Opinions expressed by Entrepreneur contributors are their own.
Remote work is a double-edged sword: It provides your employees with the comforts of staying at home, but it also creates additional security risks as they are more likely to use unprotected devices and connect to unsecured public networks.
At least 20% of businesses went through a data breach caused by remote workers. As reported by IBM, the average data breach cost is $1 million higher in companies where remote work is common. It also takes 58 days longer for such organizations to discover and contain data breaches.
Step 1: Categorize your company’s data
Your business holds vast amounts of data, from client credit card details to employee IDs. For effective security, categorize your information. We classify ours into three categories: critical, restricted and confidential data.
Critical data is what, if leaked, would seriously damage the company’s reputation, making a return to normal operations almost impossible. It includes user credentials, card security codes, client order history and customer behavior data. I would also add source code for software companies.
Restricted data, if leaked, could seriously threaten our business. It would undermine the company’s reputation, but it’d be possible to continue operating in a limited way. Such data contains emails, locations, device info, app usage insights and many other kinds of data from our customers.
The last category, confidential data, includes the organization’s trade secrets. Such leaks would harm the company’s operations but would have a smaller impact on its reputation. It comprises the team members’ data, company policies and procedures, recruitment process details, source code, financial statements and more.
Step 2: Calculate the cost of a breach and create policies
We all hate bureaucracy — I know that. Yet for a business to work, its members must follow certain rules (i.e., policies). To create a good cybersecurity policy for remote workers, you need accurate data. I recommend calculating the cost of potential data breaches using real money.
Be sure to take into account all types of losses. A company’s data breach results in direct expenses like investigation and compensation, indirect costs from recovery efforts and lost revenue, and opportunity costs due to reputational damage and lost potential business.
After calculating the costs of a data breach, design policies. Standard procedures usually include policies on how you label and share data, what security controls you must have and what training your workers must attend.
Step 3: Reduce the risks of remote work
First, ensure the security of your computers. Allow remote workers to access corporate resources from corporate devices only. Have your helpdesk specialists configure all devices according to your information security standards. For this task, they’ll need device administration tools such as JAMF.
Second, monitor the state of your corporate devices. Handle the installation of patches, security updates and the latest versions of the OS and software. Use monitoring tools like JAMF and encourage employees to keep their workstations up to date. Last, install an Endpoint Detection and Response (EDR) or Antivirus (AV) agent to track malicious activity on your corporate computers. An example of such a system would be CrowdStrike.
Third, control access to corporate resources. Remote workers should only have access to the resources necessary for their work. Make those resources reachable only while the corporate VPN is turned on. I recommend also enabling IPS or IDS on the VPN to look out for network anomalies.
Don’t forget about multi-factor authentication. It’ll add one more layer of security to your company’s data and decrease the chance of unauthorized access, and you can use ready-made MFA solutions.
Step 4: Encourage your remote workers to be responsible
Truth bomb: The actions above aren’t enough to protect your business from security risks. About 60% of attacks succeed because average employees make mistakes. It’s your duty to help your employees understand the importance of cybersecurity.
First, encourage them to use apps that track whether their device is safe. These can take the form of an easy-to-understand security checklist that dynamically checks various system indicators.
Second, motivate workers to keep the corporate VPN turned on. You can also make their lives a lot easier by making the VPN connect automatically when the system starts up. If you don’t have a business VPN, use a regular one from a trusted provider.
Last, don’t forget about training. Encourage your workers to learn, but make it exciting. Monotonous video lectures won’t do — add gamification and interactivity. Your company’s security rests with your team; build a strong human firewall by instilling best practices and fostering vigilant behaviors.
Bonus step: What to do with your freelancers
The problem with freelancers is that you can neither make them work on your corporate laptops nor install special security software on their devices. You can, however, manage their access to your company’s resources.
Limit their access to essential company resources, using the least privilege principle. If feasible, avoid access altogether and establish secure data-sharing protocols. Always clarify collaboration terms in contracts and NDAs detailing data access and usage. Emphasize that violations may lead to legal consequences.
Safeguarding your company in a remote work era is entirely achievable. Begin by discerning the types of data you possess and understanding the potential costs of breaches, tailoring security measures in response. Prioritize the integrity of your corporate devices and manage access to resources. Talk to your remote workers and implement the use of robust security tools like VPNs.