Maximizing network security for your business and your employees starts with human behavior. 90% of cyber attacks result from human error, often from non-IT employees who unintentionally expose the company to bad actors. In the era of COVID, remote working and hybrid offices complicate the problem by increasing the exposure and risk to a company’s digital data. How can CEOs balance the need to protect the business from attacks with providing the remote and hybrid work setups that attract top, dedicated talent? Here are some tips for controlling data access, handling unauthorized applications, and conducting cybersecurity training.
- Control the right access
Remote workers and those in hybrid environments pose questions of access and control. These employees spend time working from home, in a Starbucks or in a hotel room in Vegas. They are not limited by location, which is great for morale, but makes it harder for the business to control access. From a C-suite perspective, access management means a mix of awareness training and access controls.
A first line of defense is to review and improve password protocols. Tighten password requirements and enforce frequent ID changes. Require the use of a password management tool and implement multi-factor authentication for access to every application, storage, communication and other platform. These measures make it more difficult for hackers to exploit stolen credentials, which often leads to phishing schemes or ransomware problems.
Access controls should also delineate employee-specific data and systems based on roles. Do not give “all access” by default, but rather examine the roles and determine the weak points. Can the marketing manager access the company’s financial records? Should the accounting team review proprietary product research and development records? Matching access to roles reduces points of exposure, especially for remote workers who might step outside the approved methods of retrieving corporate content.
- Shed light on Shadow IT
When left on their own, teleworkers and those working in hybrid environments often choose their own technological tools. They will use WhatsApp to talk to colleagues and partners, or Google Drive to share documents with a provider. They use familiar tools that help them get things done in their personal lives, so it is only natural that they use them in their professional work. Although most employees use these tools for productivity reasons, it is very likely that the tools are not on the list of programs and actions approved by IT. These employees are engaging in “shadow IT”, the use of unauthorized software and hardware tools that can expose networks to security breaches.
With a remote workforce, there is much less IT visibility into an employee’s actions. The worker can use a secure corporate connection to check out files, but then talk to a coworker through Facebook Messenger instead of the trusted chat tool. Organizations need policies and controls in place that monitor and restrict certain activities. Management teams need to find the right balance between ensuring access and productivity and securing company data. If current IT infrastructure and policies make it much more difficult for remote workers to perform their duties, and these workers are under pressure to perform, then it’s understandable that they move away from approved tools. The CEO and CTO must deal with these situations to ensure the removal of any obstacles while reducing the potential risk of unapproved tools.
- Use contextual training
The training of remote workers must be accompanied by empathy and understanding, not just policies and mandates. Many remote workers have spent years or decades in the business, and adjusting to working at home takes time. It’s a different environment, filled with personal distractions and a mix of responsibilities. Mistakes are inevitable, whether it’s the employee forgetting the corporate VPN and using an unsecured network to access data, or sending a note to a colleague through their personal email instead of a business address.
CEOs can play an important role in requesting training that reflects the complexities of remote working. They can require their own participation and that of the management team, as any employee may unintentionally put the company at risk. This training should link the actions of employees to the potential exposure of the company and the loss of their jobs. Providing some background on the ways in which hackers gain access to systems makes the training more relevant. Show employees stories about ransomware attacks that have crippled a business. Give them examples of businesses damaged by phishing schemes and provide technology tools that prioritize security and privacy, such as GOFBA – a secure search engine and communications platform.
Training for remote workers should cover BYOD policies. Can employees use their personal phones and laptops for work, or do they need company-supplied devices? For hybrid work environments, do employees follow the same procedures at home as in the office? If there are exceptions to the rules, does this pose a security risk? The training should also cover phishing prevention, the use of USB drives, the dangers of unsecured Wi-Fi and other similar topics.
CEOs can reduce their business risk exposure and improve employee productivity by investing in comprehensive workforce management. The most successful companies are those that protect the company’s digital assets while leveraging the benefits of a well-trained remote workforce that drives positive business outcomes.
Written by William DeLisi.
The opinions expressed are those of the author and are not necessarily those of CEOWORLD magazine.