As the U.S. continues to battle the effects of the ongoing pandemic, more and more companies are rethinking their return-to-office initiatives. While high-profile, digitally savvy organizations like Twitter and Facebook have already announced plans to keep workers remote permanently, many smaller companies that don’t make headlines are doing the same. Even small businesses are welcoming back a mere fraction of their workforce and keeping the majority at home to meet social distancing and infection control guidelines.
Aside from the personal struggles related to at-home schooling and limited human interaction, companies must also attempt to maintain security protocols in a decentralized, remote office environment. Small businesses that often treat cyber security as a low priority in a normal working environment now have to make it a top concern in our remote working world.
Pandemic Stress Can Lead to More Small Business Cyber Security Breaches
Feeling burnt out by competing priorities, overworked by round-the-clock office access and distracted by the constant news cycle has become a way of life for many. As the lines blur between being at home, being at work and even suddenly being a teacher’s aide for school-aged children, working adults find themselves with more to do and not much more time to do it in.
These factors have been shown to make people less discerning of common hacker techniques, including phishing and social engineering. In fact, a report released by cyber security firm Tessian and a Stanford University professor sought to pinpoint why people make the mistakes that lead to cyber security breaches. The report reveals that being stressed, tired and distracted while working from home were some of the biggest contributors to employees falling prey to hacking attempts. By understanding why people fall victim to cyber attacks, small businesses can be better prepared to mitigate that risk.
Ways to Keep Cyber Security in Remote Offices Top-of-Mind
With remote office environments seemingly here to stay, security leaders need to consider how cyber security awareness and training approaches should shift in order to keep people and assets protected, no matter where they are. A few simple tactics can help remote workers feel connected to the overall cyber security goals of your organization.
Real-time Security Bulletins
As the head of cyber security at Hillard Heintze, I will occasionally share informal, brief security bulletins via email to inform people of recent attempts at breaching our firm’s cyber defenses. This is something that can be particularly effective in smaller organizations, but even larger firms can benefit from this more personal approach to cyber security awareness.
In small or mid-size companies, the CISO or CSO might send a company-wide email detailing the attempted breach and the steps people can take should they experience a similar attempt. Hackers will often target multiple individuals within an organization if they can. Real-time communication about actual incidents within the company puts employees on alert, reducing the chance that one person falls for the same attempt a colleague has already recognized and reported. It also reinforces training with contextually relevant examples.
Short, Frequent Training
Now is not the time to ask people to set aside an hour or even 30 minutes for cyber security awareness training. Short, frequent trainings can be just as effective – if not more so – than lengthy ones. Our team often recommends to clients interactive, online trainings that run 15 or 20 minutes and cover specific topics. These shorter trainings keep employees’ attention and can be equipped with quizzes to test and reinforce people’s knowledge. Consider working with your training vendor to update curriculums to acknowledge new risks brought on by the pandemic and work-from-home environments.
You can plan out an entire year of training, with requirements fulfilled every few months or each quarter, but be prepared for an impromptu need to arise should a major breach happen at another firm or within your own.
Assess Your Current Cyber Defenses
The potential for a long-term or even permanent remote workforce is becoming more real, which means that it may be time to assess how effectively your cyber defenses keep up with the needs of the workforce. Many small businesses found themselves without the proper guidelines, VPN access or security system updates to meet the needs of a suddenly at-home workforce. The 11 steps I provided in a previous blog for how small businesses can protect against sophisticated phishing and ransomware attacks still hold true.
But, with hackers exploiting the ongoing pandemic crisis, this assessment should be done as soon as possible, and any identified security gaps mended quickly. My team works with many small businesses, family offices and individual high-net-worth families to examine and analyze their cyber security protocols. We often identify opportunities for them to improve their defenses based on information security best practices with respect to areas such as network infrastructure, wireless network security, internet access and information sharing. If you don’t have the in-house resources to conduct a thorough assessment, do not hesitate to bring in an outside expert.
Home Office Networks Can Also Pose a Risk
During the pandemic, we’re doing a lot of virtual assessments, including some that evaluate the cyber security of home office networks. As your team members are working from home, their residential network becomes a potential entry point for hackers. We find that providing organizations an overview of their overall risk profile, with consideration of their remote workforce, is valuable. While as an employer you may not retain responsibility for implementing security solutions for employees’ personal networks, an assessment provides us with a view of the threat landscape and enables us to develop policies and procedures to mitigate or minimize the remote threats.
Cyber Security Gets Personal
Hackers have gotten personal in their attempts to use social engineering to trick people into taking an action that puts information at risk – information they can then hold for ransom, milking companies out of thousands or millions of dollars. This can include hackers’ attempts to target someone’s character or reputation; for example, hackers use ‘sexploitation’ (i.e., pretending to have access to compromising or private photos and web histories) to scare users into submitting to their scams.
However, even instances that may seem embarrassing to a user should not be off limits for external review, including by the CSO or family office manager. By communicating often and championing transparency, cyber security leaders can ensure that users feel safe coming forward with any type of potential hack. Regular training that speaks to real-life incidents can further demonstrate how even a very personal attack can have profound business implications if left unaddressed or if the user tries to solve the problem on their own.