The pandemic has caused a lot of businesses to pivot and adjust to a work-from-home arrangement. As employees stay home and refrain from going into the office or workplace, they still need to use technology to do their jobs. We can't get around it - computers, the internet, and Wi-Fi are crucial and many depend on them to fulfill their job responsibilities. However, having employees work from home exposes employers to a host of cyber risks that they may not have faced when their workers were in the office or at the workplace.
COVID-19 has opened the door for a variety of scams as merciless hackers target unsuspecting computer users. Employers need to be aware of the risks that the pandemic has created on the cyber front and the scams that their employees could see, and they also need to know how to help their remote employees keep their computers secure. Here's what employers should know.
Why businesses need to think about their cyber risks.
Unfortunately, one effect of the pandemic that small business owners have to contend with is that scammers could take the opportunity to trick people, playing on the fear that COVID-19 has caused. Another is that remote work presents new and unique cyber risks for small businesses that have sent their employees home. What it all boils down to is that a cybersecurity breach can be devastating for businesses. It’s impossible to overstate the importance of cybersecurity.
As far as new scams go, COVID-19 has given online hackers and scammers a variety of ways to trick people. A Forbes article points out that new scams involving health, unemployment, and business loans are very real possibilities that your employees may have to contend with. Even scams involving masks are a possibility. It’s important that your employees know not to click on suspect emails, particularly those that involve COVID-19. Computer criminals use these topics to try to get people to click on malicious links that install ransomware, which is a program that allows a hacker to take control of a website and take it hostage, demanding money in return for its release. Scammers also use phishing attacks in which they try to fool people into giving up money or sending credentials.
And because a lot of people use the same password for multiple accounts, it can lead to vulnerabilities in other platforms if one is compromised.
Remote work risks:
Remote work has opened businesses up to a variety of new risks. Cybersecurity is increasingly challenging to control and there are potential risks for employers when their teams are home, such as the security of employee Wi-Fi and the physical safety of computers and other work equipment, as well as who has access to it within at-home workspaces. Establish rules for Wi-Fi passwords and how work computers are to be protected, including securing them so only the employee has access, especially when the employee has visitors or service workers in the home. Another important action to take is to ensure your system security measures continue, including applying security patches to protect against malware, which is software that’s placed onto a device with the intent to cause harm.
How can employers help their employees protect themselves from cyber risks?
You and your employees must be at the top of your cybersecurity game. As an employer, you have to educate your employees on how to secure their computers and on what types of security measures you expect from them. When your employees are on the computer, they also need to pay attention to the website certificate, which indicates that the site uses encryption to protect the user, and make sure that the certificate is valid. (If a website has a certificate, there should be a padlock icon near the URL and the URL should have https:// instead of just http://.) Here are a few tips for businesses to help their workers protect themselves from online risks.
1. Inform your employees about online work guidelines.
If you have a remote workforce, you’ve probably had to roll out some cybersecurity and online work guidelines. You need to make sure your employees understand your guidelines and that they know the importance of keeping up with cybersecurity. They ought to know what you expect from them as far as computer security measures are concerned.
2. Establish rules for strong passwords.
It might seem basic, but it’s really important that everyone knows what constitutes a strong password. A proper password should have a combination of upper and lower-case letters, numbers, and symbols, and ideally, a password would be eight or more characters. It’s also really important to make the password guess-proof. Anything that needs to be password-protected warrants being guarded by a top-notch code.
(Another consideration - make sure that your employees know that they shouldn’t share passwords or login information with anyone, including over email or instant message.)
3. Warn employees about suspicious emails.
Emails can be a source of trouble. Your employees need to know not to open suspicious-looking emails, or click links in suspicious-looking emails. Emails that look fairly innocent can be anything but, so let your employees know that they should be on the lookout for fishy messages. Hackers try to get people to give them private information or to download things like malware on their devices. Your team should know that if they’re ever in doubt about an email, they just shouldn’t click on it. If it looks like it’s from someone they know but they’re not sure, they should call or speak with that individual in person, if possible.
4. Conduct cybersecurity training.
It’s also worthwhile to explore having cybersecurity training for your employees to go over essential and crucial information concerning cyber threats. Many programs will cover topics such as scams and attacks (including email-related scams) to prepare your employees for what they could one day encounter.
