The 5 best cybersecurity practices for a remote world

March 18, 2022 5:30 AM

Employees may feel physically safer and more comfortable working from home than ever before, but virtually, they’ve never been more at risk.

Most companies have unprotected data and poor cybersecurity practices in place, making them vulnerable to data loss, according to data from software company Varonis. With over half of remote workers using a personal device, 71% of security leaders say they lack sufficient visibility into at-home networks, making it nearly impossible to stop or prevent an attack, according to cybersecurity company Tenable.

“There is good news and bad news,” says Josh Yavor, chief information officer at software company Tessian. “The good news is that as an industry we've come a long way and technology has gotten better, so it's easier to actually be more secure by default. The bad news is that there's some hard decisions people still need to make that they’re struggling with.”

As a result, at least two-thirds of security leaders plan to increase cybersecurity investments over the next two years, according to Tenable, with nearly 75% citing vulnerability management and cloud security as top priorities. But as important as it may be to invest in better software, it’s equally important to invest in employees’ knowledge of that software and security.

"Increased engagement from employees and questions around security, devices and privacy are necessary," Yavor says. “Increasing accountability and responsibilities for things that they didn't have to think about previously is a really healthy direction.”

Yavor shared a few more best practices to boost a company’s cybersecurity.

Recognize good security and digital hygiene

Good security software goes to waste without the good habits to keep it running.

“Employees have a split reality,” Yavor says. “They have their work identity — their work email, their work laptop, their work data access — and they also have an equally technically capable personal side. And you can't treat one half of that reality while also ignoring the other half.”

This means that employers need to be building good security habits within their employee base in order to promote the separation of employees' personal and professional lives.

“Provide employees with guidance and resources that aren't just requirements for the business, but that actually drive good outcomes in their personal life,” Yavor says. “A good example is having certain security tools like a password manager or providing free personal accounts for their employees.”

Employers may not be promoting the adoption of cybersecurity tools for employees’ personal lives because they want to respect employees’ boundaries, according to Yavor. But, he says, better safe than sorry.

[Employers] try to respect work/life boundaries,” he says. “But attackers won’t.”

Educate employees

“Employers should be focusing on education for device updates and hygiene,” Yavor says. “Make sure that people understand the value of updating their browser and updating their operating system.”

Pre-pandemic, when employees went into the office, they traditionally had IT teams on hand to manage their desktops and workplace devices. But with the shift to remote work, personal devices became their work devices, and IT departments became harder to access.

“In cybersecurity, 90% of the problems are not actually deeply technical,” Yavor says. “It's just people's stuff — and we need to approach it as such.”

Equip employees with the right hardware

As much as employers must equip employees with the right knowledge, employers should also be providing employees with the right devices.

“I would love to see more organizations provide employees with at least one corporate-issued device,” Yavor says.

Whether it's a part of the Apple or Android ecosystem, devices of a certain caliber are already equipped to handle continuous, regular updates in order to tighten security — something that may not be the case with the personal devices employees are currently buying for themselves using their own money.

It’s a small price to pay, he says, to avoid the thousands of dollars in damage a security breach can cause a company.

“It's a really difficult decision for a lot of people to pull the trigger on buying a very expensive, new and supported smartphone [or laptop],” Yavor says. “But companies making it easier and more accessible for their employees to upgrade to better hardware are actually making them more secure.”

Should a company not want to invest in devices themselves, Yavor suggests a stipend system that will encourage employees to get themselves separate devices for their personal and professional life.

Increase the adoption of security tools

On the more technical side, there are still a handful of companies that have yet to embrace and implement several new technologies that could keep their data safe.

“Embrace things like single sign-on solutions that reduce the total number of accounts, identities and credentials that need to be remembered, or put into a password manager,” Yavor says. “The fewer moving pieces for a business is usually better."

Isolate access to data

In an office setting, it was okay to have shared access to files and data — even if it wasn’t for you — because it was all under the same roof and the watchful eye of the company.

But as more companies adopt hybrid systems, giving too many people access is creating more points of entry for potential attackers.

“How do you design security solutions in a way that does not require that device to be on a corporate network or in an office for security,” Yavor says. “Even if you have a VPN or you try to force a VPN on everyone, we know that that's very difficult.”

The solution is to create a system of role-based control, according to Yavor. Which just like the name implies, means that access to files and data will be designated according to an employees’ role and their credentials.

“One of the best things that you can do is make sure employees only have access to the things that are actually necessary for them,” he says. “You're never going to get to zero, but it's shocking how many organizations don't put in enough effort to say that by default employees should not have access to a bunch of other systems.”