remotely, but proper precautionary measures can greatly reduce exposure to cyberattacks and other liabilities. Stay abreast of the latest recommendations and advice from experts in the field to be prepared.
Parker Rains is senior vice president and head of Fisher Brown Bottrell's Nashville regional office. A wholly owned subsidiary of Trustmark National Bank, Fisher Brown Bottrell Insurance is a publicly traded financial services company with more than 200 locations in Mississippi, Florida, Tennessee, Alabama, and Texas. Contact Rains at [email protected] or 615-761-6332, and visit Fisher Brown Bottrell Insurance online at www.fbbins.com.