Small and medium businesses (SMBs) had to move fast to enable their people to work from home during the lockdown in 2020. In some cases, they took security shortcuts to get up and running. But with many companies settling into a permanent mode of remote or hybrid work, now is a good time to evaluate whether there are any gaps in their security processes and systems.
The State of Hybrid Workforce Security 2021 report, which surveyed 3,000 IT leaders worldwide, discovered that 48% of organisations admitted to compromising security or increasing security risk through lighter-touch enforcement of security policies. Over a third (35%) of respondents agreed that their employees either circumvented or disabled the remote security measures.
But with cybersecurity risks growing and stricter data privacy laws in place (such as POPIA, which came into effect in July), companies need to put the right security measures in place to defend their information and systems for the long term. Here are some best practices for SMBs with hybrid work models to consider:
1. Focus on end-user education
A good starting point for refreshing cybersecurity for a hybrid world is to assess the company’s document security policies (if it has any), update them to cater for remote working, and socialise these policies with the team. End-users should be trained in security basics, such as the importance of avoiding unsecured Wi-Fi networks and how to recognise security threats like phishing emails. They should also know how to recognise the signs of a malware attack or security breach and how to respond.
2. Enforce multi-factor authentication and strong passwords
In a world of cloud-first apps, anyone who has a user’s password and login can potentially access their sensitive data over the web. This risk can be mitigated by using strong passwords and multi-factor authentication (MFA). With MFA, users will get a one-time password or PIN emailed or texted when they want to access a system. Alternatively, they could use an app like Google Authenticator or a hardware token to generate a code.
When it comes to passwords, a good password should be long (the more characters the better); comprise a mix of upper- and lower-case letters, numbers and special characters; and not be based on an easily guessed sequence like a dictionary word or the user’s private information.
3. Be mindful of physical security
Physical theft of a device remains one of the largest security concerns. Ensure that end-users understand the importance of securing mobile devices, notebooks and other equipment with a strong PIN code or password. If a device stores sensitive information on a local drive, it should preferably be encrypted. Also, enable the ‘Find My PC/Phone/Tablet’ feature on devices to improve the chances of recovery if a device is lost or stolen; depending on the device, it might be possible to remotely erase its data.
4. Consider making VPNs mandatory
Many remote employees are accessing business information using their home networks or even public Wi-Fi. Virtual private networks can help to secure business information in these settings. VPNs encrypt all traffic leaving and entering devices, meaning that if someone manages to intercept the info, all they will see is unusable encrypted data.