April 18, 2023 By Jennifer Gregory 4 min read

The debates have (mostly) stopped about whether remote work is here to stay. For many people, it’s just the way we work today. However, even three years later, cybersecurity around remote work is still a top concern. Both companies and employees have room for improvement in terms of protecting devices, data and apps from cybersecurity threats when working remotely.

In addition to remote working causing new vulnerabilities to attacks, breaches involving remote work are more costly. The IBM Cost of a Data Breach 2022 Report found that around the globe, remote working increased the average cost of a breach by nearly $1 million. Breaches in the U.S. with remote working cost $600,000 more than the global average.

Though companies set up remote working policies and security at the beginning of the pandemic, employees may become lax over time. Now is the perfect opportunity to revisit best practices and improve cybersecurity for your remote workers. By taking proactive steps, you can reduce your organization’s cybersecurity risk when it comes to remote work.

Build a culture of cybersecurity

Many employees mistakenly believe that cybersecurity is the IT department’s responsibility. In today’s culture of threats and connected devices, that’s no longer true. In fact, it’s even less the case when employees are working remotely. Instead, they must become their own cybersecurity expert for their remote work setup and home office.

By moving to a culture of cybersecurity, remote workers feel empowered and responsible for cybersecurity. Workers who have the knowledge and the responsibility are more likely to follow best practices and report any suspicious activities. However, creating a culture of cybersecurity takes a concerted effort, starting with organizational leaders. The transformation happens over time, with repeated messages and training, not through a single training class or memo.

Provide virtual private network (VPN) access

Organizations should ensure that employees are using a secure network for all company work. Many companies expressly prohibit doing company work on public wireless. But in today’s workforce, people often need to get work done in locations other than their homes. When you provide a VPN Transport Layer Security (TLS), your employees can create a secure network wherever they are located so they can send the client a contract or help a customer resolve a problem — no waiting to get home or to the office required.

Remind employees to change default passwords on home routers

Many people simply set up their routers and get started. If the user leaves the default password on the router, cyber criminals can easily hack into the network. Educate employees that strong passwords apply to routers, and regularly send reminders to remote workers to change their router passwords.

Require employees to password protect devices

If an employee loses an unsecured work phone, then a cyber criminal can gain access to the network with relative ease. By requiring all devices used for company business to be protected with a strong password, you reduce your risk. Some companies take it a step further by requiring biometric passwords, such as fingerprints or facial recognition. Employees who lose their devices should contact IT immediately so the device can be locked and remotely wiped to decrease risk and diminish its value to cyber criminals.

Create remote work cybersecurity policies

Once your employees are trained on best practices, put those guidelines in writing and have each employee sign them. Be sure to include any requirements for encryption and secure networks in the policy. Additionally, detail any restrictions on using personal devices for work purposes. To keep the policy top of mind, require each employee to sign an updated version each year during their annual review.

Require employees to use anti-malware software

Any device used for company data, including personal laptops and cellphones, should have anti-malware software. Additionally, the employee must regularly update the software with any new patches or bug fixes. Every device with even a single unpatched software program significantly increases the company’s risk of a cybersecurity attack or breach.

Focus on phishing

Remote workers may let their guard down against phishing scams or social engineering if they are working on their couch or back patio. The IBM 2022 Cost of a Data Breach Report found that phishing was the second most common cause of a breach, accounting for 16% of breaches. However, phishing breaches cost organizations the most money of all types of breaches, at an average of $4.91 million in breach costs.

When you provide employees with training on best practices, such as not clicking on unknown links or not downloading files from people they don’t know, they are more likely to avoid phishing scams. Be sure to also provide employees instructions on what to do if they receive a phishing email or actually click on a potentially malicious file.

Consider endpoint detection and response

While anti-virus software should be an integral part of home office security, it’s simply the first step. With endpoint detection and response (EDR) solutions, remote employees have the same protections as they did in the office. If the employee clicks on a file that begins downloading malware, the EDR detects the threat and interrupts the download.

Remote working has become standard and simply the way we work. But it’s important to prioritize cybersecurity risks associated with working from home. By routinely reviewing and evaluating your remote work processes and practices, you can keep your organization as secure as possible, regardless of where employees work.

More from Risk Management

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

Cybersecurity Awareness Month: Cybersecurity awareness for developers

3 min read - It's the 21st annual Cybersecurity Awareness Month, and we’re covering many different angles to help organizations manage their cybersecurity challenges. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security.For developers, cybersecurity has historically been a love-hate issue. The common school of thought is that coders are frustrated with having to tailor their work to fit within cybersecurity rules. However, many companies are embracing a security-first approach, and some developers…

Spooky action: Phantom domains create hijackable hyperlinks

4 min read - According to a recent paper published at the 2024 Web Conference, so-called "phantom domains" make it possible for malicious actors to hijack hyperlinks and exploit users' trust in familiar websites.The research defines phantom domains as active links to dot-com domains that have never been registered.Here's what enterprises need to know about how phantom domains emerge, the potential risks they represent and what they can do to disrupt phantom attacks. There are two common types of phantom domains: Errors and placeholders.Domain errorsErrors…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today