2020 was a year of rapid change. Overnight, the pandemic pushed most businesses into a remote working set-up – and for many SMEs, this meant rushing to put structures in place that would enable your team to do their job from home. 12 months on, we’re getting used to a ‘new normal’, and some aspects of our lives will look quite different even after the threat of COVID-19 subsides.
In both the short-term and long-term, we’re unlikely to go back to the old world where everyone sits under the same roof, five days a week.
Around 3-4 times more people plan to work from home than pre-pandemic, but some are keen to transition back to the office – either full or part-time.
Adopting a hybrid approach to working is good for your bottom line: flexible policies keep employees motivated; virtual arrangements minimise property costs; and talented people who would never have pursued fully office-based roles will take an interest in your firm. But have you considered the risks?
In this blog, Epoq-IT will outline the main challenges that SMEs face when running a part-remote, part-office-based working structure. And we’ll look at the security initiatives you can put in place to reduce risk and protect your people.
What does good business security look like? To many SMEs it’s installing antivirus software on company laptops. But this is no longer enough to protect your brand.
For maximum safety, you need to look strategically at your security set-up and put new templates and technologies in place that safeguard your company from evolving cyber threats, starting with endpoint security.
‘Endpoint’ is the technical term for any digital device that communicates with your business network: think desktop computers, laptops and smartphones.
The number of digital security risks that SMEs face is growing, from malware and ransomware attacks to phishing.
There are also new, emerging threats like malicious cryptomining (where cybercriminals use your computer as a power source for mining or stealing cryptocurrency), so you need to protect your endpoints from increasingly sophisticated attacks.
Many companies have moved business software into the cloud for greater flexibility and protection. But while this is a clear step in the right direction, the cloud alone doesn’t guarantee security.
If staff can access information from anywhere, so can hackers. That’s why malware attacks increased by 358% in 2020 and ransomware attacks increased by 435%.
To safeguard your business against cyber threats, you need to think about how every person in your company accesses your network – and the potential risks that poses.
To create the highest level of security, ideally you should be issuing company technology to employees, fitted with business-level antivirus and anti-malware software that continually monitors and actively remediates cyber threats.
Now is a good time to invest in tech, as a new government super-deduction initiative is allowing companies to claim up to 130% capital allowance on certain machinery assets.
It’s also important you ask your team to only use company-issued tech for work purposes, so you can limit their activity to approved files, sites and apps. Put together a ‘whitelist’ of acceptable sources if you’re worried about people going off-piste.
Smartphones are likely to be your highest security risk, as people often use their devices for both work and personal purposes.
As cafés, co-working spaces and public transport hubs reopen, people will start to work in places other than their homes – either for business purposes or a change of scenery.
Free Wi-Fi is a big attraction for hospitality venues, but public Wi-Fi networks are less secure than a private connection. Hackers can create false wireless access points that enable them to attack devices or harvest sensitive information.
Whenever your team is using public Wi-Fi, make sure they are connecting via a virtual private network (VPN) – this will create a secure, encrypted data ‘tunnel’ between their device and your system, so their traffic stays protected while it crosses an unsafe internet connection.
VPN software can be downloaded directly to your company devices. For maximum security, encourage your team to keep it connected at all times.
What information is your team able to access?
While it’s great to have cultural transparency in your firm, when it comes to sensitive documents, these should be shared on a ‘need to know’ basis.
If fewer people can access important data or edit critical files, there are fewer endpoint openings for cybercriminals to infiltrate. And considering cyber breaches cost the average small business over £25,000 in basic ‘clear up’ costs each year, every step you take to limit vulnerability is worthwhile.
Does your company have an IT policy in place? Is it up to date?
While many SMEs have a standard document in the archive, if yours hasn’t been updated and shared in a while, now is the time to reconsider its content.
With more staff than ever working from home, it’s really important that you formalise remote access guidelines – and integrate them into your overall business
If you’re allowing staff to work from their own laptop, tablet or mobile, factor this into your remote working template. For example, ask them to make sure your business antivirus and anti-malware software is installed on all devices used to access company data.
But be prepared: your team may not like being told how they can use their personal equipment, so company-owned tech is often a better long-term option!
