The latest data from cybersecurity solutions firm Kaspersky showed only 34% of businesses provide staff with enough information on potential security risks involving company data. Employees working remotely sometimes use their own devices, which have either failed checks by IT personnel or have never been checked at all.
Business data is now drifting outside the corporate perimeter, and companies’ security postures have changed drastically to take in remote devices and data traveling to cloud environments.
Working from personal devices has become a necessity for some small organizations during the coronavirus pandemic. But even without COVID-19 lockdown measures in place, this practice remains relevant for some organizations, as it gives employees greater freedom to work anytime, anywhere, while saving employers money on equipment.
However, in addition to the business benefits, organizations must also remember to protect these devices from cyber risks so that sensitive business and customer data stored on them remains safe, and employees can work without downtime as a result of ransomware or other malware infections.
IT security requirements
During the pandemic, three-in-five employees of small organizations (57%) were not provided with corporate devices from their employers, compared to an average of 45% of staff working in all companies, as shown in the recent Kaspersky study. While it may be the only option for some organizations to keep their business going, only one-third of small business staff (34%) indicated they were given any IT security requirements to work securely on personal devices.
These requirements could include, for example, having an anti-malware solution installed by a user or provided by an organization, using strong and unique passwords on devices and WiFi routers, and regularly updating device operating systems in order to reduce risks from unpatched vulnerabilities.
Having such instructions in place has recently become even more necessary, given that 35% of small business employees admitted they have begun to store more valuable corporate information on their home devices, as well as in personal cloud storage services (25%).
“Small companies may be in difficult circumstances and their first priority is to save their business and employees during the lockdown,” said Andrey Dankevich, senior product marketing manager, B2B product marketing at Kaspersky. “So it is no surprise that cybersecurity may become an afterthought. However, implementing even basic IT security requirements can decrease the chances of malware infection, compromised payments, or lost business data. Moreover, there are plenty of recommendations already given by cybersecurity experts that businesses can share with their employees to help them keep their devices safe. And of course, the requirements should be followed not only during home isolation but continued when staff works remotely in the future.”
Small office security
Kaspersky advises small companies to follow these IT security requirements to protect their employees while working from personal devices:
- Home devices should be protected with an antivirus solution. Kaspersky offers small businesses a dedicated solution, Kaspersky Small Office Security, which can be installed remotely on any device, whether corporate or employee-owned, and managed from the cloud.
- Device operating systems, as well as applications and services, should always be updated to the latest versions.
- Password protection should be switched on for all devices, including mobiles and WiFi routers. If a router has a default password it should be changed to a new and strong one. The password manager feature in a security solution helps to generate and store unique and strong passwords for every account.
- Home WiFi connections should be encrypted, ideally with the WPA2 encryption standard. This can be done in router settings.
- A VPN should be used if an employee is using unknown WiFi hotspots.
- Use a security solution that enables device and server encryption and creates backups for all corporate data – this will help to restore data quickly in case of a ransomware infection.
- Provide employees with a list of reliable cloud services that they can use to store or transfer corporate data.
- Conduct basic security awareness training for your employees. This can be done online and should cover essential practices, such as account and password management, email security, endpoint security, and web browsing. Kaspersky and Area9 Lyceum have prepared a free course to help staff work safely from home.
- Ensure your employees know who to contact if they face an IT or security issue.