April 18, 2023 By Jennifer Gregory 4 min read

The debates have (mostly) stopped about whether remote work is here to stay. For many people, it’s just the way we work today. However, even three years later, cybersecurity around remote work is still a top concern. Both companies and employees have room for improvement in terms of protecting devices, data and apps from cybersecurity threats when working remotely.

In addition to remote working causing new vulnerabilities to attacks, breaches involving remote work are more costly. The IBM Cost of a Data Breach 2022 Report found that around the globe, remote working increased the average cost of a breach by nearly $1 million. Breaches in the U.S. with remote working cost $600,000 more than the global average.

Though companies set up remote working policies and security at the beginning of the pandemic, employees may become lax over time. Now is the perfect opportunity to revisit best practices and improve cybersecurity for your remote workers. By taking proactive steps, you can reduce your organization’s cybersecurity risk when it comes to remote work.

Build a culture of cybersecurity

Many employees mistakenly believe that cybersecurity is the IT department’s responsibility. In today’s culture of threats and connected devices, that’s no longer true. In fact, it’s even less the case when employees are working remotely. Instead, they must become their own cybersecurity expert for their remote work setup and home office.

By moving to a culture of cybersecurity, remote workers feel empowered and responsible for cybersecurity. Workers who have the knowledge and the responsibility are more likely to follow best practices and report any suspicious activities. However, creating a culture of cybersecurity takes a concerted effort, starting with organizational leaders. The transformation happens over time, with repeated messages and training, not through a single training class or memo.

Provide virtual private network (VPN) access

Organizations should ensure that employees are using a secure network for all company work. Many companies expressly prohibit doing company work on public wireless. But in today’s workforce, people often need to get work done in locations other than their homes. When you provide a VPN Transport Layer Security (TLS), your employees can create a secure network wherever they are located so they can send the client a contract or help a customer resolve a problem — no waiting to get home or to the office required.

Remind employees to change default passwords on home routers

Many people simply set up their routers and get started. If the user leaves the default password on the router, cyber criminals can easily hack into the network. Educate employees that strong passwords apply to routers, and regularly send reminders to remote workers to change their router passwords.

Require employees to password protect devices

If an employee loses an unsecured work phone, then a cyber criminal can gain access to the network with relative ease. By requiring all devices used for company business to be protected with a strong password, you reduce your risk. Some companies take it a step further by requiring biometric passwords, such as fingerprints or facial recognition. Employees who lose their devices should contact IT immediately so the device can be locked and remotely wiped to decrease risk and diminish its value to cyber criminals.

Create remote work cybersecurity policies

Once your employees are trained on best practices, put those guidelines in writing and have each employee sign them. Be sure to include any requirements for encryption and secure networks in the policy. Additionally, detail any restrictions on using personal devices for work purposes. To keep the policy top of mind, require each employee to sign an updated version each year during their annual review.

Require employees to use anti-malware software

Any device used for company data, including personal laptops and cellphones, should have anti-malware software. Additionally, the employee must regularly update the software with any new patches or bug fixes. Every device with even a single unpatched software program significantly increases the company’s risk of a cybersecurity attack or breach.

Focus on phishing

Remote workers may let their guard down against phishing scams or social engineering if they are working on their couch or back patio. The IBM 2022 Cost of a Data Breach Report found that phishing was the second most common cause of a breach, accounting for 16% of breaches. However, phishing breaches cost organizations the most money of all types of breaches, at an average of $4.91 million in breach costs.

When you provide employees with training on best practices, such as not clicking on unknown links or not downloading files from people they don’t know, they are more likely to avoid phishing scams. Be sure to also provide employees instructions on what to do if they receive a phishing email or actually click on a potentially malicious file.

Consider endpoint detection and response

While anti-virus software should be an integral part of home office security, it’s simply the first step. With endpoint detection and response (EDR) solutions, remote employees have the same protections as they did in the office. If the employee clicks on a file that begins downloading malware, the EDR detects the threat and interrupts the download.

Remote working has become standard and simply the way we work. But it’s important to prioritize cybersecurity risks associated with working from home. By routinely reviewing and evaluating your remote work processes and practices, you can keep your organization as secure as possible, regardless of where employees work.

More from Risk Management

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

GenAI: The next frontier in AI security threats

3 min read - Threat actors aren’t attacking generative AI (GenAI) at scale yet, but these AI security threats are coming. That prediction comes from the 2024 X-Force Threat Intelligence Index. Here’s a review of the threat intelligence types underpinning that report.Cyber criminals are shifting focusIncreased chatter in illicit markets and dark web forums is a sign of interest. X-Force hasn’t seen any AI-engineered campaigns yet. However, cyber criminals are actively exploring the topic. In 2023, X-Force found the terms “AI” and “GPT” mentioned…

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today