Points to include in your remote working policy:
Prevention is better than cure, but sometimes accidents happen. Last year alone, someone fell victim to a ransomware attack every 10 seconds – and the quicker you can get on top of security breaches, the easier it is to contain them.
When you’re updating your IT policies for a hybrid office/home working set-up, make sure you include protocol on how employees should respond to a potential hack. For example:
A clear response process – and reassurance that people won’t be in trouble if their actions trigger a security breach – will help your business to limit damage.
It’s also beneficial to include a clause on what happens when someone leaves your company. You want to make sure that your data and systems are secure before they leave, and that you have full control over their system access – particularly if things end unhappily or they move to a competitor.
You might have an up-to-date IT policy in place, but it’s worth very little if your team aren’t familiar with it.
The most secure SMEs encourage their whole workforce to learn the latest industry best practice, and help people to understand their own contribution towards overall data security.
While most companies take cyber threats seriously, it’s often left to business owners or IT personnel to take care of security protocol, but this shouldn’t be the case.
1 in 5 professionals working from home have received no cyber security training
To truly reduce your risk of cyber-attacks and data breaches, everyone in the company has a role to play.
Even simple changes can make your business operation much more secure. For example, 81% of data compromises are caused by weak passwords. To increase security, make sure your team pick passwords that are:
It’s also a good idea to change your work passwords every 90 days.
One of the biggest security challenges SMEs face is that cyber threats are constantly evolving, so one basic training session won’t protect your business for life. To make sure employees understand the full scope of digital risks your company faces, why not run a series of targeted training sessions around high-profile issues? Workshops could include:
If you’re not sure what to tackle first, you can always refer to our blog – how cyber savvy are your workforce – this questionnaire will help you pick a suitable start point.
Unfortunately, more than ever, employees are the weak link in an organisation’s network security. They are frequently exposed to sophisticated phishing and ransomware attacks. Employees need to be trained and remain on their toes, with security top of mind.
Many companies are turning to comprehensive and structured Cyber Awareness Training: This enables employees to make smarter security decisions by training them to understand the mechanisms of spam, phishing, spear phishing, malware, ransomware, and social engineering, and then applying this knowledge in their day-to-day job. Simply put, this helps you build a human firewall as your last line of defence.
We’ve already talked about putting plans for reporting a breach in place – but is your company confident about how to handle a security incident?
Many SMEs have a backup and disaster recovery programme already, but it needs revisiting when you have team members working remotely.
Your aim is to respond to security issues as quickly as possible and to limit any damage; not only for your team, but to meet legal obligations around data protection.
69% of SMEs are currently backing up data to the cloud – which means that almost a third of firms still aren’t.
In a hybrid working set-up, you’re likely to be adding more endpoints to your business network – which means the chances of data being stolen or devices being lost increase. Even if your business network is in the cloud, if someone has stored information in a location that isn’t integrated fully into your network – such as their smartphone or the desktop of their personal computer – then it won’t get backed up.
You also need to develop a clear response plan to support disaster recovery. Who needs to be notified if something goes wrong? Is it the same protocol for everything, or does each type of breach have its own separate response plan? How often will you review your plans?
But always remember that prevention is better than cure – so continue to run frequent backups!
As we move out of survival mode and increase business resilience following COVID-19, hybrid working is a new and exciting frontier – and for SMEs, it can be a flexible, cost-efficient way to run your company.
But it’s important to consider the impact a dual home/office set-up will have on your business network and security, and put the technology in place to run a tightly controlled operation.
The only way to truly safeguard against all cyber threats is to monitor and manage your endpoint security 24/7. And if you don’t have the time, skills or resources in-house to do this alone, a managed services provider can take the responsibility off your shoulders.
Epoq-IT is here to support your transition to hybrid working. Our cloud security software monitors endpoints and network events in real-time, to immediately identify threats and take rapid avoiding action.
Epoq-IT’s business IT security services will help you to understand the multifaceted risks your company faces.
Tell us your concerns and we’ll put an integrated suite of measures in place that cover policies, technologies, hardware, software, cloud services and training – for complete protection and peace of mind.