Cybersecurity Risks from Remote Workers?

Cybersecurity should concern every business. Remote Work-enabled or not. Large, small, or in-between. Protecting the data your company generates, as well as the data customers give you about themselves, is nothing less than a primary responsibility.

Just one data breach can torpedo your entire business. DON’T let it happen!

But…what about people working remotely? Do they constitute a cybersecurity risk?

It seems like they might, doesn’t it? You have a nice secure company network over on one side. Firewalls and filters in place. Spam’s all filtered out. Nobody’s hacking in. Over on the other side though, you have Jim. Jim telecommutes. He has a company laptop, but he’s at home. Two cities over.

Well, that must mean he’s at risk for a cyberattack, right? Easy pickings for malware or something equally nasty.

Not so fast. In fact, if you use cybersecurity protections right, Jim is just as safe—if not safer—than anybody in the office.

The Major Concern: Data Transmission

The biggest concern in any and every cybersecurity strategy is data transmission. What’s that, you might ask?

Data transmission is the act of sending data from one device to another. We do this every day through Wi-Fi, network cabling, 4G/5G, etc. No business can function without it now.

Let me show you how ubiquitous – and risky – data transmission is, with a basic example.

(For this article, I use the term ‘device’ to refer to any type of computer. A laptop, phone, file server, Web server, and so on…they’re all ‘devices’ when it comes to cybersecurity.)

  1. At work, you create some data on one device. Say, an Excel spreadsheet on your laptop while telecommuting from home.
  2. You want to send the spreadsheet to your co-worker Sue. So you attach it to an email and send it on over.
  3. Your email client sends the email, with spreadsheet attachment, over to your company’s email server. This is a device that’s either in the cloud or within your company’s network. The route it takes depends on where the email server’s located.
  4. The server collects the email, looks at its address, and sees it should go to Sue. So it tosses the email over to Sue’s email client.
  5. Sue receives your email. Yay!

All this takes a few seconds. At most. Quick, automatic, and simple. But is it SECURE?

Only if every step of that example has security present. Your laptop, Sue’s laptop, the email server, and the networking routes between all of them.

Why? Because this is one of the most vulnerable places data can be!

  • The transmission media (cable, Wi-Fi) must employ encryption and secure transport.
  • The sending device must have malware protection.
  • The receiving device must use filters and identity protection to verify the data.

Within the confines of a business office, you can implement all of these. For every device, including servers. You control all of those devices though. You know where they are.

When you add a remote device into the mix, people ask questions. How can you secure the transmission if you don’t have control of one element—the Internet connection used to send/receive data?

This is the argument some companies use to forbid anyone telecommuting. “We can’t justify the risk to cybersecurity!”

However…the argument isn’t valid. It’s not hard to secure remote workstations at all!

Before I explain how, let me clarify why companies worry about cybersecurity in the first place.

What’s at Stake with Cyberattacks

If you’re concerned about cyberattacks…you are right to be. They keep happening, and they WILL keep happening. Cyberattacks are big money now, from blackmail to selling stolen data.

Each and every business possesses data that cybercriminals/hackers/bad actors want. Even if you’re still new.

What I find is that many businesses aren’t aware of all the data they do have. If you ask most workers what data they have that a hacker would want, they’ll say, “Customers’ credit cards.” That’s true, but it’s by no means the only valuable data item.

The list of data cybercriminals go after is much longer. I’ve seen every one of these targeted in cyberattacks, from the individual to the mega-corporation:

  • Intellectual Property (information exclusive to a company’s products, R&D, processes, etc.)
  • Customer banking data (credit card numbers, names, phone numbers)
  • Social Security Numbers (for customers and employees)
  • Employee information
  • Proprietary code
  • Marketing content
  • Internal documentation
  • Strategy documents
  • Emails
Remote Work Isn't a Cyberattack Risk

Nice data you have there…
Photo by JC Gellidon on Unsplash.

