Crafting a Cyber-Safe Remote Work Environment for SMEs

Introduction

In the past few years, remote work has gone from an occasional privilege to a mainstay of the modern IT environment. However, while this shift offers numerous benefits, such as flexibility and reduced overhead costs, it also brings with it a new set of challenges – and paramount among these is the issue of cybersecurity. It’s hard to overstate the importance of cybersecurity in a remote work setting. Cyber threats aren’t simply this year’s trend; they’re an ongoing business risk that can lead to significant financial loss, reputational damage, and in severe cases, threaten the survival of the business. For small and medium-sized enterprises (SMEs), the stakes are particularly high. If not managed correctly, vulnerabilities in distributed or remote working environments can result in larger and deeper breaches, in turn amplifying the impact and cost of cyber incidents.

Understanding the Cybersecurity Challenges of Remote Work

The transition to remote work has opened up a Pandora’s box of cybersecurity challenges for Australian SMEs. These challenges are multifaceted, and their solutions are often more complex than those implemented in traditional office environments. The first step in developing a robust cybersecurity strategy for remote work is to understand this unique set of risks.

Risks Inherent to Remote Work

Use of Personal Devices: Most experts agree that the most significant risk of remote work is employees using their own devices for work, including personal laptops and mobile phones. Personal devices rarely have the same level of security as company-issued hardware and can be a weak link in the cybersecurity chain. For example, they’re more likely to be infected with malware or lack the latest security updates, posing a significant risk to any company data they can access.

Unsecured Networks: In a similar vein, remote work typically sees employees accessing company resources over personal, unsecured or public Wi-Fi networks. These networks tend to lack the security measures that are standard in office environments, making them vulnerable to cyber attacks such as man-in-the-middle attacks. Often, these networks will transmit sensitive data, such as passwords or client information, without encryption – unless additional controls are put in place.

Unapproved Software: As remote workers adapt to their new working practices, they often try a variety of tools and software to help them to work effectively. Despite employees’ best intentions, this can easily result in unauthorised or insecure systems being used to store or transmit sensitive information. A common example is employees using personal cloud storage to share files with colleagues. Once these files are placed on personal cloud storage, the organisation loses control over them – meaning they may be unsecured and open to the public, or the employee could retain them when moving to a competitor.

Phishing Attacks: Remote work comes with an increased reliance on digital communication, making employees more susceptible to phishing attacks. Often, these attacks come in the form of seemingly legitimate emails or messages that try to trick employees into revealing sensitive information or downloading malicious software.

Lack of Physical Security: In an office, physical security measures help protect sensitive information. Locked doors and drawers prevent data and devices falling into the wrong hands. However, at an employee’s home or local café, these physical controls are unlikely to be in place. This can lead to sensitive documents being viewed by unauthorised people; however, an even bigger risk is the theft or loss of devices containing company data.

Isolation and Reporting: One of the downsides of remote work is increased isolation and reduced relationships with other internal teams. From a cybersecurity perspective this can manifest as a lack of knowledge of how to report cybersecurity incidents, or in the case of personal devices and networks, a hesitancy to report issues due to a fear of reprimand.

In their most recent cyber threat report, the Australian Signals Directorate (ASD) noted that they had “recorded extensive corporate network breaches that stemmed from employees conducting work from compromised personal devices.” [1] The ASD also referenced a case study in which LastPass, a US-based cybersecurity company, suffered a devastating breach; a remote worker had a password stolen by malware that was installed on their personal computer, eventually putting 30 million users at risk and leading to millions of dollars in stolen cryptocurrency. These examples underscore the reality that cyber threats are not abstract or distant concerns; they’re real and present dangers that can have devastating consequences for businesses. As more and more businesses support remote work, the likelihood of similar incidents only increases. This means SMEs must take proactive steps to bolster their cybersecurity defences.

Fundamentals of Cybersecurity for Remote Work

Virtual Private Networks (VPNs): A VPN creates a secure, encrypted tunnel for data transmission between a remote user and the company network. Such encryption is vital for protecting sensitive data, especially when employees are accessing the network from various, potentially unsecured locations.

Antivirus Software: Antivirus software helps to detect, quarantine, and remove malicious software from devices. It’s a fundamental tool for protecting against unauthorised access to devices and the data they store.

Encryption: Encryption is the process of encoding data so that only authorized parties can access it. For remote work, encryption should be applied not just in data transmission (as with VPNs) but also in data at rest, such as through Windows’ inbuilt BitLocker or similar disk encryption technology. This ensures that if a device is lost or stolen the data it contains can’t be accessed.

24x7 Detect and Response: Another unfortunate downside of remote work, or any setup which has users taking corporate devices home, is that these devices are often used outside of normal operating hours. Whether a device is being used for work or personal purposes, it’s at risk of being compromised, and if this happens, it’s more likely to be outside of normal IT support coverage times. To manage this risk, many SMEs have implemented services for detecting and responding to cyber threats around the clock.

Patch and Update Governance: As devices become distributed to support remote work, ensuring they have the latest patches and updates can become more difficult. With employees working remotely, there’s an increased risk that patches and updates are deferred or fail due to the limited bandwidth and stability of personal networks. Organisations that support remote work need to consider the governance they have around updates, and the reporting that identifies devices which haven’t been updated. This way, IT and security teams can identify gaps in cybersecurity defences and proactively close them by working with users.

Employee Access Management: Managing who has access to what information is a critical component of cybersecurity. This involves:

• User Account Management: Regularly review user accounts, especially when employees leave the company or change roles, to ensure that access rights are up to date.

• Least Privilege Principle: Employees should only have access to the information necessary to perform their job. This minimizes the risk of an insider threat and limits the potential damage from compromised accounts.

Ensuring only the right accounts are active reduces the risk of a cybersecurity incident; making sure each user only has access to the information they need to fulfil their role reduces the impact of any incident that occurs.

Corporate Password Management: Employees working remotely can sometimes develop bad habits that they might not in the office. The key risk here is employees writing passwords down, and – to the dismay of managers – leaving the passwords with their device. If the device is lost or stolen, either from their home or a bag stolen during transit, no amount of encryption will prevent data loss if the passwords are available to the attacker. To help prevent this bad practice, organisations can provide access to a corporate password manager to help employees store their passwords securely.

Multifactor Authentication (MFA): A cornerstone of all good cybersecurity, multifactor authentication is even more important when employees are working remotely. Remote work will almost always require systems to be online, which opens them up to attacks from any of the five billion people connected to the internet. MFA enhances the security of any authentication mechanism, including passwords, and helps prevent unauthorised access if passwords are reused, leaked or phished.

Regular and Secure Backups: As well as the risk of devices being lost or stolen, remote workers have an increased risk of damaging devices. While this isn’t strictly a cybersecurity practice, having regular backups in place can prevent disruption when these events occur, and securing these backups ensures the data remains confidential in the event of an incident.

Cybersecurity Training and Awareness: The biggest vulnerability in most security systems isn’t the technology; it’s the humans. The risk of human error is increased for remote workers, so training all employees in cybersecurity best practices is crucial. This training should cover common areas such as phishing, safe internet practices and good password hygiene, as well as company-specific information like policy guidelines and cyber incident reporting procedures.

Regular cybersecurity training ensures that employees are not just aware of the risks but also understand how to mitigate them. This training should be an ongoing process, reflecting the evolving nature of cyber threats.

Establishing and Developing a Secure Remote Work Policy

For any Australian SME that implements remote work, a clearly defined remote work policy is an essential part of effective cybersecurity. This policy ensures consistency, clarity, and accountability in cybersecurity measures by outlining both the employer’s and the employees’ responsibilities in maintaining a secure remote work environment.

Scope and Applicability: Succinctly describe who the policy applies to, in what circumstances, and the scope of its application. This includes delineating between different roles and departments, as well as specifying scenarios such as full-time remote work, hybrid models, or temporary remote arrangements.

Security Protocols for Devices: Establish guidelines for the use of both company-issued and personal devices. These should include requirements for antivirus software, firewalls, secure boot settings, and encryption. For personal devices, consider implementing a bring-your-own-device (BYOD) policy that outlines the security measures employees must adhere to. The aim of this section is to ensure all devices which access corporate data meet minimum security standards set by management.
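The minimum device standard described here, together with the patch reporting discussed under Patch and Update Governance, can be checked automatically against a device inventory. The following is an added example, not part of the original article; the field names, the 30-day patch window and the sample inventory are assumptions made for illustration.

```python
from datetime import date

# Baseline built from the controls the article lists. Field names and the
# 30-day patch window are assumptions for this example.
REQUIRED_CONTROLS = ("disk_encrypted", "antivirus_running",
                     "firewall_enabled", "secure_boot")
MAX_PATCH_AGE_DAYS = 30

def assess_device(device, today):
    """Return the reasons a device fails the baseline (empty list = compliant)."""
    findings = []
    for control in REQUIRED_CONTROLS:
        # Fail closed: a missing or unknown value counts as a failure, because
        # a device that stopped reporting cannot be assumed to be secure.
        if device.get(control) is not True:
            findings.append(f"{control}: not confirmed")
    last_patched = device.get("last_patched")
    if last_patched is None:
        findings.append("last_patched: never reported")
    else:
        age = (today - date.fromisoformat(last_patched)).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"last_patched: {age} days ago")
    return findings

def baseline_report(inventory, today):
    """Map hostname -> findings for every non-compliant device, BYOD included."""
    report = {}
    for device in inventory:
        findings = assess_device(device, today)
        if findings:
            report[device["hostname"]] = findings
    return report

# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    {"hostname": "corp-lt-01", "disk_encrypted": True, "antivirus_running": True,
     "firewall_enabled": True, "secure_boot": True, "last_patched": "2024-03-01"},
    {"hostname": "byod-lt-07", "disk_encrypted": False, "antivirus_running": True,
     "firewall_enabled": True, "secure_boot": True, "last_patched": "2024-01-02"},
    # Management agent stopped reporting part-way: several fields are absent.
    {"hostname": "corp-lt-09", "disk_encrypted": True, "antivirus_running": True},
]

if __name__ == "__main__":
    for host, findings in baseline_report(SAMPLE_INVENTORY, date(2024, 3, 15)).items():
        print(host, "->", "; ".join(findings))
```

Treating absent data as a failure is the important design choice: remote devices that silently drop off reporting are exactly the ones IT and security teams need to follow up with users about.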

Data Management and Privacy: Outline how data should be handled, stored, and transmitted. This includes the use of secure cloud storage services, guidelines on sharing sensitive information, and protocols for data backup. The aim of this section is to ensure that corporate data remains within corporate control, and does not end up on personal cloud storage or backup drives.

Network Security Requirements: Provide clear instructions on securing home networks, such as changing default router passwords and using WPA3 encryption. Mandate the use of VPNs for all remote work activities, especially when accessing the company’s internal network.

Incident Reporting and Response: Define procedures for reporting suspected cybersecurity incidents. This should include contact information for the IT security team and a step-by-step guide on what to do in the event of a security breach.

Employee Education and Awareness: A policy is only as effective as the people who implement it. Regular training sessions should be conducted to ensure all employees understand the remote work policy and their role in maintaining cybersecurity. This training should be practical and engaging, using real-world scenarios to illustrate the importance of following the policy.

Regular Review and Update: The remote work policy should be a living document, subject to regular reviews and updates to address new cybersecurity threats and changes in technology. This ensures that the policy remains relevant and effective over time.

Conclusion

There’s no question that this decade’s massive shift towards remote work offers numerous advantages to Australian SMEs. However, it also comes with a unique and complex array of cybersecurity challenges. The risks associated with remote work – from the use of personal devices and unsecured networks to the threats of phishing attacks and the challenges of maintaining physical security – are not theoretical. They’re real, immediate, and potentially devastating in their impact.

The Australian Signals Directorate’s recent report, highlighting breaches stemming from compromised personal devices, serves as a stark reminder of the vulnerabilities inherent in remote work environments.

To navigate this landscape, SMEs need to adopt a comprehensive approach to cybersecurity. This means understanding the unique risks of remote work, establishing a secure remote work policy, and implementing fundamental cybersecurity measures such as VPNs, antivirus software, encryption, 24x7 detect and response mechanisms, patch governance, and strong access management.

However, the human element also plays a critical role. Regular and thorough cybersecurity training and awareness programs are essential in equipping employees to recognise and respond to threats as they work remotely. Policies and technologies are only as effective as the people who use them; thus, fostering a culture of cybersecurity awareness and vigilance is paramount.

In conclusion, maintaining security in a remote work environment is a multifaceted and ongoing challenge. It requires a blend of technological solutions, comprehensive policies, regular training, and an overarching culture of security awareness. For Australian SMEs, investing in these areas is not just a matter of protecting data and systems; it’s about safeguarding their business’s integrity, reputation, and future. As remote work continues to change the way we do business today, a strong commitment to cybersecurity is essential.
