Even after the pandemic ends, many small and midsize businesses that were forced to send their employees home to work may choose not to bring some or all of them back. Unfortunately, the ongoing transformation of American office life has presented a golden opportunity for cyber criminals.
Hackers have taken advantage of businesses that weren't able to provide laptops for their workers or offer them tools to secure their home networks. As a result, last year saw an unprecedented wave of ransomware attacks, malware, and high-profile corporate data breaches. Small businesses were already especially vulnerable prior to the pandemic: Roughly two-thirds of companies with fewer than 1,000 employees have experienced a cyberattack, according to a 2018 report by the Ponemon Institute.
"The shift to telework has been a really long time coming. In some ways, it's really great to see how really quickly the global corporate community has been able to adapt to the changing requirements. But the bad guys adapted too," said Rick Passero, Solutions Architect at cybersecurity firm IPM. Passero was speaking Wednesday at a virtual event on IT modernization hosted by the U.S. Chamber of Commerce, where cybersecurity experts shared their insights from working with small businesses.
Luckily, companies can take steps to protect their remote workforces from nefarious actors. Here are a few helpful insights from the event.
1. Start with a risk assessment and identify your weaknesses.
Many companies still neglect to perform a simple cybersecurity risk assessment. As a small-business owner, it's crucial to figure out what data you need to protect, how you're doing it, and what you can do now to address vulnerabilities. Risk assessments should also be prescriptive. In the event that something goes wrong, what is the company's next step?
Kiersten Todt, managing director of the Cyber Readiness Institute, said that many small businesses outsource responsibilities to third-party vendors. But you must also take additional steps on your own and be proactive, she warned: "When it comes to ransomware, it's making sure that you've got the backups on a separate network, that you are prepared for those things that could take you down, that keeps you alive."
Risk assessments don't have to be expensive, Todt noted. Many cybersecurity vendors now offer them to companies for free.
2. Concentrate on endpoint security.
Leaving the office also means leaving behind the corporate network perimeter that protected proprietary data and internal services. Employees who use the same device for personal and work-related purposes are potentially opening up your company to all manner of new risks: a phishing email opened in a personal inbox or malware picked up from a personal download lands on the same machine that holds company credentials and files.
Passero said that going into 2021, there will be a big focus on endpoint security--that is, security related to the devices themselves--as well as on worker education. Todt noted that while issuing company-owned devices to employees is the preferable route, not all small businesses have the budget to do so. Whatever you decide, be prepared to walk employees through every security step you expect them to follow, such as enabling disk encryption and automatic updates, rather than assuming they will figure it out on their own.
3. Take a zero-trust approach to cybersecurity.
Does every employee in your organization need access to customer data or other highly sensitive, proprietary information? Probably not. Passero suggested taking a zero-trust approach to securing your network, which requires being selective about the levels of access you grant to staff and verifying every request rather than trusting anything that is already on the network.
"Don't configure your network to trust someone just because they gained access," Passero said at Wednesday's event. Under a zero-trust model, no user or device is trusted by default, whether it sits inside or outside the corporate network. Every request is authenticated and authorized, and before a user is granted access to the most sensitive data the company should also check the posture of the device making the request: is it company-managed, encrypted, and patched? Grant each employee access to the specific service or server their role needs, rather than giving everyone access to the entire network.
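The following is an added illustration of the per-request decision described above, written for this article; it is not code from IPM, the Cyber Readiness Institute, or the event. The roles, resource names, posture fields, and thresholds are assumptions chosen for the example. Each request is evaluated from scratch and denied unless authentication, authorization, and (for sensitive resources) device posture all pass; no role is granted blanket access.

```python
"""Minimal zero-trust access decision: authenticate, authorize, check device posture.

Illustrative example only. Role names, resource names, posture fields and
thresholds below are assumptions for the demonstration, not a real policy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool      # the current session completed multi-factor auth
    session_age_s: int      # seconds since the user last authenticated


@dataclass(frozen=True)
class Device:
    managed: bool           # enrolled in the company's device management
    disk_encrypted: bool
    os_patch_age_days: int  # days since the last OS patch was applied


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    resource: str           # e.g. "crm/customers"
    action: str             # "read" or "write"


# Least-privilege grants (constructed sample): each role maps to exactly the
# resources and actions it needs. No role is granted "*" or "the whole network".
POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "sales":      {"crm/customers": frozenset({"read"})},
    "sales-lead": {"crm/customers": frozenset({"read", "write"})},
    "finance":    {"erp/invoices": frozenset({"read", "write"})},
    "support":    {"helpdesk/tickets": frozenset({"read", "write"})},
}

# Resources holding the most sensitive data require a stronger device posture.
SENSITIVE: FrozenSet[str] = frozenset({"crm/customers", "erp/invoices"})
MAX_SESSION_AGE_S = 8 * 3600   # assumed re-authentication interval
MAX_PATCH_AGE_DAYS = 30        # assumed patch freshness requirement


def authenticated(identity: Identity) -> Tuple[bool, str]:
    """Being on the network is not proof of identity; require MFA and a fresh session."""
    if not identity.mfa_verified:
        return False, "deny: session has not completed MFA"
    if identity.session_age_s > MAX_SESSION_AGE_S:
        return False, "deny: session too old, re-authenticate"
    return True, "ok"


def authorized(identity: Identity, resource: str, action: str) -> Tuple[bool, str]:
    """Allow only if some role of the user grants exactly this action on this resource."""
    for role in identity.roles:
        if action in POLICY.get(role, {}).get(resource, frozenset()):
            return True, "ok"
    return False, f"deny: no role of {identity.user} grants {action} on {resource}"


def device_posture_ok(device: Device, resource: str) -> Tuple[bool, str]:
    """Sensitive resources are only served to managed, encrypted, patched devices."""
    if resource not in SENSITIVE:
        return True, "ok"
    if not device.managed:
        return False, "deny: unmanaged device cannot reach sensitive data"
    if not device.disk_encrypted:
        return False, "deny: device disk is not encrypted"
    if device.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        return False, "deny: device OS patches are out of date"
    return True, "ok"


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate every request independently; deny unless every check passes."""
    for check in (
        lambda: authenticated(req.identity),
        lambda: authorized(req.identity, req.resource, req.action),
        lambda: device_posture_ok(req.device, req.resource),
    ):
        ok, reason = check()
        if not ok:
            return False, reason
    return True, f"allow: {req.identity.user} {req.action} {req.resource}"


def demo() -> List[Tuple[bool, str]]:
    """Run a constructed set of requests and return the decisions."""
    corp_laptop = Device(managed=True, disk_encrypted=True, os_patch_age_days=7)
    home_pc = Device(managed=False, disk_encrypted=False, os_patch_age_days=200)
    alice = Identity("alice", frozenset({"sales"}), mfa_verified=True, session_age_s=600)
    stale_alice = Identity("alice", frozenset({"sales"}), mfa_verified=True, session_age_s=9 * 3600)
    no_mfa_alice = Identity("alice", frozenset({"sales"}), mfa_verified=False, session_age_s=600)
    bob = Identity("bob", frozenset({"support"}), mfa_verified=True, session_age_s=600)
    requests = [
        Request(alice, corp_laptop, "crm/customers", "read"),     # allow
        Request(alice, corp_laptop, "crm/customers", "write"),    # deny: sales is read-only
        Request(alice, home_pc, "crm/customers", "read"),         # deny: unmanaged device
        Request(stale_alice, corp_laptop, "crm/customers", "read"),  # deny: re-authenticate
        Request(no_mfa_alice, corp_laptop, "crm/customers", "read"), # deny: no MFA
        Request(bob, corp_laptop, "crm/customers", "read"),       # deny: support has no CRM grant
        Request(bob, home_pc, "helpdesk/tickets", "write"),       # allow: not a sensitive resource
    ]
    return [decide(r) for r in requests]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The order of checks matters in practice: identity is verified before the policy lookup so that an unauthenticated caller learns nothing about which resources exist, and the device posture gate applies only to the sensitive tier, which is how a small business can let an unmanaged home PC reach a low-risk ticketing system while keeping customer records on company-managed hardware.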
4. Make sure your firmware is up-to-date.
When was the last time you updated your router's firmware? The biggest vulnerability in your organization may end up being an employee whose home router is running outdated firmware with known, unpatched flaws. A report from the Fraunhofer Institute for Communication found that 90 percent of routers were made by manufacturers that failed to update the firmware with the latest patches and fixes.
Hackers in the past have taken over home routers to steal passwords or launch DDoS attacks on corporate websites. Manufacturers rarely push updates to home routers automatically, and some models stop receiving updates entirely, so the owner has to log in to the router's admin page, check for a newer firmware version, and install it; a router that no longer receives any updates should be replaced. While they are there, employees should also change the default administrator password and turn off remote (internet-facing) administration, two settings attackers routinely exploit on home routers. Asking employees to take some time to do this could go a long way toward preventing future problems, the experts said.