 

The Risk: High, if Your Data’s Visible

Now that we’re aware of what cybercriminals want, how do we know if they’ll come snooping around your business?

Working in the IT field as long as I have, I can say with confidence: They already are. Always assume that your business is a target. Large or small, new or old. Assume they’re trying to break in—because they are.

That said, some businesses are higher-risk than others. If your business has any of the following characteristics, consider it “at high risk” for cyberattack:

  1. High-profile brand name
  2. Your actions receive a lot of attention in your industry
  3. You have a sizable customer base
  4. You maintain an online service
  5. Your upper management does not prioritize cybersecurity

The Weak Points

Let’s assume you’re at risk right now. You want to protect against cyberattacks. What do you do first?

First, you identify any weak points in your company’s IT infrastructure. That does not necessarily mean “all the remote workers” either. In fact, they’re a lower risk than some of the other weak points I’m about to discuss.

I’m ranking these weak points in order, from highest-risk to lowest-risk.

#1 – Untrained workers who don’t know about phishing/malware-infected emails. In the office or remote, this stands as the #1 weakness by far. One unaware employee can defeat all of your cybersecurity by clicking one single link. As such, TRAIN those workers on what not to click!

#2 – No active cybersecurity protections. “We bought new servers, so we’re protected right?” Sigh. No. Get some actual protections in place. Talk to your IT department (if they haven’t already screamed at you for this).

#3 – Unsecured servers. See above.

#4 – Lack of current backups. I cannot stress this one enough, for a general good-business-sense context. Keep a full set of current @#&%ing backups for all devices (including servers)!

#5 – No encryption in use. Encrypting data makes it much harder for cyber-attacks to “succeed.” Even if they get data from you, they can’t make use of it.

#6 – Overseas contractors. You might think you’re saving money by contracting workers overseas. Guess what…you’re also increasing your chances of data theft. Remember what I said about securing data transmission? Sending data halfway across the world pretty much guarantees a security hole along the way.

#7 – Remote devices with no secure transmission medium. A telecommuting employee sending you a spreadsheet from coffee shop Wi-Fi. Not good, but not nearly as bad as an unsecured server. Easy to solve too. Let’s go into how.

How to Protect all Data – Even on Remote Workstations

Now we see that Remote Work isn’t the “weakest link” when it comes to cybersecurity. Instead, install protections for the business as a whole, and you’re in a better position.

What kinds of protections? This list will guide you. Consult an IT professional on the details of each. Most company IT infrastructure will accept these with few issues.

VPN for Telecommuting

Photo by Petter Lagson on Unsplash.

 

  1. Use encryption on your servers (cloud and on-premise). You can do the same for all devices, but test this first. Sometimes encrypted devices snarl up office productivity.
  2. Employ a VPN for all workers. You can run one on-site, or use a VPN service (NordVPN and OpenVPN are two good examples). They’re not infallible, but it’s good protection for data transmissions.
  3. Prohibit Remote Workers from using unsecure Wi-Fi (coffee shops, airports, hotels). If they travel frequently, you can provide a wireless hotspot for use when out-and-about.
  4. Mandate a good password policy. We may move past using passwords in the near future—but for now, require strong passwords for all workers. (Hint: Use spaces and random words.)
  5. Offer cybersecurity training for everyone. As I said above, the weakest point in ANY network is each of its users, no matter where they are. The good news is, a little training cuts that risk to almost zero. Plan for a one-day training session annually and you’re golden.

Don’t worry about Remote Worker cybersecurity. Worry about overall cybersecurity.

Cybersecurity is one of the rarer objections I hear to remote work, but it has come up. This article demonstrates that, like most objections, it doesn’t stand up to scrutiny.

You should very much worry about your entire company’s cybersecurity! However, once you’ve implemented solid protections and trained employees (including the remote ones), relax. Remote Workers aren’t a security hole anymore. They’re just like you—part of the team.

What’s your experience with cybersecurity in the past 2 years?