How to maintain your organization’s cybersecurity and safeguard intellectual property in a remote work environment.
For many organizations, the pandemic-driven shift to working from home proved to be a success — so much so that 82% of employers intend to make remote work a permanent fixture, according to a 2020 Gartner survey. However, it hasn’t come without challenges. The abrupt shift to virtual environments ushered in a dark renaissance of cyber threats and vulnerabilities that many senior leaders are continually working to confront. In the wake of COVID-19, ransomware attacks rose by 148% within a month, and phishing attacks rose 600% within seven months. Perhaps unsurprisingly, attacks on remote workers were five times higher in 2020.
Prior to the pandemic, few organizations had planned for such a challenge in their cybersecurity or business continuity plans. Many companies were understandably underprepared to adapt roles and processes that were designed for secure office environments for less-secure remote environments. As virtual tools become more prevalent, equally sophisticated threat actors continue to take advantage of common technological and infrastructure weaknesses — especially in their efforts to target corporations, governments, and critical infrastructure.
Guarding against these attacks centers on processes as well as people. First, leaders need to understand where these new risks originate to address security vulnerabilities. Then, they need to empower a culture of security, in which everyone — from executives to junior associates — has the tools and resources they need to evade a breach.
Addressing Key Risks
While a multitude of factors can contribute to poor cybersecurity and a subsequent rise in cyberattacks, a study from Deloitte points to several key factors that have made organizations more vulnerable during this period:
- Nonsecure working environments. From compromised privacy to nonsecure wireless connections, remote work can present a variety of data security risks. For instance, home environments in which multiple devices are connected to the internet can present unique issues with confidentiality and intellectual property protection, particularly when employees have no choice but to work in the presence of others.
- Rapid adoption of new business tools. As the use of video-teleconferencing (VTC) platforms, cloud-based communication systems, VoIP, and nonsecure wireless networks becomes more prevalent, so do cyberattacks. The rapid shift to remote work prevented many organizations from properly vetting new business tools, leaving them unprepared to deal with the vulnerabilities. For example, during the early days of the pandemic, reports of VTC hijacking skyrocketed. Cybercriminals also took advantage of the rapid adoption of such platforms by registering look-alike domains to use for phishing attacks (imitating Zoom with a URL like yourcompany-zoom.com, for example).
- Ad hoc processes. While most roles and responsibilities were able to transition fairly seamlessly to a remote working arrangement, some organizations — particularly those responsible for processing sensitive data — have certain roles and processes that were designed exclusively for a secure in-office work environment. In the rush to adapt these processes for a remote working environment, many became prime targets for cybercriminals.
- Greater use of personal devices. The flexibility of work today has blurred the distinction between the office and home, leading many remote employees to rely on personal devices more heavily. But given that personal devices are often the first way threat actors try to gain access to your system, even these small transgressions can carry massive risks.
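The look-alike domains mentioned under new business tools can be screened for in domains already seen in mail or proxy logs. The sketch below is an added example, not part of the original article; the allow-list, the brand names and the sample domains are assumptions chosen for illustration.

```python
import re

# Assumptions for illustration: domains the organisation really uses, and the
# brand names worth watching. Replace with your own.
LEGIT_DOMAINS = {"zoom.us", "yourcompany.com"}
BRANDS = ("zoom", "yourcompany")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (reason, brand) for a suspected look-alike, or None."""
    d = domain.strip().lower().rstrip(".")
    if any(d == ok or d.endswith("." + ok) for ok in LEGIT_DOMAINS):
        return None  # the real domain or one of its subdomains
    labels = d.split(".")[:-1]  # drop the final label (TLD); no public-suffix handling
    tokens = [t for label in labels for t in re.split(r"[-_]", label) if t]
    for brand in BRANDS:
        for tok in tokens:
            if tok == brand:
                return ("brand-embedded", brand)
            if len(brand) >= 4 and edit_distance(tok, brand) == 1:
                return ("near-miss", brand)
        if any(brand in label for label in labels):
            return ("brand-embedded", brand)
    return None

def find_lookalikes(domains):
    """Map each flagged domain to its (reason, brand) pair."""
    hits = {}
    for dom in domains:
        verdict = classify(dom)
        if verdict:
            hits[dom] = verdict
    return hits

# Constructed sample input, e.g. sender or link domains pulled from mail logs.
SAMPLE = ["zoom.us", "meetings.yourcompany.com", "yourcompany-zoom.com",
          "zo0m-meeting.net", "example.org"]

if __name__ == "__main__":
    for dom, (reason, brand) in find_lookalikes(SAMPLE).items():
        print(f"{dom}: {reason} ({brand})")
```

A one-character distance also matches ordinary words that happen to sit close to a short brand name, so hits are candidates for analyst review rather than an automatic block list.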
Implementing Proper Protocols
Regardless of how a threat may manifest, prevention and awareness initiatives remain the best precautions. Even organizations with fastidious cyber protocols should conduct an audit and update their cybersecurity plan for remote workers. Further, after months away from a formal office, good habits may have fallen by the wayside, making now the time to reaffirm cybersecurity basics among all employees. Basics include:
- Ensuring that data is regularly and securely backed up and that company devices are running up-to-date software and virus protection
- Requiring all employees to use strong passwords — at least 12 characters with a mix of numbers, symbols, and capital and lowercase letters
- Promoting the use of two-factor authentication when available
- Encouraging all employees to secure their home networks with WPA2 encryption and to use encrypted access (such as VPNs) when logged in remotely
- Training all employees on how to safely access confidential information or sensitive data when working remotely
- Teaching all employees how to safeguard employee-issued hardware, such as through password protection and not leaving equipment unattended
Maintaining a controlled ecosystem of an organization’s communications and data can ultimately help reduce many cybersecurity risks. As a result, many organizations now choose to provide employees with secure, company-provided hardware. Although the upfront costs of dedicated computers or smartphones may be steep, the added protection of network equipment is worth the investment. Likewise, should a cyberattack occur, teams will be able to nimbly track data transfers, effectively identify potential security issues, and speedily resolve those issues.
Protecting Intellectual Property
In addition to growing phishing and ransomware attacks, IP theft is becoming more frequent. While technology and medical research are most commonly targeted by private and state-sponsored threat actors, all organizations regardless of industry must remain mindful of the fact that in a remote working environment, confidential or proprietary information is at an increased risk for exposure.
To first address IP risks and threats to confidentiality, organizations should work with their legal counsel to develop clear documentation that outlines rules regarding everything from the usage of trademarks and copyrighted content to identifying, using, or sharing any information deemed a trade secret. In particular, organizations should consider providing guidelines surrounding these common issues:
- The discussion or sharing of proprietary company information on social media
- Protocols for participating in confidential meetings when working remotely
- Accessing sensitive documents via personal devices
In reviewing employee confidentiality agreements, it may also be prudent to consult your legal counsel to review employment contracts for full-time and contract employees. How will new remote work conditions affect the language and possible consequence of some of these documents? Are you now hiring more freelancers or contractors? Are your noncompete and IP clauses up-to-date and relevant? Answering these questions can offer serious protection for the future.
Of course, documents do not protect organizations — people do. As with data security, organizations must incorporate established rules and procedures into ongoing training programs and should ensure that everyone reads, understands, and follows them.
Building a Cybersecure Culture
While an organization’s technical or IT executive may be tasked with spearheading cybersecurity initiatives, resting the entirety of a safety initiative exclusively in their hands could be a fatal mistake. Rather, effective cybersecurity best practices must be promoted from within the IT department up to the C-suite — changing not only processes but also mindsets.
Getting every senior leader on the same page is crucial to ensuring everyone within a dispersed organization is trained and prepared. Consider the following questions:
- Is your executive team or corporate board regularly updated on current and emerging cyber threats?
- Do your business leaders understand the basics of good remote security hygiene?
- Do all department leaders have access to the resources and information they’ll need to effectively relay cybersecurity protocols to their teams?
- Is a formalized training process for educating leaders and employees on cybersecurity best practices in place?
- Does your business continuity plan account for the most common cybersecurity risks?
- Does your organization have a data breach response plan in place?
Even the most well-trained organization will fail if employees don’t feel comfortable raising the alarm or taking action. Organizations should educate all staff members to report suspicious activity and empower them to do so comfortably, even in cases where the employee made an error themselves.
To reduce some of the pressure associated with reporting suspicious activities, many companies find it helpful to establish anonymous tip lines or mailboxes for employees to report cybersecurity or fraud issues without exposing their identities.
Any internal initiative or organizational transformation requires constant work to help it flourish. Building a cybersecure remote culture is no different, especially with a dispersed workforce. Reaching these employees and evaluating whether or not they are following best practices becomes even more difficult when oversight is limited. That is why any changes or internal initiatives around cybersecurity should aim to remove barriers to adoption and to reinforce good practices.