April 18, 2023 By Jennifer Gregory 4 min read

The debates have (mostly) stopped about whether remote work is here to stay. For many people, it’s just the way we work today. However, even three years later, cybersecurity around remote work is still a top concern. Both companies and employees have room for improvement in terms of protecting devices, data and apps from cybersecurity threats when working remotely.

In addition to remote working causing new vulnerabilities to attacks, breaches involving remote work are more costly. The IBM Cost of a Data Breach 2022 Report found that around the globe, remote working increased the average cost of a breach by nearly $1 million. Breaches in the U.S. with remote working cost $600,000 more than the global average.

Though companies set up remote working policies and security at the beginning of the pandemic, employees may become lax over time. Now is the perfect opportunity to revisit best practices and improve cybersecurity for your remote workers. By taking proactive steps, you can reduce your organization’s cybersecurity risk when it comes to remote work.

Build a culture of cybersecurity

Many employees mistakenly believe that cybersecurity is the IT department’s responsibility. In today’s culture of threats and connected devices, that’s no longer true. In fact, it’s even less the case when employees are working remotely. Instead, they must become their own cybersecurity expert for their remote work setup and home office.

By moving to a culture of cybersecurity, remote workers feel empowered and responsible for cybersecurity. Workers who have the knowledge and the responsibility are more likely to follow best practices and report any suspicious activities. However, creating a culture of cybersecurity takes a concerted effort, starting with organizational leaders. The transformation happens over time, with repeated messages and training, not through a single training class or memo.

Provide virtual private network (VPN) access

Organizations should ensure that employees are using a secure network for all company work. Many companies expressly prohibit doing company work on public wireless. But in today’s workforce, people often need to get work done in locations other than their homes. When you provide a VPN Transport Layer Security (TLS), your employees can create a secure network wherever they are located so they can send the client a contract or help a customer resolve a problem — no waiting to get home or to the office required.

Remind employees to change default passwords on home routers

Many people simply set up their routers and get started. If the user leaves the default password on the router, cyber criminals can easily hack into the network. Educate employees that strong passwords apply to routers, and regularly send reminders to remote workers to change their router passwords.

Require employees to password protect devices

If an employee loses an unsecured work phone, then a cyber criminal can gain access to the network with relative ease. By requiring all devices used for company business to be protected with a strong password, you reduce your risk. Some companies take it a step further by requiring biometric passwords, such as fingerprints or facial recognition. Employees who lose their devices should contact IT immediately so the device can be locked and remotely wiped to decrease risk and diminish its value to cyber criminals.

Create remote work cybersecurity policies

Once your employees are trained on best practices, put those guidelines in writing and have each employee sign them. Be sure to include any requirements for encryption and secure networks in the policy. Additionally, detail any restrictions on using personal devices for work purposes. To keep the policy top of mind, require each employee to sign an updated version each year during their annual review.

Require employees to use anti-malware software

Any device used for company data, including personal laptops and cellphones, should have anti-malware software. Additionally, the employee must regularly update the software with any new patches or bug fixes. Every device with even a single unpatched software program significantly increases the company’s risk of a cybersecurity attack or breach.

Focus on phishing

Remote workers may let their guard down against phishing scams or social engineering if they are working on their couch or back patio. The IBM 2022 Cost of a Data Breach Report found that phishing was the second most common cause of a breach, accounting for 16% of breaches. However, phishing breaches cost organizations the most money of all types of breaches, at an average of $4.91 million in breach costs.

When you provide employees with training on best practices, such as not clicking on unknown links or not downloading files from people they don’t know, they are more likely to avoid phishing scams. Be sure to also provide employees instructions on what to do if they receive a phishing email or actually click on a potentially malicious file.

Consider endpoint detection and response

While anti-virus software should be an integral part of home office security, it’s simply the first step. With endpoint detection and response (EDR) solutions, remote employees have the same protections as they did in the office. If the employee clicks on a file that begins downloading malware, the EDR detects the threat and interrupts the download.

Remote working has become standard and simply the way we work. But it’s important to prioritize cybersecurity risks associated with working from home. By routinely reviewing and evaluating your remote work processes and practices, you can keep your organization as secure as possible, regardless of where employees work.

More from Risk Management

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today