11 May Cybersecurity for Small Businesses with a Remote Workforce
Kiersten Todt, Managing Director, Cyber Readiness Institute
Craig Moss, Director – Content, Cyber Readiness Institute
No company is an island in the world of cybersecurity, just as no person is an island during the COVID-19 pandemic. The parallels are clear. The cybersecurity hygiene of your employees directly impacts the cybersecurity of your organization, just as the health hygiene of an individual directly impacts the family, friends, and community of that individual during this COVID-19 pandemic.
The economic impact of the pandemic has been devastating for companies, especially small and medium-sized enterprises (SMEs). The rapid shift to remote work has hit SMEs extremely hard. Recent studies have again emphasized that SMEs are particularly vulnerable and ill-prepared for cyber attacks. In 2019, 66% of SMEs experienced cyber-attacks, and 63% reported a data breach.
SMEs are frequently targeted given they are less likely to have the resources, tools, and technical expertise of a larger corporation. The new cybersecurity vulnerabilities resulting from remote work make the situation even more urgent. Cyber Readiness Institute conducted a survey from March 25-27, 2020 of 412 small business owners, and only 40% have implemented a remote work policy focused on cybersecurity as a result of the coronavirus (only 25% of those with less than 20 employees.)
Despite strong evidence, many SMEs do not think that their business is at risk of a cyber-attack or data breach. However, the cybersecurity of your company is critical to the security of every organization you touch in your value chain. In a recent Ponemon study, only 16% of SMBs expressed concern that they would become the victim of cybercriminals. This statistic clearly represents a false sense of security. It seems that much like individuals take their personal health for granted until they have a health problem, SMBs take their cybersecurity for granted as well. According to a study that surveyed 2,176 businesses with a headcount of less than 1,000, attacks cost SMBs an average of $1.2 million due to damage or theft of IT assets and infrastructure and an average of $1.9 million due to the cost of disruption to normal operations. These costs can easily force an SMB out of business.
This false sense of security leads to a lack of focus on creating a culture of cyber readiness. Cyber readiness focuses on ensuring that every employee within an organization is trained and educated to take basic steps to prevent incidents and to respond effectively when an incident occurs. Building a culture of cyber readiness is even more critical with a remote workforce.
On top of the flood of bad news about the pandemic, SMEs are now inundated with an array of companies selling cybersecurity products and services for remote workers. Although technology is an important aspect of cybersecurity, SMEs should be aware that addressing and improving human behavior and creating a strong culture of security can have a significant impact at little or no cost. Every company needs to realize that being cyber ready starts with an educated workforce.
So how can SMEs begin building a culture of cyber readiness? For managers or owners, tackling cybersecurity can quickly feel like an overwhelming and expensive project. Fortunately, it is not necessary to have a technical background or expertise to be a cybersecurity leader within an organization. The lack of cybersecurity preparedness can largely be remedied through changes in human behavior. Most malicious attacks initially stem from human error, as criminals typically attempt to penetrate a company’s system by exploiting vulnerable human behavior. Most often the vulnerability is related to weak passwords, not updating software, clicking on phishing emails, or the use of USBs and removable media.
For remote workers, these four basic areas become even more important. Each of these issues needs to be considered in light of what devices your remote workers will be using, how they will connect to your network, and what data they can access. Given the rapid shift to remote work, it is critical to quickly review any existing cybersecurity policies, adapt them to remote work, and communicate your expectations to the remote workers.
Specifically, make sure your employees are:
- Enabling multi-factor authentication whenever possible
- Using separate passphrases for work and personal computers
- Updating software on all devices
Make sure your employees are NOT:
- Clicking on links to attachments in emails from unknown senders
- Sending passwords or financial information via email
- Using USBs or public WiFi
As people are shifting to remote work, they are changing their behavior and developing new work patterns. Now is the time for every organization to embed the basics of cyber readiness into how everyone does their job. Visit Cyber Readiness Institute’s Remote Work Resources for more helpful information.