Remote work has changed the way employers hire and manage employees in significant ways – and research shows the remote trend is only rising. According to Gallup, telecommuting for work in the U.S. climbed to 37% by 2015, with no signs of slowing down.
More companies are leveraging talent all across the U.S. – and the world – making their companies stronger and more diverse as a result. Sean O’Brien of PGi told CIO in an interview, “To think that a company can only be successful by drawing on a pool of talent that’s geographically local is just not accurate — it’s almost obsolete.”
But while attracting top talent through remote work can revolutionize your business, it also leaves your sensitive data and assets highly vulnerable to hackers. 46% of employees admit to transferring files between work and personal computers when working from home.
Meanwhile, 13% of those who work from home admit that they cannot connect to their corporate networks, so they send business email to customers, partners, and co-workers via their personal email instead.
And there’s more bad news when it comes to remote workers and your business data: more than 75% of employees don’t bother with privacy measures when working remotely in a public place. That makes it easy for hackers or anyone else to see what they’re doing and compromise your company’s security.
These sobering statistics just scratch the surface of the security issues surrounding remote work. Not knowing exactly how all of your workers are accessing and using your files also leaves your business open to an attack. In fact, IBM’s 2016 Cyber Security Intelligence Index found that 60% of all attacks were executed by insiders of a company.
A combination of poor security protocols and rogue workers can make your business a prime candidate for hacking, with the potential for high-profile disaster and plenty of financial damage. Some companies have halted remote work policies altogether due to issues with hacking. In 2014, the U.S. post office suspended its telecommuting policy after suffering a data breach.
It’s possible to find a compromise within your virtual workplace that ensures remote access security, while still allowing you to recruit and employ top talent from around the world. But it will take a dedicated culture of security in your business to make remote access security a top priority.
It starts with strong authentication, so that a worker is accurately identified before being allowed access to corporate data and assets. Organizations should be concerned with whether the right person is accessing the data, as opposed to the physical location from which it is accessed.
Begin by identifying the remote worker to be given access to the data. From this, you can build audit trails of the actions taken under that identity, *not* intending to police the worker, but for forensics in case an incident happens. Plan this process to proactively prevent security incidents.
Once strong authentication is in place to enable remote workers, here’s a look at how to maintain security with a remote workforce – and keep your company safe.
Get started with remote access security by monitoring what your remote workers are doing online, and how they’re doing it. While part of the appeal of remote work is limited distractions and the ability for employees to work autonomously, there are cloud-based tools that can make monitoring seamless and unobtrusive.
Time Doctor keeps track of remote workers’ hours, what projects they’re working on and when, and can even take screenshots of their computers. Hive Desk is another option that will give you a glimpse into which apps your team are using, and how much time they’re actually spending on different projects. Both tools give business owners better insights into what their employees are doing while maintaining accountability and ensuring that everyone is adhering to best practices for remote access security.
Business owners can also consider using monitoring or surveillance tools to see when employees are searching for vacation rentals, hopping on social media or trying to access restricted data. The surveillance tool sends a message to employees about workplace accountability, while ensuring employer data is safe from hacking and malware.
However, it’s important to brush up on local laws before you get up and running with your virtual monitoring tools. Some areas in the U.S. require consent before monitoring employees remotely.
Even if you’re on solid ground from a legal standpoint, it’s also wise to be upfront with employees about any monitoring or surveillance taking place. It could ultimately help your remote team stay more productive if they know they’re being watched, and will also deter them from wandering to websites that could put your files at risk through malware and hacking.
Employees can’t follow remote access security protocols if they don’t know what they actually are. Document and outline your specific security policy, and hold periodic training, workshops or meetings to ensure they are fully understood, followed and executed.
A written policy may work for your business, but it’s advantageous to customize the policy to cater to different departments with different responsibilities. For example, training videos on how to access files and graphics may be appropriate for highly visual learners in your graphic design department working on marketing pieces. Meanwhile, case studies and simulations on how to spot email phishing may work well for customer service representatives who regularly respond to email complaints and comments.
Once your security policy is in place, make sure all employees have easy access to it with the freedom to ask questions. Your security policy should also be an integral part of your employee onboarding process. Before remote workers transition into their workplace responsibilities, make sure they have read and acknowledged the policy. To start off on the right foot, consider requiring an in-person meeting, training session or hacking simulation during the remote worker’s first week on the job.
Bring Your Own Device (BYOD) policies are increasingly becoming the workplace norm, but they also create more weaknesses and points of entry for hackers intruding in your business. You could consider eliminating BYOD policies altogether and instead mandate that all work be done on employer-supplied equipment and devices. Regardless of your take on BYOD in the workplace, take the time to scrutinize the technology and devices used by your team members and make sure all operating systems are completely up to date.
Wendy’s found out the hard way that continuing to use outdated technology and POS systems opens the door to hackers. Thousands of franchises were accessed and customers’ credit card information was stolen and used to rack up fraudulent charges. Wendy’s is currently in litigation with customers, banks and other financial institutions over the data breach. The chain’s reputation has also taken a catastrophic hit as it continues to deal with the fallout.
It’s not enough to simply update your operating systems to strengthen your remote access security. Your data and devices should also be encrypted from the start. Mandate that workers use only encrypted devices like iPhones. iPhones can be difficult to crack and offer some added built-in protections, while only 10% of the world’s Androids are encrypted.
Cloud-based tools are also an issue for businesses and remote workers. It may not be practical to ban cloud-based storage and file transfer services, but you can require the use of secure, encrypted cloud-based tools like Mozy Enterprise, as necessary. For finances, use apps like QuickBooks that encrypt data to keep your numbers and sensitive information safe.
One of your biggest remote access security issues could be your email system. Investigate what services your remote workers are using to send and receive correspondence, files and sensitive information from clients, and upgrade their services if needed.
For example, G Suite Message Encryption (GAME) offers an email encryption service for G Suite customers that could help keep your correspondence safer. You can also get your remote workers set up with a VPN to encrypt all of their business communications.
Your biggest security risk may not be your cloud-based providers, devices, or even the growing knowledge base of sophisticated hackers. More than likely, it’s your remote workers themselves – and how they conduct business. Even without intentionally creating data breaches and backdoors for hackers, remote workers could be putting your business in jeopardy. Here’s what to look out for.
Almost three-quarters of those polled use the same passwords for multiple accounts, and a high percentage of people haven’t changed duplicate passwords in over five years. And it’s not just consumers using old passwords on personal email accounts. Even Facebook founder Mark Zuckerberg once used a terrible password that was revealed in a hack: a hacker group that called themselves “OurMine Team” publicly shared that Zuckerberg’s Twitter and Pinterest password was “dadada.”
Fortunately, the OurMine Team hackers only seemed interested in humiliating the billionaire and didn’t compromise his bank accounts and business matters. But your own company may not fare quite so well in a hack.
Research shows hackers rely on weak passwords when brute-forcing PoS terminals.
Crack down on weak passwords and require remote and in-office workers alike to regularly update their login information. Use an automatic password generator to create safe and secure passwords companywide.
Remote workers unknowingly invite hackers to access their files by using unsecured systems. Uploading sensitive information directly into an email, stashing it away in unencrypted storage or leaving data on devices without password protection are just a few of the ways your business data can be readily compromised.
Meanwhile, leaving systems open for employees to upload files freely can also lead to remote access security issues. Hackers could potentially upload their own files with malicious code that can be executed directly on your server. This could consequently lead to system-wide malware or ransomware attacks, or the creation of phishing web pages that could put your company – and your clients – at risk.
The U.S. Department of Homeland Security (DHS) states that 90% of security incidents are caused by exploited software defects. That number can seem staggering in a world where we rely on apps and cloud-based tools to run our entire business and personal lives.
Using a combination of open-source content management systems and cloud-based apps compromises your remote access security. Make it part of your security policy to approve web app purchases and free downloads. Your business also needs a security company like Indusface to continuously scan web applications and work in tandem with a robust web application firewall. Otherwise, your remote workers are just inviting hackers in by using poorly-secured apps.
Granting unlimited data access to workers leaves your business open for hacking and ransomware attacks, or other malicious activity from a third-party source. Limiting data access for nonessential purposes gives your security a boost and cuts off dangerous hacking vulnerabilities. Only allow remote employees to access the data they need, and automatically revoke access to programs and files when they leave your company, finish a project or move on to a different position.
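One way to automate the revocation rule described above, as an added example that is not part of the original article or any vendor's product: a periodic access review that compares current grants against HR state and flags every grant tied to a departed worker, a finished project or a former position. The record layout, user names, resources and project names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Worker:
    user: str
    active: bool   # False once the worker has left the company
    role: str      # current position

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    role: str                # position the access was granted for
    project: Optional[str]   # project the access was granted for, if any

def grants_to_revoke(grants, workers, finished_projects):
    """Return (user, resource, reason) for every grant that has outlived its purpose."""
    by_user = {w.user: w for w in workers}
    findings = []
    for g in grants:
        w = by_user.get(g.user)
        if w is None or not w.active:
            reason = "no active worker record"
        elif g.project is not None and g.project in finished_projects:
            reason = "project finished"
        elif g.role != w.role:
            reason = "position changed"
        else:
            continue  # grant still matches the worker's current need
        findings.append((g.user, g.resource, reason))
    return findings

# Constructed sample data (hypothetical users, resources and projects).
WORKERS = [Worker("alice", True, "design"), Worker("bob", False, "support"),
           Worker("carol", True, "finance")]
GRANTS = [Grant("alice", "marketing-assets", "design", "spring-campaign"),
          Grant("alice", "brand-library", "design", None),
          Grant("bob", "ticket-system", "support", None),
          Grant("carol", "ticket-system", "support", None),  # carol moved to finance
          Grant("carol", "ledger", "finance", None),
          Grant("dave", "ledger", "finance", None)]          # no HR record at all
FINISHED = {"spring-campaign"}

if __name__ == "__main__":
    for user, resource, reason in grants_to_revoke(GRANTS, WORKERS, FINISHED):
        print(f"REVOKE {user} -> {resource}: {reason}")
```

Grants with no matching worker record are treated the same as grants for departed workers, so orphaned accounts surface in the same review.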
Remote access security training probably won’t evoke much enthusiasm around the office. But keeping your business secure doesn’t have to be a dry exercise in compliance. Instead, turn remote access security training into a competition.
Start by getting your team engaged in the training by setting up phishing email simulators so they can see the potential dangers in action. Encourage ongoing research about current hacking trends and malware to keep your team alert and in-the-know.
But to really get your team engaged and invested in remote access security, offer prizes. Keep a tally of employees who continuously report suspicious emails and other online activity. Offer monthly or quarterly prizes ranging from gift cards to lunch with the executives. Make it fun, and employees will want to participate in keeping company data secure.
At the end of the day, there’s no one way to keep your data safe. That’s why it’s crucial to make remote access security an integral part of your employees’ ongoing training and workplace culture. Think of your staff as a cohesive unit – and your company’s first line of defense. After all, these days it takes a unified team dedicated to security to aggressively monitor, prevent and combat security breaches.
Do you expand your talent base by hiring remote workers? If so, what methods and tools do you use to keep your business data safe? Let us know by leaving a comment below.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. He has proven experience (10+ years) in the security industry and has held various management/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Datacard.