Summertime, and the livin’ is easy… or so the Gershwin song would have you believe. Unfortunately, cyber criminals do not take a holiday which means your cybersecurity efforts sometimes need to work overtime to protect data privacy and security. With employees wanting to work remotely or having more flexible schedules during the summer, organizations need to double down on their cybersecurity protections.
Remote employees pose multiple data security risks. When employees are connected to your on-premise systems, networks, and software, you have control over all of those different potential entry points. For example, if your employees are connected to your wireless network, you can control the encryption, firewalls, and malware protection. However, when employees work remotely, they cross into a gray area similar to off-site vendors.
Unfortunately, you still need to protect your sensitive data. A data breach arising from a remote employee with poor cyber hygiene is still a liability for your organization.
No matter where your employees work — on-premises or remotely — you should be incorporating multi-factor authentication (MFA). Malicious actors often use “brute force attacks” to obtain unauthorized access to systems, networks, and software. In a brute force attack, cybercriminals use one employee’s email address, figure out the formula for the way the company assigns email addresses, and then use software that attempts to login to services with a variety of known, weak passwords. For example, most companies use the same formulas for assigning logins, including firstname.lastname@example.org or email@example.com. Once the cybercriminals find the formula, they use their software to bombard the systems, trying all the possible weak passwords. This often provides them a way to access the organization’s data.
With MFA, a user must also incorporate “something they have” or “something they are.” In many cases, organizations use codes sent to smartphones as a “something they have” for authentication. However, increasingly, companies also incorporate biometrics such as facial recognition or fingerprints as a “something they are” for proof.
If you think about passwords as the lock on a door, the MFA acts like the deadbolt. The cybercriminal needs to obtain the key for both locks to gain access.
A VPN, or virtual public network, hides a user’s information when they’re on a public network. When you use the internet, your information has to connect to the internet service provider’s servers. When people use public wireless networks, such as those in a local coffee shop, the networks lack password protection and encryption. Cybercriminals can use a “man in the middle” attack to obtain any information that you send across that connection.
VPNs not only redirect your information to their servers, keeping your information protected from the internet service provider, but many include encryption. The encryption acts as additional protection because it scrambles the data, making it unreadable even if it is intercepted.
Most VPNs can be used on any device — laptop, smartphone, tablet — which means that if you’re providing it to your employees, they can secure their access across all uses.
No matter where employees work, they’re accessing the Internet. Malware and ransomware are the scourge of the internet. Even when employees are accessing the internet for business purposes, they can infect their computers accidentally. Adware and popups often contain malicious code that automatically downloads to devices. Even worse, new strains of malware and ransomware do not require people to execute, or open, files for the code to run in the background.
While most employees know that anti-malware and anti-ransomware protect their devices, many forget to install it or feel they can’t afford it. Providing employees with the right protective resources ultimately protects your business.
Most employees know about phishing, malware, and ransomware. Many may even have heard about adware or brute force attacks from the news. However, many companies feel that a single, annual training protects them and works. In reality, since malicious actors continually evolve their threat methodologies, the training that works today may not be applicable tomorrow.
Effective employee training programs need to be job-focused, starting with the c-suite and then moving down through all employee job functions. Moreover, to adopt a security-first approach to data protection, you need metrics that help prove the training program’s effectiveness.
Even if you give your employees their own laptops, many of them are going to use smartphones, tablets, or the closest digital device to them. In short, they’re going to use their own devices no matter what you do.
Establishing a BYOD policy lets you set the terms and conditions of how employees access your systems, networks, and software. However, if you have a policy but don’t enforce it, you leave your data at risk. Your BYOD policy needs to have either positive or negative consequences for actions. For example, you can create an incentive - either a gift card or other small token reward - for employees who meet certain security requirements. On the other hand, you can also create penalties for noncompliance such as a “3 Strikes You’re Out” rule.
At Zeguro, we understand that protecting your business from data breaches can be overwhelming and expensive. This is why we created a holistic approach to help you strengthen your cybersecurity program. Starting with a security-first approach, we help you identify risks, create policies, train employees, and monitor control effectiveness. We also provide the documentation necessary to meet increasingly strict industry standard and regulatory compliance requirements. As part of our Cybersecurity-as-a-Service (CSaaS), we also direct you towards a cyber insurance policy that fits your needs.
To get early access to our end-to-end cyber safety platform and find out first-hand what CSaaS is all about, sign up for early access here.