As the pandemic recedes in the summer of 2021, millions of workers wonder if they’ll transition back to in-person offices or if they’ll remain at home. According to a March 2021 survey from RingCentral, three out of 5 companies with employees previously working mostly or completely in offices, offer remote work. And 67 percent of respondents said they do not foresee traditional five-day-a-week in-office schedules returning after the pandemic.
For small businesses operating on tight budgets, it’s difficult to justify office space. Full remote work or hybrid work situations bring with them a host of cybersecurity issues that small firms will need to conquer if they want to survive and thrive through 2021 and beyond. Here are three of the top considerations:
1. Phishing to Thumb Drives: Training on What Not to Do
Small businesses must manage the cybersecurity risks that come with remote workers, but they need to do this with empathy and understanding. Settling into remote work is a significant transition for staff used to an office. It’s a blending of personal and professional lives that requires an adjustment period. On the cybersecurity front, small businesses must offer security-related training. Employees are eager to participate in this type of training when they understand their actions can protect (or endanger) their job and the future of the company. Providing staff with context about the threats as well as support tools reinforces team unity, instead of a combative “IT versus everyone” mentality.
Employee training should include multiple aspects including:
- Guidance on BYOD policies, and any restrictions workers might have in accessing company data. Do they need to use corporate VPNs and company-provided laptops, or can they use their own devices?
- Best practices for hybrid work environments, to ensure employees follow the same processes and rules when they’re in the office and at home.
- Tips to prevent phishing schemes and other tactics such as “smishing” that come via text messaging. Companies can offer visual examples of phishing emails and smishing texts within the training, so staff understand the hallmark signs of a scam.
- Information about essential cybersecurity practices, such as not using thumb drives, avoiding unsecured Wi-Fi, and logging off company networks when work is completed.
- Adopting widespread usage of two-factor authentication within a “zero trust” architecture, which is an approach that does not assume user connections are valid based on their physical location or network location.
2. Staying out of the Shadows
While a survey from KPMG found 91 percent of remote workers said their employers provided them with tech tools, these tools are not always accessible or useful for the workers’ roles. Remote workers and those enjoying more casual hybrid dynamics are much more apt to use unapproved tools and platforms to get their work done. This dynamic creates “shadow IT” where employees go outside of IT’s governance policies. This might pose significant challenges for small firms who might not have a formal IT department, or who have a single person that doesn’t have a cybersecurity background. IT needs insight into what tools the staff are using so they can ensure that patches and security updates are followed, and so they can stay in compliance with user license agreements.
With shadow IT, the employee is not looking to infiltrate or defraud the company, they use familiar tools to help them work more productively. An example is usage of WhatsApp for communicating with colleagues instead of the company’s approved messaging and workflow platform. Or the worker might use a personal Dropbox account to store work files instead of pulling them from the firm’s approved cloud storage provider. There are no technical barriers to these actions since these cloud-based tools are designed for the non-technical audience. However, they pose significant risks when used to discuss proprietary company business and offer avenues for hackers when data flows between unsecured platforms and a company’s network.
3. Monitoring’s Benefits and Potential Risks
Small businesses allowing remote working after the pandemic will need deeper visibility into their employee’s activities. For many firms, remote work arrangements involve a mutual understanding that if the required work is done, then the employees’ have a measure of flexibility. They can work out of a Vegas hotel for a few days or take a three-hour lunch if they’ll clear off the rest of their work in the evening. This level of understanding doesn’t always develop, so some firms are considering employee monitoring and tracking tools to manage productivity and hours. This can be as simple as virtual “time clock” to live camera feeds and keyloggers. Monitoring is a tricky subject and can alter the owner/employee relationship. Here are a few tips for proceeding in a way that protects the company while also respects the employees:
- Share monitoring protocols transparently, including the need for monitoring, the scope, and how any collected information might be used. Give employees an opportunity to provide feedback and ask questions about the monitoring.
- Use automated tools to detect undesirable employee behaviors, including inappropriate web searches, attempting to access restricted company data, or noting extended periods of non-activity. Monitoring can spot risky behaviors as they happen and give managers time to shut them down before they turn into cybersecurity nightmares.
- Consider the privacy implications that come with video monitoring or taking frequent screenshots of employee computers. Screenshots might capture personal information such as the worker’s banking login information or medical-related data. Balance the need for monitoring and productivity with the rights to privacy and the downsides of any employee backlash.
Small business owners and managers without cybersecurity budgets should consider the implications of a breach. They might lose proprietary data and intellectual property. They could expose customer’s to fraud and hacking. And there’s the branding hit that comes with a data breach. Owners should consider if their business could survive a cybersecurity intrusion, and if the answer’s “no”, then they need to take immediate steps in the remainder of 2021 and beyond.