Remote working has undoubtedly introduced a number of benefits for businesses and their employees — streamlined costs, increased productivity, and an improved work-life balance, to name a few — but it’s not without potential pitfalls and concerns. One area that businesses might quiver at, for example, is online security — the logic being that with employees accessing company programs and files from a variety of locations, their data is less secure than it might be in a physical environment.
While that’s not always necessarily the case, a certain unease is understandable: remote work does introduce a number of different challenges when it comes to online safety and security, after all. With that in mind, how can remote businesses protect themselves against online security threats while continuing to operate flexibly and productively?
In this guide, we offer our top online security tips for remote businesses and their employees. Let’s begin.
Create a clear remote working policy
Whether your business operates exclusively with remote staff — as around 1 in 6 businesses currently do — or you adopt a hybrid approach that combines both remote and in-person working, it’s important to set out a clear remote working policy so your employees know exactly what’s expected of them when working remotely.
Not only will this have a positive impact on your business’ culture — as it will help to ensure your employees are aligned in terms of remote working expectations and reduce the potential for conflict — but it will also introduce better security practices, as your staff will have a clear outline of what’s required when it comes to ensuring the safety of company devices and data when off-site.
For example, your remote working policy might include instructions relating to:
- Your employees’ responsibilities when it comes to preserving the security of the sensitive company or customer data.
- Expectations regarding usage of company devices when working remotely (for example, the types of websites they should avoid visiting when using a company device, keeping devices secure when out and about).
- Where they are permitted to work when outside of the office (for instance, are you happy to allow them to work in public places such as cafes or co-working spaces?).
- The level of training and support they can expect to receive (this might include on-the-job training as well as operational and emotional support).
Enforce strong password use
Chances are, many of us roll our eyes each time we’re reminded of the importance of strong passwords, but there’s a reason it’s so often repeated: good password hygiene is fundamental to online security, whether you’re logging in to your favorite streaming service at the weekend or accessing a company device from your home office. Therefore, a password policy is essential for all businesses — but especially those with remote workers.
Your password policy should include at least the following tips for a strong password use:
- Avoid using common words or character combinations: A numerical sequence such as “123456” is a no-no, as is using a predictable character sequence like “qwerty” — these will be easily guessable to an attacker using brute-force methods.
- Prioritize length over complexity: Longer passwords are typically more challenging for an attacker to guess, so ensure your password contains at least 8 characters. It may be better to opt for a passphrase (for example, a series of three or more unconnected words separated by spaces) for added security.
- Don’t use the same passwords across multiple accounts: While it can be tempting to do this for convenience if one of those passwords becomes compromised then every other account using the same password is also at risk.
As a business, you can support your employees to create strong, unique passwords by using a password manager such as Dashlane. Not only will the tool enable the automatic creation of strong passwords, but it will also mean that employees can store and share passwords securely — and therefore, they won’t have to worry about remembering the passwords for all of their separate accounts.
You can also add an additional layer of password security by introducing two-factor authentication. This means that each time an employee logins into a particular system or software tool, they’ll be asked for two forms of identification: for example, their account password, followed by a code that is sent to a separate device they own.
Regularly install software updates
When you update software to its most recently-released version, you’re not just benefiting from improved functionality and added features — you’re also ensuring it’s protected against the latest security threats. Software vendors regularly release updates to their software, and these newer versions will address and remediate any previously-discovered security issues.
Outdated software versions — such as operating systems and web browsers — often contain vulnerabilities that are well-known to cyber criminals, meaning that if an attacker is able to discern which version of software you’re using (not to challenging a task for an experienced hacker), they’ll know precisely which vulnerabilities they can exploit.
To ensure the software is regularly updated, implement a ‘patching policy’ whereby you periodically check for software updates and install them as soon as possible. Alternatively, many software providers include an auto-update feature enabling updates to be installed automatically as soon as they become available.
Use a centralized storage solution
When your business is remote, it’s imperative that important documents and files are stored centrally so that they can easily be accessed and shared by teams across the organization — but of course, it’s also essential to ensure they’re stored securely. In a remote environment, you’ll almost inevitably be leaning on cloud-based storage — meaning your files are accessible from any device, provided the user has internet access at the time.
While there are understandable reservations about storing potentially-sensitive information in “the cloud”, cloud storage is generally a good thing for security. That’s because all files are encrypted and backed up, meaning they’re protected by an encryption key and recoverable in the event of a security issue. You should discourage your employees from storing documents locally on their devices, as they’re at greater risk of being lost or compromised.
However, businesses are increasingly using the cloud for reasons other than just file storage — and this is important for security, too. Think about how and where you’re hosting company websites. If you’re using a shared hosting service, for example — typically the most affordable type of hosting — you might be at greater risk than if you’re using a more powerful and secure alternative such as a cloud-based host or a virtual private server (VPS): Cloudways explains the subtle differences between cloud and VPS hosting here.
Use a Virtual Private Network (VPN)
If you’re flexible about where your employees work from — for example, you don’t mind them working remotely from coffee shops, trains, or co-working spaces — using a virtual private network (VPN) is especially important. This is because public Wi-Fi networks are often unencrypted, meaning it might be possible for someone with malicious intentions to infiltrate the network and view or steal information being sent over it.
A VPN such as ExpressVPN ensures any data transferred over a network is encrypted, meaning your employees can connect reliably — and safely — to the internet wherever they are, and whatever device they’re using. This means they can access company programs, share files, and browse the internet with less risk of falling victim to a cyber attack. Any remote-based business — or any business that allows its staff to work remotely at least some of the time — should be using a VPN to ensure their employees are connected securely at all times.
Conduct security awareness training
In a remote work environment where employees are often working in isolation, it’s important to maintain a high level of security awareness: after all, an organization’s security credentials are often only as strong as the people working there — its employees often represent the first (and last) line of defense against online threats.
Regular security awareness training is therefore vital, and it should be carried out at least once annually. A good cybersecurity training program should cover a variety of areas, including:
- How to identify phishing attacks: Phishing is a type of social engineering attack that targets individuals and coerces them into clicking a malicious link or providing sensitive information. It is typically conducted via fraudulent emails sent to work or personal email accounts, and it’s crucial that employees know how to spot and report a phishing scam.
- How to browse the web safely: When employees are using company devices to access the internet, it’s important they know how to detect online threats, avoid potentially-unsafe websites (i.e. websites that do not use HTTPS encryption), and take care when downloading files or applications.
- How to use social media responsibly: Attackers can glean sensitive information about a company through social media. Make sure your employees are aware of what information they should and shouldn’t be posting or sharing via social media, whether they’re using a personal account or your business account.
It’s also important to consider that cybersecurity threats are constantly evolving, so it’s essential to ensure your training material is up-to-date. Udemy has a range of cybersecurity training courses, ranging from basic introductions to online security for beginners — perfect for remote-based new starters — to more advanced courses for security professionals.
A good understanding of cybersecurity best practices is essential for all businesses that operate online, but there are additional challenges and considerations for companies that employ remote staff. In a remote work environment, it’s vitally important to establish clear policies and procedures, enforce the use of strong passwords, regularly update software programs, use a secure file-sharing solution and an encrypted connection, and engage in regular security awareness training.