Cybersecurity training for your employees should incorporate the following…
- Keeping the workspace free of confidential information or passwords. There should be a section of training involving the importance of keeping papers or even memos with private information secure. Whenever the employee is not at their desk or workspace, these papers should be hidden in a secure place.
- How to keep personal devices secure. If the employee will be using their own devices for work, they need to know how to keep them safe. They also need to know what your expectations are as far as keeping these devices secure. There should be qualifications for what devices are and are not acceptable for work use.
- Proper use of flash drives. Thumb drives and flash drives present cyber risks, such as malware. Your employees need to know not to use external devices like flash drives and hard drives that have not been approved.
- Internet security. Cybersecurity training should also include a section about Internet safety. This can include topics like what sites are approved for use during working hours, deactivating pop-ups, and not downloading software from disreputable places. Since the Internet is unavoidable, it’s important to go over how to use it securely.
- Workplace security. Currently, a lot of employees are working from home, but there may also be a section of cybersecurity training that goes over the importance of keeping the office building itself secure. There might be topics like not leaving passwords on desks, not leaving computers without password protection, accompanying all guests in the building, and so on.
- Email training. Emails present an enormous risk to employers. Even if you use an email filter to catch spam and suspicious email, employees should be trained on how to identify suspicious emails, and they need to know not to click on links or attachments in suspicious emails. They should know how to deal with spam and the proper procedure for reporting unusual emails. (And of course, they need to know not to send money or confidential data in response to emails that ask for it without first verifying the request over the phone, using the company directory rather than any contact information contained within the email.)
- Social media. It’s not just email that can open the door for phishing attacks. Social media can also present the opportunity for phishing, so your employees need to be aware of the risks. You might consider banning social media sites on work equipment for employees who do not need access to those sites to perform their job duties.
For your cybersecurity training, you might consider looking into programs like KnowBe4, which offers security awareness and training services led by computer security experts.
5. Keep all software updated and secure.
If you have a virtual private network or another system to allow for remote work, make sure that it’s secure. The system also needs to be monitored closely so that you’re aware of anything strange going on.
Now, about updates - as the employer, it’s your responsibility to make sure that all professional devices are kept updated. As far as updates go, here are a few tips:
- Keep your software licenses updated and apply security patches as they are released. Consider appointing a team member to keep up with it.
- Turn on automatic updates for the business’ operating system.
- Keep plugins on your browser, like Java, current.
- Use web browsers that are updated regularly, like Chrome or Firefox.
And a few other considerations – you should also make sure that all of your important data is always backed up, use multi-factor authentication for additional security, and check that all systems have secure firewalls. Make sure that your employees know not to use personal technology, like smart-home devices, for work purposes.
6. Have IT support available.
Employees might not be terribly confident in their computer abilities, so if possible, have some IT support available. Let everyone know what IT help is available to them if they encounter any problems or have any questions. (And let them know how to reach an IT person.) It’s better if your employees are able to reach out to a professional who can help them address computer issues.
Should you consider cyber liability insurance?
Today’s cyber risks might make small business owners wonder what they can do to further protect themselves from the fallout of a hack or data breach. One way that small businesses can protect themselves is through cyber insurance. This coverage can protect a business if it gets hacked or is subject to a data breach by helping to cover the business’ liability if its customers’ personal information is taken. (Again, the potential risk of being hacked is why cybersecurity has to be a priority for small businesses.) If you’re the victim of a hacker, the costs for your business can be very high, but cyber insurance can help your small business recover from the incident. An article from the International Risk Management Institute notes that cyber insurance can cover expenses like the costs of notification and credit monitoring.
Of course, insurance policies vary, so you need to read yours very carefully to make sure that everything you need to be covered is included. Ask questions if you’re not sure about the risks that are covered and find out exactly how your cyber insurance will protect your business.
Protect your business from cybersecurity risks during the pandemic.
As the pandemic continues and employees work at home, employers have to be aware of the risks that come along with having remote workers. Scams and phishing attacks aim to capitalize on the current situation, and there are new vulnerabilities inherent in working away from the office environment. Small businesses need to make sure they are addressing cybersecurity and talking with their employees about keeping their computers and devices safe from hackers. Though hackers are crafty, there are measures you can take to make their mission more difficult and to thwart cyber attacks before they happen.
This post was contributed by InsuranceHub, a technology-driven insurance agency that serves over 15,000 clients across the United States.