An ethical hacker’s guide to remote work for business owners and their teams

It wasn’t a tech revolution or the growing power of superstar employees that pushed the world into a massive remote work experiment, but a pandemic. 

Now that this is the new normal, business owners across industries are trying to figure out how to quickly adjust their equipment, tools, and processes to this new way of working. With burning priorities competing for attention, we know you need all the help you can get and we’re here to help you make this transition safely. 

Save time and mindspace by going through the items below and applying them to your own organization. It may take a bit of effort and time to implement these essential safeguards but you’ll benefit from them tenfold. It’s how you can avoid costly and damaging attacks that no business in the world needs right now. 

Prevention is everyone’s focus these days. Make it yours too to ensure your business runs as usual and that you can dedicate your resources to coping with current and future challenges. 

You’re not alone. We’re here to help. 

1. Ensure basic security for home wifi routers

One of the most important things to ensure is that the home wifi network is secure enough. You won’t be able to replicate your office setup but there are a few things you can do:

  • Change the name of your default home network (which is usually the router model)
  • Change the router’s default password to a strong and unique one (at least 8 characters, use upper and lower case, numbers and special characters)
  • Turn on the router’s network encryption and set it to (at least) WPA2 PSK
  • Disable remote access if that’s a feature your router has 
  • Update your router’s software and make sure to keep it updated 

If you have employees who are less technically-inclined, have someone guide them through securing their setups or provide approved and verified guides and resources they can follow. 

2. Apply essential security layers for devices your team uses for work

If you allowed employees to bring or use their own devices for work before the pandemic, you may already have rules in place that ensure they’re safe to use. If not, you’re going to need a BYOD security policy or guide employees can use. 

When making this request to employees, it’s helpful to highlight that it benefits them as well, because their overall security increases – both for work and personal online activities. 

If your employees use their own devices for work, make sure to provide them with: 

  • A reliable anti-malware solution that is set-and-forget and works in the background
  • A trustworthy VPN to encrypt all their communication to and from company websites and other digital assets 
  • A safe, cloud-based way to share documents and other assets 
  • A secure way to communicate with their colleagues in real time (apps like Google Hangouts, Slack, Microsoft Teams, or others) 
  • Weekly reminders to update their operating systems and applications, especially for those that don’t have automatic updates as an option 
  • A set of must-have security settings for both desktop and mobile devices, per operating system. 

You may have to accompany these solutions with at least a short list of dos and don’ts, so employees know how to integrate all these tools into their workflow in a way that supports their productivity. 

3. Indicate safe places to download apps 

Since most threats originate in phishing and scam emails or malicious and compromised websites, browser and device security is essential. 

Guide your team to download apps only from sanctioned, safe places. Have a list of handy app recommendations for whatever they may need, so they can refer to secure websites. 

Choosing to restrict and limit the tools and services they can use may end up causing frustration and can make your employees get annoyed at the entire concept of security. To make these safe habits stick, encourage them to ask questions about the apps they want to use, and be positive and constructive in your feedback and guidance.

4. Make 2FA mandatory for company services 

“There are over 300 million fraudulent sign-in attempts to our cloud services every day.”

This figure, reported by Microsoft in 2019, has most likely increased significantly in the context of the current crisis. Even the president of the European Commission, Ursula von der Leyen, warned that cybercrime is on the rise in Europe.

While many users may find it a hassle, two-factor authentication is more important now than ever. According to Melanie Maynes, Senior Product Marketing Manager at Microsoft Security, it can “block over 99.9 percent of account compromise attacks.” 

To encourage your employees to enable two-factor authentication, start by making it mandatory for company services. What’s more, you can also reward those who use it for their personal accounts too, setting a good example for the rest of the team. 

This simple security measure can save you a world of trouble down the road. 

5. Remind everyone that lock screen still applies 

While employees may be tempted to leave their laptops, tablets or phones unlocked at home, you should remind them that the lock screen rule still applies there. Not that you suspect their families or partners have malicious intentions, but negligence can be as damaging as mischievous behavior. 

With kids running around and touching everything, work may end up getting deleted or misplaced. A simple lock screen habit is good to have both in the office and everywhere else. 

