Millions of Americans are “working from home” due to the COVID-19 pandemic. However, the sudden transition to working at home leaves many businesses vulnerable to cybersecurity threats.
But new cybersecurity threats could shut businesses down, hold their data for ransom, and cost them big in stolen funds. As if you didn’t already have enough to worry about, am I right!?
Big businesses have the resources and IT staff to help secure their remote workforce. But most smaller organizations don’t—and hackers know it. If your SMB recently transitioned to remote work or is about to, here’s a cybersecurity checklist to keep your business safe.
First, why should small businesses worry about remote work security right now?
There are 3 big reasons why SMBs need to focus on cybersecurity as their people work from home.
- With every new device and network used to access your company’s data, your attack surface grows. What that means is that there are more potential ways for hackers to break into your systems. For example, if your payroll manager logs into your accounts from a phone over a public Wi-Fi network, hackers could steal their login credentials and get into your accounts, too.
- Cybercriminals profit from chaos and stress. Our current reality delivers both, which is why fraudsters are launching all kinds of coronavirus-related scams aimed at businesses, consumers, even hospitals. When your administrative assistant gets an urgent email from you directing them to make an online donation to a COVID-19 charity in the company’s name, they might do it without question—without realizing the email came from a scammer impersonating you to steal company funds.
- Most of us are less cybersecure at home than at work. Even if your cybersecurity game is perfect in your workplace, out-of-date or unpatched software on an employee’s home computer could give hackers the security gap they need to worm their way into your business.
OK, so how can you prioritize cybersecurity best practices?
Here are 7 security steps to make your business more secure while everyone’s working from home.
1. Talk to your employees and leadership team about phishing
Even before the coronavirus emerged, scammers were sending out 3.4 billion phishing emails every day, per TechRadar and Valimail. Now, scammers are targeting remote workers with COVID-19-related:
- scams designed to steal their login credentials to Office365, OneDrive and other cloud data storage services
- “urgent” email impersonations of company leaders requesting that employees transfer funds, pay invoices or make donations online. For real. It’s even happened to us at HostGator.
- messages that encourage recipients to click on a link or attachment for COVID-19 information, only to download ransomware.
To help keep your employees from getting phished, David Johnson, Chief Information Security Officer for HostGator, recommends reminding them to watch for emails containing:
- Mismatched or misleading information
- Fake shipping or delivery notifications
- Fake purchase confirmations and invoices
- Requests for personal information
- Promises of rewards
- Charity or gift card requests
- Urgent or threatening language (like “your account will be terminated”)
- Unexpected emails
Encourage (and frequently remind) your employees to
- Check the email header to see whether the sender’s display name and email address actually match. Scammers can set up a free email account with any display name they choose—even yours—so it’s important to check the address itself, not just the name.
- If the email appears to come from a fellow employee, manager, customer or vendor, verify the sender via voice, text or video chat before you follow “urgent” instructions, especially requests for money.
- Be cautious about clicking links, opening attachments or putting information into pop-up dialog boxes. When in doubt, don’t.
- Report suspicious emails to you or your IT person.
2. Protect your website from crashes and takeovers
Because ransomware attacks are on the rise, it’s also important to make sure your website has regular backups and continuous malware scans.
Check with your IT person or your web hosting provider to make sure you have automated site backups at least once every 24 hours that include file and database backups. That way if your site goes down, you have a recent version you can bring back up while you sort out the problem.
You’ll also want to check to see if your site gets regular scans for malware infections and the kinds of vulnerabilities that could allow attackers to inject malware into your site. The quicker these problems are spotted and removed, the better.
3. Protect company equipment from hacking and theft
If your employees are using company-issued computers and mobile devices, make the rules for safe use clear.
- Company devices should be used for work only. Many companies already mandate that company computers are for company work, not personal use, but employees may not think about how using company tech for personal tasks and leisure creates risk. All it takes is one wrong click for your company data and logins to be compromised.
- Company devices should be securely stored when not in use. When company laptops and phones get stolen from people’s cars, the data on them gets stolen, too.
4. Keep everyone’s apps and OS up to date
Remember the huge 2017 Equifax data breach that affected more than 143 million people? Equifax could have prevented it by keeping their software patched and up to date. Instead, they let a known vulnerability in one of their apps sit unpatched for weeks, and hackers exploited it.
Keeping your company’s software updated, and patching vulnerabilities as soon as patches are available, are easy ways to keep hackers from walking right into your system.
The need for prompt updates also applies to company-owned devices that your employees are using at home—and to their personal computers and phones if they’re using those to work remotely.
5. Make employees’ remote connections as secure as possible
How your employees access company email, databases and files matters, because unsecured connections are another potential entry point for bad actors. Let’s look at connection methods from least to most secure.
Public or free Wi-Fi and computers. This shouldn’t be much of an issue right now, because so many of us are confined to home. But just in case, it’s wise to make clear that no employees should be logging in to work from public Wi-Fi or public computer terminals.
Home networks are safer than public Wi-Fi, if they’re set up correctly. Encourage your employees to make sure their home Wi-Fi network password isn’t easy to guess, and that it isn’t used for any other accounts.
If your workforce is at least moderately tech-savvy, you can encourage them to change the default administrator password on their home router. Often, it’s “admin/admin,” which leaves the router open to attackers who use search tools to scan IP addresses on the web, find routers still using default credentials and hijack them. Read our guide to setting a secure password.
Your company’s VPN. If you already have a virtual private network (VPN), make sure it’s up to date and require your remote employees to use it.
Don’t have a VPN? Now’s the time to invest in one. A VPN encrypts the data that moves between your company’s system and your remote workers, so it can’t be read by anyone on the networks in between. Not sure where to begin? TechRadar has business VPN recommendations.
6. Have everyone use the same tech tools
Even though everyone’s out of the office, they should all be using the apps and services you’ve selected for your company—or alternatives you approve. When employees start using new apps to do their work without an OK from the company, that’s called “shadow IT.” It can result in “serious security gaps,” according to Cisco, in part because shadow IT increases your attack surface.
For example, if your company shares documents, slide decks and spreadsheets through Google Drive, no one should also be using Dropbox or OneDrive to share company data. If you’re using Slack for work conversations, employees should stick to Slack and not break off into Skype or Hangouts groups to work.
7. Encourage good password hygiene
Reminding your employees to use strong, unique passwords may not seem like an important security step. After all, we’ve been hearing that advice for years but people still use terrible, insecure passwords like 123123.
But terrible, insecure passwords are an easy way for hackers to get into your employees’ accounts and then into your business. One way to ensure better passwords is to use a password manager service for your SMB. With this kind of tool, you can require strong passwords, require two-factor authentication if you like and schedule required password changes. You can find a guide to SMB password managers at InformationWeek’s Dark Reading.
How can you get your employees to follow these recommendations?
Too many recommendations at once may overwhelm your people. A more workable approach is to focus on one security task per workday or per week, depending on everyone’s bandwidth. With a planned approach, you can make your business more secure and give everyone one less thing to worry about.