As the workforce grows increasingly remote or hybrid, companies face new and different cybersecurity risks. And we're not just talking about employees sending money to faux Nigerian princes or signing up to "get rich quick" schemes. Remote work can expose your company to a greater number of threats, and this means that fixing associated vulnerabilities is more important than ever.
Since October was Cybersecurity Awareness Month, we decided to take a look at how you can keep your company safe from cybercriminals while doing remote and hybrid work.
The pandemic changed everything. Even cybersecurity.
Cybersecurity and protecting companies from data breaches aren't new concepts that arose in a post-coronavirus world. Businesses have been taking care of this for years now by putting security controls in place, training employees on the right way to interact with their devices, and setting clear security policies for all to follow.
So, we're not going to harp on about the general challenges faced by security teams. Instead, we'll just take a look at some of the new considerations companies need to take into account as more and more employees become remote workers either full-time or part-time. What are some of these challenges, then?
Challenge 1: changing your cybersecurity strategy overnight
It really boils down to management and responding to the circumstances you're in effectively. Before the pandemic, IT teams were able to update tools, operating systems, and laptops in-house within the corporate network. In a pre-COVID world, many businesses would have been using what we call “centralized patch management”, linked to the office network.
Then came March 2020. Everyone was sent home and all of a sudden employees needed remote access to company data through their home networks. As we all became remote employees, we needed to rethink our security strategy. The problem with the model we used became that without being on the office network, updates would never be sent to employees’ computers. Even with a VPN to do this, this method isn’t particularly efficient in a remote environment and would cause slow traffic, for example, for users.
At TravelPerk, we adopted a new endpoint detection and response (EDR) service and moved away from traditional antivirus software. The reason for that is pretty simple—antivirus tools are built to detect the most common known malware using known signatures but have notable limitations. They cannot detect previously unseen malware, and for performance reasons, can only search for the main malware variants - despite the fact, there are billions of different malware strains out there. An EDR tool is more focused on detecting suspicious behaviors rather than signatures, so can help detect and prevent a far greater variety of malware. In addition, it allows you to respond remotely to investigate and respond to any potential incident as if the laptop was in the room with you. I wouldn't say we're heroes exactly but...
Challenge 2: slow and steady doesn't win the race here
Security and IT teams haven't necessarily been very quick to respond to these changes. As our tooling becomes more decentralized, we need to shift to cloud solutions. But, if businesses weren't working with them before, then they can be slow to adopt them. That can lead to a number of security risks as employees set themselves up in their home offices.
Challenge 3: getting your people to actually do what you say
I'm sure you've heard it countless times—don't work from cafes, don't connect to public WiFi networks, don't share sensitive information like passwords with anyone... And yet, people still do. We can't delude ourselves into thinking that employees won't work from uncontrolled environments. They will!
But security teams can't be responsible for their employees being in a physically secure environment. It's unreasonable to think otherwise. The ownership to behave in a cyber-safe way and make the right decisions is on the individuals themselves. They have to know whether the network they're connecting to is safe or if there's someone reading what they're doing over their shoulders.
The best thing you can do is educate them by sharing useful, easy-to-follow information on cybersecurity. It just so happens you can download our document outlining the right behaviors for employees working remotely here! Feel free to share it with your team.
What can you and your company do to lower the risk of cyber-attacks?
1. Set clear policies
Make sure your security policies and guidelines are easily accessible and don't take long to read. Don't set impossible tasks and expectations for your colleagues—the simpler it is, the more likely they are to adhere to it. Include information on all of the main cyber risks, how and when to use corporate versus personal devices, and how to protect sensitive data.
2. Educate your users
Help your employees or colleagues understand what cybersecurity is, what threats we face, and how to respond to them. Teach them how to identify phishing, scams, social engineering, and other cyber threats they could encounter. Show them how to set strong passwords (nope, Password1234 is NOT a good password, Janet). That way, you can drive positive behavioral changes, which is the true goal behind awareness training.
3. Don't rely on your users
You have to centrally manage all corporate devices, keeping them securely configured and up-to-date. Apply technical controls to back up your policy rather than relying on your users to always get it right (spoiler alert: they won't!).
4. Get a kicka** security tool
Protect your endpoints properly through anti-virus software. Or, even better for a remote workforce - get an endpoint detection and response (EDR) tool. You can also help employees be safer by implementing multi-factor authentication or two-factor authentication tools.
5. Compliance is boring, but it's everything
Gain an understanding of your compliance requirements and how they are affected or put at risk by your employees working from home. Remember, people are connecting through videoconferencing tools like Zoom or Microsoft Teams which they didn't do before. Analyze how this shift to virtual work affects compliance rates.
6. Set a bat-signal style response plan
You need a comprehensive and efficient incident response plan. Take the fact that people are working from home, from cafes, from hotel lobbies, or what have you, as a requirement. People are not physically in the office so that needs to form the basis of this plan.
7. It's all about metrics
We wouldn't be in this business if we didn't like numbers. But this goes beyond just a love for numbers—you need to track how effective your security strategy is and adjust accordingly. Here are just a few things you can measure:
- How many people attended cybersecurity awareness training? What was discussed?
- How many people have actually read and accepted the policy?
- How are you categorizing incidents that occur?
- How many endpoint protection alerts are you receiving?
- How many respondents have reported a phishing attempt?
- How many successful phishing attacks have there been?
- How often are your employees proactively engaging with your security team to raise issues, concerns, and collaborate?
Make business travel simpler. Forever.
See our platform in action. Trusted by thousands of companies worldwide, TravelPerk makes business travel simpler to manage with more flexibility, full control of spending with easy reporting, and options to offset your carbon footprint.
Find hundreds of resources on all things business travel, from tips on traveling more sustainably, to advice on setting up a business travel policy, and managing your expenses. Our latest e-books and blog posts have you covered.
Never miss another update. Stay in touch with us on social for the latest product releases, upcoming events, and articles fresh off the press.