Remote work, in some form or another, is clearly here to stay. But it’s not enough for businesses – particularly small businesses – to simply extend pandemic-era remote work accommodations indefinitely. And there’s a very good reason for that.
According to cybersecurity firm Malwarebytes, a full 19.8% of businesses suffered a data breach after switching to remote work arrangements. And the reason for that is clear. Rapidly deployed remote work infrastructure is often rife with security vulnerabilities. The lack of a cogent data-access policy and inadequate employee training are also contributing factors.
Therefore, to prevent a data breach, small businesses must revisit their remote work policies and IT infrastructure. And they must do this with an eye toward data security for remote workers.
Fortunately, it’s not very difficult to do.
To help, here’s an overview of the issue and an action plan to help small businesses support remote workers without sacrificing data security.
Data security in a remote work context
For the better part of 30 years, small businesses have safeguarded their digital assets using a walled-garden approach. They relied on the centralization of digital assets inside an office network. They also used firewalls to keep outsiders from accessing the network.
But lately, businesses have been starting to use managed service providers, cloud services, and SaaS platforms. This was fine so long as employees were always going to be accessing company data from within an office environment. It meant that businesses could retain as much or as little of their on-premises infrastructure as they wanted. And they didn’t have to worry much about managing access.
The trouble is that the traditional access controls that work in an office environment don’t translate well to supporting remote workers.
This is because the only way to provide remote access to a business network is to open up holes in its firewall (typically via a VPN). And then, the devices accessing the network are outside of the confines of the firewall’s layer of protection – and away from significant oversight by IT staff.
And that’s when the risk of a data breach grows exponentially. But there’s a way to minimize those risks. Here’s an action plan to manage data security for remote workers.
Step 1 – Create a comprehensive remote work policy
The first thing that small businesses have to do when developing a long-term remote work strategy is to create a comprehensive remote work policy. The idea is to spell out in no uncertain terms what’s expected of every employee while they’re working remotely. This should include details about acceptable work schedules and communications standards.
But it should also include a complete explanation of the cybersecurity requirements that come with remote work privileges. This means spelling out who may have remote access to what systems and data. And, it should also set minimum standards for employee-owned devices and provide a mechanism for auditing them.
When it comes to cybersecurity details in a remote work policy, no amount of specificity is too great. A great place to start is by looking at this remote work policy template and adapting it to fit. Then, add in any other policy items that pertain to the business. These can be any applicable regulatory requirements or industry-specific data handling rules.
It’s also a good idea to spell out remedies for noncompliance. Employees must know that their responsibility for data security is more than just a request – it’s a requirement. Be sure to tell them the consequences if they fail to meet their responsibilities. As long as the remedies are fair and in keeping with the seriousness of the potential violations, employees will most likely get the message loud and clear.
Step 2 – Design an onboarding program for remote workers
A remote work policy will go a long way toward improving data security for remote workers. But, only if every remote worker follows it to the letter. And the only way to make that happen is through adequate training. In other words, employees will only follow the rules if they’re aware of them and understand how to apply them.
In a remote work context, the best way to accomplish this is through a comprehensive remote employee onboarding process. Using the now-complete remote work policy as a guide, create a training course that teaches employees what they need to know to comply with the policy. Completion of the policy awareness course should become a part of the onboarding process.
But that’s not all. You can also give employees access to a general cybersecurity training course as a part of their onboarding process. This can be developed in-house or be left to a third-party provider. Cybersecurity firms like ESET and Webroot offer such training courses as a service. Plus, the National Institute of Standards and Technology maintains a list of free and low-cost resources businesses can use for the purpose.
Step 3 – Create a secure remote access infrastructure
The first two steps of the action plan help to make sure there’s less chance of a misunderstanding or human error leading to a data breach among remote workers. But the human element isn’t the only aspect of data security. It’s also necessary to build an infrastructure designed to maintain data security for remote workers.
Data security is even more difficult for a small business with digital assets located both on-site and in the cloud. Cloud-based assets, for example, may have their own security measures in place that already do a decent job of protecting business data. And on-site assets (like file servers, email servers, and company databases) may have never previously been configured to support remote workers.
This means many businesses have to find ways to create a comprehensive security and access solution that covers multiple, unrelated systems. Businesses dealing with especially complex technology needs shouldn’t do this alone. It’s a much better idea to hire an IT consultant to review the business’s existing technology and make recommendations.
For example, it may be more cost-effective to migrate existing on-site systems to cloud services and decommission the existing setup. Another option is to centralize the software and data on a terminal server built to accommodate remote connections. There are multiple ways to approach the problem.
In every case, though, it’s a good idea to link all company IT systems together using a single-sign-on (SSO) solution. This provides a single point of control for the business to set access rights for multiple systems. It also provides a single place to monitor employee login activity. Moreover, it minimizes the attack surface available to hackers seeking to find a way into protected systems.
Step 4 – Configure and distribute hardware security keys
Although SSO solutions centralize the access control of multiple protected systems and make them easier to manage, they don’t offer perfect security. They minimize the attack surface hackers can target, but that may just end up concentrating attacks on that one system. And an SSO breach can be devastating. With just one compromised password, an attacker can gain access to everything the business is trying to protect.
But that’s not a reason to avoid using an SSO solution. It’s a reason to eliminate passwords as a weak point to be exploited by attackers. And it’s quite a weak point. According to a report, a full 81% of successful data breaches that year involved a compromised password.
The good news is that there’s a solution to the problem: hardware security keys. These are physical devices that contain complex, encrypted passwords to access digital systems. By giving them to employees and making them the default two-factor authentication method with an SSO solution, the odds of a data breach go down dramatically.
They’re so effective because they eliminate the possibility of an employee falling victim to a social engineering attack. This is when an attacker tries to trick an employee into divulging their credentials using a misleading email or phone call.
With a hardware security key, the attacker would have to somehow gain access to the device itself. Plus, they must also know what it’s used for (the keys contain no platform-identifying features). This also means the keys don’t pose much of a security risk if lost. In that situation, the business can deactivate the key and issue a new one – problem solved.
Step 5 – Choose and deploy an endpoint security solution
For a remote workforce, one of the biggest data security challenges is enforcing security standards on personal devices. In an office environment, a key tenet of security is standardization. That way, the business can be reasonably sure that its devices are up-to-date and secure.
On employee devices, however, there’s no such guarantee. The only way a business can have that type of control is by providing employees with all of the technology and hardware they need to work remotely – and that can get costly. It’s just something that’s not going to fit within the average small business’s operating budget.
The solution is to choose and deploy an endpoint security solution that can enforce the required security standards on the devices employees choose to use. Most such solutions provide a security dashboard that will let a business track things like missing security patches, recently installed software, and known risks the managed devices might be subject to.
This will give the business enough visibility to address any potential security vulnerabilities with remote workers before they become a liability. Plus, most endpoint security solutions also come with full-featured malware protection and antivirus functionality. So they also help to make sure software-based threats don’t make their way from employee-owned devices into business-critical systems.
Step 6 – Insist on the use of a VPN by remote employees at all times
Even though the majority of data breaches occur when a hacker finds a way inside protected business systems, that’s not the only risk businesses face. They also have to protect their data while it’s in transit between those protected systems and the employees working with it.
In an office environment, that’s easy to accomplish. Because most office networks rely on wired connections, an attacker would need physical access to a facility to find a way into a protected system. And even when WiFi is part of the equation, the business can see to it that it makes use of high-end encryption so only authorized users can connect.
But when remote workers are involved, none of that is the case. There’s no telling, for example, if an employee’s home network is up to the challenge of keeping hackers at bay. There’s not even any reliable way to know if they’re even using a home network – it’s quite common for remote workers to use public WiFi hotspots to get things done while on the go.
Of course, the remote worker’s responsibility to use only secure networks and office devices for work should be included in the business’s remote work policy. But the average employee isn’t an IT expert. They may have good intentions and still end up putting company data at risk.
The best solution is to take the decision out of the employees’ hands altogether. Instead, it’s a better idea to insist on the use of a virtual private network (VPN) solution at all times while employees work with company data and assets. It’s an extra security step that ensures that all company data remains encrypted at all times while traversing the internet.
There are three major ways businesses can go about this:
Using a Commercial VPN Service – Today, multiple commercial VPN providers offer low-cost VPN services built to serve the needs of businesses. The key advantage with them is that they come with their own tech support and are kept in good working order at all times by the provider.
But, from a security perspective, they can introduce some additional risks. To begin with, commercial VPN providers don’t provide much in the way of insight into how they’re operating. This means businesses have to rely on service contracts and the provider’s promises to keep their data safe. And that is by no means a guarantee.
Major commercial VPN providers suffer from data breaches, too. So using one simultaneously takes control of a business’s data security out of its hands, and can blind it to ongoing security incidents until it’s too late.
Using a Cloud VPN Service – For businesses that already make use of cloud-based software, platforms, and services, a cloud VPN service makes a natural fit. Major cloud providers like Amazon and Google offer them as an add-on option, and they’re considered highly secure.
Cloud VPNs are an excellent option for any business that’s already moved all of its data and infrastructure into the cloud. But they’re also a good fit for businesses that use a mixture of cloud-based platforms and on-premises infrastructure. They make it possible to stitch the two into a single business network using end-to-end encryption.
Then, remote workers can use client software to initiate VPN connections to that hybrid business network. That creates a situation where no business data ever travels over an open connection without encryption. And management of the whole setup remains under the business’s control at all times.
A Self-hosted VPN Solution – Not every small business has a complex computing infrastructure. For some, remote access for employees need not be any more complicated than giving them access to their work PC (and the office network) from outside the office. And the simplest way to make that happen is with a self-hosted VPN solution.
The good news is that most major small business firewalls already come with a VPN solution built-in. This means many small businesses could already have everything they need to get started. But if not, there are some low-cost open-source solutions that fit any budget. Some are even completely free.
The most well-known of these is provided by open-source standout OpenVPN. Their solution is what powers many (if not most) of the available commercial VPN services on the market today. And, aside from purchasing (or repurposing) a server to run it on, it doesn’t cost very much. It even supports up to two simultaneous users for free.
Aside from the added layer of encryption, there’s another reason that using a VPN is a benefit to data security for remote workers. And it’s that it gives businesses complete control over who can even connect to their protected systems in the first place. By restricting connections that come in from anywhere but a trusted VPN endpoint, it’s possible to make protected systems near-impossible to attack from the public internet.
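One way to check that the restriction described above is actually holding, shown as an added example that is not part of the original article: audit login records from the SSO or firewall and flag every attempt whose source address is outside the VPN client pools. The log format, address pools, and all names below are assumptions constructed for illustration.

```python
import ipaddress

# Assumed VPN client address pools (constructed values; use your own).
VPN_POOLS = [ipaddress.ip_network(n) for n in ("10.8.0.0/24", "fd00:8::/64")]

# Constructed sample in an assumed "timestamp user source_ip result" format.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z alice 10.8.0.14 success
2024-03-04T08:03:40Z bob 203.0.113.57 success
2024-03-04T08:05:02Z carol fd00:8::1a success
2024-03-04T08:07:19Z bob 203.0.113.57 failure
2024-03-04T08:09:55Z dave 198.51.100.9 failure
# rotated
malformed line here
2024-03-04T08:11:30Z erin not-an-ip success
"""

def from_vpn(ip):
    """True if the address belongs to one of the VPN client pools."""
    return any(ip in pool for pool in VPN_POOLS)

def audit(log_text):
    """Return (findings, unparsed_line_numbers) for logins outside the VPN."""
    findings, unparsed = [], []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4 or fields[3] not in ("success", "failure"):
            unparsed.append(lineno)
            continue
        ts, user, raw_ip, result = fields
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            unparsed.append(lineno)  # keep for manual review, never drop
            continue
        if from_vpn(ip):
            continue
        # A success from outside means the restriction is not enforced;
        # a failure means the login page is still reachable from the internet.
        severity = "bypass" if result == "success" else "exposed"
        findings.append((severity, ts, user, str(ip)))
    return findings, unparsed

if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG)
    for item in found:
        print(*item)
    print("unparsed lines:", bad)
```

Any "bypass" finding means a protected system accepted a login that never passed through the VPN, so the firewall or SSO source restriction needs fixing before anything else.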
Step 7 – Deploy an employee monitoring solution
With a secure remote access infrastructure in place and employees trained to use it safely, it would be tempting to assume that the chances of a data breach are now minimal. But if there’s one thing that any cybersecurity professional will tell you – it’s that the average user can find a way to put even the most secure system at risk.
That’s why small businesses that plan to support remote workers over the long term should consider the use of some type of employee monitoring solution. It’s the only way to make certain that remote workers are living up to their end of the data security bargain, and that they’re not engaging in any activities that could increase the risk of a data breach.
But it’s not necessary to spy on everything remote employees do. The web and activity tracking features of a solution like Time Doctor are more than adequate for the task. With it, businesses can be open about what they expect of their employees and honest about exactly what they’re monitoring.
Plus, it aids in the management of an all-remote workforce by helping managers keep their teams on-task and as productive as possible.
Ready for the future of remote work
Once again, it’s quite clear that remote work is going to play a role in the way businesses operate going forward. And failing to address data security from day one can turn that reality into a major bottom-line threat. Small businesses, in particular, are especially at risk.
But by revisiting their remote work policies and accommodations, small businesses can manage that risk and move forward with confidence.
As the above action plan makes clear, there’s quite a bit for them to consider along the way. But getting it right is essential. And by following the steps laid out here – that’s just what they’ll be able to do.