Over the preceding number of years, it wasn’t that surprising to see several tech companies, and even a number of non-tech companies reducing their office space and moving to full or partial remote work setups.
Normally considered a major transition, these companies spent months preparing for the switch by training their employees, setting up remote work policies, and ensuring all the necessary infrastructure was in place to deal with the increased exposure to certain types of cybersecurity threats.
That’s pretty much the blueprint for how this sort of change is supposed to be made. Fast forward to March of 2020, and all those old playbooks get tossed out the window. Many companies found themselves with short notice, forced to make the switch practically overnight if they didn’t want to disrupt their relationships with their clients and their staff. They hadn’t had the chance to fully prepare themselves, but their hands were forced and they had to make a move.
In all that tumult, cybercriminals leapt into action, capitalizing while they could on softened networks and a workforce that were looking for answers wherever they could find them. According to the FBI, the daily number of cybersecurity complaints quadrupled from 1,000 to 4,000 during the COVID-19 pandemic. Distributed Denial-of-Service (DDoS), ransomware, malspam and phishing attacks were all ramped up while many businesses were focused solely on keeping their heads above water. It unfortunately left many users as sitting ducks as organizations failed to deploy the resources to secure their newly remote workforce.
Why your old security protocols and training programs might not cut it anymore
The training programs and existing protocols for almost every company were developed in a pre-pandemic world. Unless you’ve done a dramatic overhaul since 2020, there are a lot of changes that haven’t been accounted for. There are more devices accessing your network that are beyond your control, and increased communications along entirely digital channels. Combined, it makes your company more vulnerable to cybersecurity threats at a time when it can least afford further interruptions to its operations.
The failure to address these changes on the technology front can easily lead to the following outcomes:
Decreased employee productivity and morale – If left untrained to identify or deal with the new types of security challenges, they may feel indecisive or abandoned in the face of a threat. Do they know how to seek support if this is their first time working remotely? Are they supposed to figure these things out on their own? Because if so, you can expect to find some creative, but often terrifying solutions.
Impacts on business growth opportunities – Cyberattacks don’t just hurt you today, they leave a mark on your credibility and reputation that will linger long after business has returned to normal. Once the trust in your security practices is broken, existing customers become more likely to leave, and potential customers more hesitant to join.
Business paralysis – As businesses are relying even more on their networks, Distributed Denial of Service (DDoS) attacks have risen tremendously in popularity. These typically lead to website downtime, overwhelmed cybersecurity defenses, and a disrupted business day. DDoS and Ransomware infections can leave your business frozen while the clock ticks closer to important pending deadlines.
Leaking of crucial business information – From trade secrets to client contacts, business plans to payment details, every business has a stack of data that needs to stay secure. Don’t let your competitive advantage slip away through a security leak.
Direct financial costs – The number of ransomware attacks, and the average asking price to theoretically get your data back have both gone up. The average ransomware payment shot up 33% to $111,605, and doesn’t take into consideration any lost revenue. You can also expect the premiums on your Cyber Liability insurance to rise if they’re forced to pay out on your behalf.
Legal implications – A failure to prevent a breach can bring the full force of the law down upon you at the same time as you’re struggling to recover from the attack itself. Government fines, consumer lawsuits, and shutdowns while evaluating your compliance with industry requirements can make recovery exceedingly challenging.
How can you secure your remote workforce?
Standing still is a surefire way to fall behind cybercriminals; you need to always be trending towards a new, higher level of security. It doesn’t happen overnight, and it isn’t fixed once and solved forever. New exploits and vulnerabilities are discovered for the most popular softwares all the time; those updates they’re constantly rolling out aren’t exclusively to interrupt your workday. Vigilance is required, because one instance of accidentally clicking a phishing link, absentmindedly sharing a password on a team chat, or saving some mobile data by downloading that confidential file on a public Wi-Fi connection to put in motion a chain of events with serious consequences.
Your IT policy needs to drive understand the challenges that face a remote workforce, and balance those with a security posture that ultimately keeps the larger business safe and intact. Combining a strong set of policies with a strong training program for your workforce sets up all sides for success.
Personal device security – If your company is allowing employees to work with, or otherwise access business information with their personal devices, extra precautions need to be taken. You’ll need to clearly define what is permissible and what is not – from the types of devices, to the operating systems they run on, and the websites they’ll be allowed to access. You should also have a well defined list of tools that they’ll need to install before they start to look after security, remote access, VPN, and authentication. If you have the ability and requirement to remotely wipe or alter those devices, make sure your employees are aware of that fact, and the other levels of access and control you maintain over those devices.
Network security – Public or home Wi-Fi networks can’t compete with your office network in terms of security. That doesn’t mean though that minimum-security standards can’t be put in place to reduce the risk these other networks introduce to your data. Define everything from Wi-Fi encryption standards to Wi-Fi password complexity (most people don’t even change it from the default on the back of the router), network security software to be installed, and what appropriate devices to share the network are. Using public Wi-Fi should be strongly discouraged, but should it prove absolutely necessary ensure they have a list of essential safety guidelines – secure connection, WPA3 compliance, VPN accessibility, website types to avoid, etc.
Cybersecurity Training Programs – No one wants to be the weak link, but the fact is that many of your staff never prepared for this, and IT teams are getting stretched beyond their limits trying to make up for the shortcomings. Cut off those issues at the root by developing your staff to deal with the most common emerging cyberthreats. You’ll submit fewer support requests, suffer fewer interruptions to your team’s work day, and have less risk of having your digital assets exposed. Training programs should cover a range of topics, from password management, use of multifactor authentication, identifying the telltale signs of a phishing or ransomware attack in progress, why and how to set up a VPN, protecting their own personal devices from attack. It’s a long list of topics, but short directed messaging creates an engaged and responsive staff that can rise to the challenges that are thrown at them.
Time to strengthen your first line of defense
Cybercrime continues to rise in Canada and across the world, and the ongoing economic downturn will only make the situation worse. That’s why now is the time for your organization to pull together as a team, even though they may be many miles apart. By collectively keeping their guards up, your organization can come through these challenges intact. To set them up your team and your infrastructure for success, contacts us now.
Nexusguard Q2 2020 Threat Report
2020 SonicWall Cyber Threat Report