Cybersecurity is critical, especially in an age where everyone works from home. But you also can't sacrifice ease of use. Here's how to strike a balance between the two.
It's been nearly a year since the business world first felt the impact of COVID-19. Or maybe it's been over a year. At this point, it's difficult to tell — time has gotten a bit blurry.
Either way, we've existed in a world where distributed work is non-negotiable for quite some time. Yet somehow, there are still businesses that struggle to support it. In our experience, they tend to fall into three camps.
- Companies that still don't have the necessary infrastructure to support remote work.
- Companies with security processes and protocols that outright impede anyone who's telecommuting.
- Companies that don't bother with security, and simply let workers do as they will.
We're going to discuss the last two, circling back to one of the oldest problems in the business world — the delicate balance of security and convenience. On the one hand, you want your employees to be able to work as effectively and efficiently as possible. On the other, when distributed work enters the equation, it brings with it a host of new barriers and threats.
Per Security Boulevard, the security risks of remote work include:
- Unsecured home networks. Unless your workforce is in a highly technical field, the average employee is likely connecting to corporate servers through a home network. They likely don't have any network monitoring solutions in place and may have multiple Internet of Things devices on the same network as their PC, which itself may not even have a proper antivirus.
- A distributed threat surface. It's easy to protect an isolated network from outside threats. Not so much when everyone is working from home. Remote workers are constantly exposed to threats ranging from fileless attacks to sophisticated phishing scams.
- An inability to revert and restore. If an employee's home system is compromised or rendered inoperable, there's very little your IT department can do. They have access to none of the typical remediation resources.
- Insufficient security. Consumer antivirus software and firewalls cannot be trusted to protect corporate resources. Yet even the largest enterprise organizations often lack the resources to secure every single remote endpoint.
- Unaddressed vulnerabilities. Corporate devices are likely hardened, with typical vulnerabilities removed. Not so with personal devices. You cannot apply standardized settings to these devices, nor can you harden them effectively.
Some businesses have addressed this through draconian remote access policies. Others have demanded that anyone working from home must do so on a company device. More have simply thrown their hands up and concluded that there was nothing they could do.
None of these solutions work. If your security measures make it impossible or frustrating to work from home, one of two things will happen. Either productivity falls through the floor, or your employees find unapproved third-party workarounds.
This problem and its solution both fall squarely on the shoulders of leadership. It is not the fault of the employees, who are just trying to do their jobs. It is not the fault of the IT department, which is likely underfunded and overworked.
It starts at the top, with getting executive buy-in for the necessary tools and processes. These include:
- A password manager and multifactor authentication. With a password manager, employees can have unique passwords and credentials for each tool or program they need to use. And with multifactor authentication, it's far more difficult for an unauthorized user to gain access to critical assets and systems.
- Cloud applications. Perhaps the best way to ensure corporate files are not compromised by insecure devices is to ensure those files are never on an employee device. Software-as-a-Service (SaaS) applications targeting the enterprise sector have experienced a renaissance during COVID for a reason.
- Educating EVERYONE. While it is common practice to require that employees be knowledgeable about best practices, leadership is frequently overlooked. There is genuinely no excuse for this. Someone in the C-Suite is just as likely to fall prey to a phishing scam as an ordinary employee, perhaps more so.
- Limited access. Each employee should exclusively have access to the data and tools they need to do their job, no more and no less. If you want to see what can happen without any sort of access control, look back at the Panama Papers breach.
- Focus on functionality. To be frank, it doesn't matter how critical an application is to your business operations — if people can't figure out how it works, it's functionally useless. You need to make sure that you use intuitive software wherever possible, and that you provide everyone with the necessary training to use that software.
The balance between security and convenience is a delicate one, and striking it is only made more challenging by distributed work. But it's something your business needs to achieve. Otherwise, you'll not only fail to realize the true potential of remote work, but your business will likely suffer from leveraging it.