According to the , 96% of the claims for losses due to cyberattacks made between 2014 and 2018 were made by SMBs. Still, small businesses continue to ignore cybersecurity issues, assuming hackers are interested in much bigger companies.
Now, the COVID-19 pandemic has exacerbated this situation, sending employees home to work on unsecured household computers, further extending a business’s “attack surface.”
“Firms that put their money on firewalls to ‘keep the bad guys out’ have been left struggling with a business now in the hands of employees connecting through consumer-grade internet services,” says at , and author of "No Safe Harbor — The Inside Truth About Cybercrime."
“Many of those ISP-supplied routers were left in factory mode, with default administrative settings and credentials — a boon for criminals to harvest exposed corporate assets like financial information, healthcare records, manufacturing recipes, and more.”
There are very basic precautions even the smallest business can take to protect precious business assets when employees are logging in with home computers and personal mobile phones.
The human factor
Once you’ve secured your desktops, networks, and databases with your firewall, VPN, antivirus software, and similar controls, it’s time to turn your attention to the weakest link in your cybersecurity plan: you and your employees.
There are many tools and programs you could deploy here, but carrying out all of them may be cost-prohibitive to smaller businesses with just a handful of employees.
However, whenever it is possible and wherever it makes sense, protecting remote workers and training them in cybersecurity best practices will significantly lessen the likelihood of a cyberattack brought on by poor “cyber hygiene.”
1. Manage BYOD
In situations where your remote employees are using personal devices for work functions (known as BYOD, or bring your own device), you must take extra precautions.
BYOD at smaller businesses
For smaller businesses, your remote employees probably use personal phones and laptops to connect with you, and those devices may not be as well protected as the ones in your office. A VPN only encrypts traffic between the device and your network; it does nothing for your data once it sits on a personal laptop, and the tunnel also gives any malware already on that machine a route into your network.
Bill DeLisi, chief executive officer at , recommends that companies develop strict BYOD (“bring your own device”) policies, no matter how few employees they may have. Clearly communicate the policy to employees and enforce the restrictions.
“Strong BYOD plans determine a range of parameters, such as where BYOD data is stored and how much data access is allowed through personal devices,” he says.
“Companies need to balance employee privacy with protecting the company. Make sure every phone and laptop is free from infections and talk with staff to restrict certain activities.”
BYOD at larger SMBs
For slightly larger SMBs, an additional layer of protection may be necessary.
Longtime cybersecurity professional and author Greg Scott warns that VPNs may not be enough if a number of employees are accessing sensitive data on home computers: “When employees connect their home computers — full of unknown software — to the company network, it makes sense to introduce a remote access layer,” he says.
The quickest option, on short notice, is to let employees use Remote Desktop (RDP) to reach their own office desktops. Do not expose RDP directly to the internet; it is one of the most routinely attacked services. Publish it only through the VPN or a remote desktop gateway, require MFA, and enable Network Level Authentication. Over the intermediate and longer term, it makes sense to set up virtual workstations for remote employees.
With this in place, company data stays on the office machine or virtual workstation; only screen updates, keystrokes, and mouse input cross the connection. Disable clipboard and drive redirection in the RDP settings if you want to keep it that way.
Another option for larger SMBs is a single sign-on (SSO) solution. Available on-premises or as a cloud service, SSO lets employees reach all of your applications after one login to a central identity provider, reducing the number of passwords they must remember (and keep secure).
Most SSO products bundle access control, centralized authentication, and multifactor authentication, so you get several layers of security through one product, plus one place to revoke access when someone leaves. The trade-off is that the SSO credential now unlocks everything, so it must be protected with MFA.
These solutions don’t make sense for sole proprietors or businesses with just a handful of employees. However, if your employees now work from home, at the very least you need to be sure they secure the typical hacker entry points on their home devices.
2. Secure hacker entry points
Dominic Holt, CTO of , recommends that remote workers configure their home wireless router with a password other than the default (you’d be surprised how many people don’t do this) and turn on any firewalls and other security features it offers.
Don’t assume these protections are on out of the box: change the router’s administrative password as well as the Wi-Fi passphrase, use WPA2 or WPA3 for the wireless network, and apply the router’s firmware updates. “It's also a good idea to set up a MAC filter, which basically lets you whitelist the devices that are on your network,” he says.
“The MAC filter, however, will be annoying if you regularly have visitors who want to use your Wi-Fi, but security is a bit of a trade-off.”
Additionally, Holt recommends disk encryption. Full-disk encryption is built into modern laptops (BitLocker on Windows, FileVault on macOS) and takes only a few minutes to turn on. It encrypts everything on the drive, so a thief who takes the laptop cannot read the data without the login credentials. Store the recovery key somewhere other than the laptop itself.
Finally, grant access to files and systems only to the employees who need them. Keep administrator privileges to the one or two people who genuinely need them, and have everyone, including them, do day-to-day work from a standard user account; this matters even more when there is no IT person on staff to police it. Does every employee need access to your accounting software? Doubtful. Do they all need to handle the customer financial data collected through your online store? No. Being deliberate about who can reach which applications and systems significantly reduces both the chance of a breach and the damage one can do.
3. Cover the bare minimum
If most of what we’ve discussed here isn’t feasible for your business, there are still basics that are affordable, easy to implement, and effective.
Require two-factor (2FA) or multifactor (MFA) authentication
You’ve probably encountered this at some point: you log in to an account with a password and are then asked for a code texted to your phone or shown by an authenticator app. That’s two-factor authentication. It is often included free with software you already use (such as Microsoft Office 365). The point of MFA is that a stolen or guessed password is not enough on its own; the attacker also needs the second factor. Authenticator apps or hardware security keys are stronger than SMS codes, which can be intercepted through SIM-swap fraud or phished along with the password, but any second factor is a large improvement over none.
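As an added example (this is not code from the article), the following Python shows how the code behind an authenticator app is produced and how a server should check it: the code is derived from a shared secret and the current 30-second time step (TOTP, RFC 6238), the server tolerates one step of clock drift, and a code that has already been accepted is refused so it cannot be replayed. The secret is RFC 6238’s published test value, not a real credential. SMS codes are random values the server generates and remembers rather than TOTP, but the verification principle is the same.

```python
# Added example (not from the original article): how a time-based one-time
# code (TOTP, RFC 6238) is generated by an authenticator app and checked by
# the server. The secret below is the published RFC 6238 test secret, not a
# real credential; a real enrolment uses secrets.token_bytes(20).
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 test secret ("12345678901234567890" in ASCII) encoded in base32,
# the form authenticator apps accept from a QR code.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """What the employee's authenticator app displays at Unix time `at` (now if None)."""
    secret = base64.b32decode(secret_b32.upper())
    t = int(time.time()) if at is None else at
    return hotp(secret, t // STEP_SECONDS)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                skew_steps: int = 1, last_counter: int = -1) -> Optional[int]:
    """Server-side check.

    Accepts the current 30-second step and `skew_steps` neighbours on either
    side to tolerate clock drift. Any step at or below `last_counter` is
    refused, so a code that was already used cannot be replayed.
    Returns the accepted counter (store it as the new last_counter) or None.
    """
    secret = base64.b32decode(secret_b32.upper())
    t = int(time.time()) if at is None else at
    current = t // STEP_SECONDS
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if counter <= last_counter:
            continue
        # compare_digest avoids leaking which digits matched via timing
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET_B32)
    accepted = verify_totp(RFC_TEST_SECRET_B32, code)
    print("current code:", code, "accepted at step:", accepted)
```

Run it as a script to print the current code for the test secret and confirm the server side accepts it. The `last_counter` value is per user and must be persisted by the caller; returning the accepted step makes that straightforward.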
Use password managers
Password managers protect you from employees who reuse the same password for every account, forever. A password manager is an application that stores all of a user’s passwords for every site, account, or system they access, so the user only has to remember one strong “master” password wherever they go.
When they sign up for a new site, the manager generates a long random password for them. They also don’t have to write it down (another dicey security move) because the manager stores it. Most managers can also “audit” the vault and flag passwords that are too simple, reused across sites, or old, and recommend replacements.
Business or team plans cost a few dollars per user per month and cover every employee’s devices. The password stores built into browsers are better than nothing, but they are unlocked whenever the user’s operating-system session is, so any malware running as that user can read them, and they lack the sharing, auditing, and administrative controls a team needs.
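To make the audit concrete, here is an added Python example (not from the article or any particular password manager) of the three checks described above, run over a constructed sample vault, together with the CSPRNG-based generator a manager uses to propose replacements. The thresholds (12 characters, 70 bits of charset entropy, 365 days) are assumptions for illustration; real managers also check against breached-password and dictionary lists, which this example omits.

```python
# Added example (not from the original article): the kind of audit a password
# manager runs over a vault. The vault entries and dates below are constructed
# for illustration. Uses only the standard library.
import math
import secrets
import string
from collections import Counter
from datetime import date
from typing import Dict, List

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12        # assumed threshold
MIN_BITS = 70.0        # rough charset-based estimate; real managers also use dictionaries
MAX_AGE_DAYS = 365     # flag for review, not a mandatory rotation interval


def generate_password(length: int = 20) -> str:
    """What a manager produces for a new account: CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound strength estimate: length * log2(size of the character classes used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def audit(vault: List[dict], today: date) -> Dict[str, List[str]]:
    """Return {site: [issues]} for entries that are weak, reused or old."""
    uses = Counter(entry["password"] for entry in vault)
    findings: Dict[str, List[str]] = {}
    for entry in vault:
        pw = entry["password"]
        issues = []
        if len(pw) < MIN_LENGTH or entropy_bits(pw) < MIN_BITS:
            issues.append("weak")
        if uses[pw] > 1:
            issues.append("reused")
        if (today - entry["changed"]).days > MAX_AGE_DAYS:
            issues.append("old")
        if issues:
            findings[entry["site"]] = issues
    return findings


# Constructed sample vault for a small business.
SAMPLE_VAULT = [
    {"site": "mail",    "password": "password123",                     "changed": date(2019, 1, 10)},
    {"site": "bank",    "password": "password123",                     "changed": date(2020, 12, 1)},
    {"site": "crm",     "password": "Summer2020!",                     "changed": date(2020, 6, 15)},
    {"site": "vpn",     "password": "correct-horse-battery-staple-42", "changed": date(2021, 1, 5)},
    {"site": "payroll", "password": "x7#Qm!v2Lr9$wBn4Tz8&",            "changed": date(2018, 5, 20)},
]


def audit_sample() -> Dict[str, List[str]]:
    """Audit the constructed vault as of a fixed date so results are reproducible."""
    return audit(SAMPLE_VAULT, date(2021, 3, 1))


if __name__ == "__main__":
    for site, issues in audit_sample().items():
        print(f"{site}: {', '.join(issues)}")
    print("suggested replacement:", generate_password())
```

The "mail" and "bank" entries share a password, so a breach of either exposes both; that is the reuse a manager is meant to eliminate. The "old" flag is a prompt to review, not a reason to force rotation on its own.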
Don't skimp on employee training
Train your staff immediately, and train them often. This is not a one-and-done scenario. Employees need to be made aware of your cybersecurity plan, what they can and can’t do with their home computers, and the evolving threats on the horizon. Don’t assume they know how to identify a phishing scheme or that they understand why they should sign into the VPN every time they log in to work systems. Remind them often. It’s easy for security measures to take a back seat to daily tasks, so make training part of your weekly team meetings, monthly company updates, or quarterly financial overviews.
“Regardless of company size, one of the best ways to mitigate cybersecurity risk is to practice good cyber hygiene,” says CEO and cofounder of a cybersecurity company specializing in vulnerability remediation.
“As is the case with personal hygiene, most cyber hygiene practices are not complicated, they just require consistency. Just as you’re more likely to get cavities if you stop brushing your teeth, the more you reuse the same passwords, fail to update the software you use, or click on unfamiliar links, the greater the chance of an exploit or breach.”
Remind your remote workers about the risks
Keep your remote employees and your business safe by educating your workers on the potential risks.
- Teach them how to identify a phishing scheme, with details of the latest versions currently making the rounds.
- If you’ve issued them a company laptop and/or phone, they should be the only people using them. Their laptop is not the family’s laptop.
- Be prudent in printing out business files. If there’s no real need for a print copy, don’t create one. It’s one of the easiest ways to protect confidential information.
- Require a password change whenever a credential may have been exposed (a phishing click, a breach notice, a lost device) rather than on a fixed calendar; current NIST guidance (SP 800-63B) no longer recommends routine expiry, because forced changes tend to produce predictable variations of the old password.
- Keep operating systems, browsers, and applications updated so they have the latest security patches, and turn on automatic updates wherever the software offers them.
- Don’t “attend” business-related conferences or video calls in public spaces.
- Browse safely: the padlock icon or “https://” at the start of an address means the connection is encrypted, not that the site is legitimate; phishing sites use HTTPS too. Check that the domain is the one you expect before entering credentials.
If you take time to educate your workforce and implement these practices, you substantially reduce the risk to everyone, and to your business, from the threats described here.