6. Backups – it’s time to treasure them even more 

When your team is distributed and work gets done in a more varied way than before, it’s fundamental to make sure that you have good, reliable, frequent backups. 

Breaking down big, complex projects into smaller pieces, so team members can operate more independently or cluster together when they need to, is an efficiency booster. But you also have to make sure you can piece their work back together. 

An essential part of that process is to back up as often as possible and ensure everyone’s work is safely stored, no matter what happens on their end. This covers your bases for both security and compliance, giving you a bit of extra peace of mind which – to be frank – we all need more of these days.

7. Mindset and habits – even more powerful than tools

Cybersecurity tools can only do so much. What’s even more important is how your team behaves online. 

Advise them to be careful around their social media usage. This includes refraining from oversharing, which most people are prone to because they crave the connection that the office routine used to give them. 

What’s more, a clear mind is as important as online security. True security starts with a certain mindset which is not something any combination of tools can provide. 

Getting information from legitimate sources is essential, especially with fake news spreading like wildfire. We created a dedicated guide for business owners like you, so you can strengthen your critical thinking in times when a huge volume of information and issues compete for your attention. 

Gently advise your employees to value clear thinking and remind them that all their actions and decisions – just like yours – influence the company’s evolution. Security is the compound effect of daily habits. 

To make online safety more actionable, create a handy FAQ and make it available for the entire team. You can go as far as to create a dedicated channel on your instant messaging platform of choice (Slack, Teams, etc.) where people can ask security-related questions and find the answers they need. The less confusion they have around the topic, the faster they’ll warm up to all these security measures they have to apply. 

8. Be open to questions 

Either publicly or privately – be sure to make yourself available to answer security-related questions. If, for whatever reason, you can’t do this yourself, appoint someone in the team who can. 

Reply to questions promptly and respectfully, no matter how silly they are. Don’t make people feel bad because they can’t handle the tech – that’s a sure-fire way to make them reject advice, guidance, and generally start hating the topic. 

To make security a habit, it has to feel approachable and doable. That’s why encouraging and rewarding reporting of phishing attempts, potential attacks, and other suspicious activities makes such a difference in companies that have been training their employees for years.

9. Set reasonable expectations 

This is a big adjustment for many people. 

The first few days of working from home may leave your team irritated, uncomfortable, unmotivated, or just plain exhausted. You may experience the same. 

Adding security tips to the list may just add to your fatigue right now. Make sure your team knows you understand. Take it one day at a time, one step at a time.

Business cybersecurity must-haves 

In times like these, it helps to go back to cybersecurity basics.

You don’t need to add strain to your budget or operations with sophisticated tech or processes. Just ensuring you implement these 5 basic security controls in your business can reduce the risk of a cyber attack by a whopping 85%!

The Center for Internet Security recommends you:  

  1. Do an Inventory of Authorized and Unauthorized Devices
  2. Do an Inventory of Authorized and Unauthorized Software
  3. Make sure you have Secure Configurations for Hardware and Software
  4. Ensure you conduct Continuous Vulnerability Assessment and Remediation
  5. And implement Controlled Use of Administrative Privileges.

On top of these 5 key controls, we recommend adding two more: 

  • Leave no critical service exposed online. Your core business assets should be shielded from public access. Think of things like your customer database, for example. Remember: anything connected to the internet is at risk.
  • Ensure you have at least minimal business continuity plans. If something does happen (an attack, a breach, phishing, etc.), do you and your employees know what to do? Do you know who to call and how to report it? Do you know who should make sure to get the systems back online and contain the breach? Answering these questions helps you put together a business continuity plan that can be incredibly useful in a crisis, when you need to respond to incidents effectively.

The current context is quickly and drastically changing IT environments. They are becoming more complex to defend as we speak, but the basics make a world of difference for your business. 

Taking the actions above should be part of your priorities as a business owner because they’re highly effective. We recommend working together with your IT specialist or the IT company that manages your tech assets to implement them. 

If you don’t have that help handy, you can always reach out to us for advice, guidance, and a customized action-plan we can implement with you or for you.

We know you have a lot going on right now and that it’s not going to change anytime soon. We’re here to help you navigate the complexity – and urgency – of cybersecurity for your business. We’re in this together.
