Editor’s Note: The author is founder and CEO of Netology, a Stamford-based IT services provider that manages network systems for many small businesses in the Tristate area. Netology is a CEDF client.
In the past eight months we have seen many of our clients and partners shutter their office locations and either work completely remote or employ a skeleton or rotating office staff strategy. We have also seen some of our clients (NYC, in particular) completely abandon their leases and plan to work remotely for the indefinite future.
As the stay at home/work from home impact from COVID has swept through the business world, a lot of small businesses’ IT systems have faced increased security risks. The increased risk stems from the use of employees’ home computers or devices combined with flawed remote access solutions that can allow cybercriminals not only access to an employee’s personal home device but also to their employer’s digital assets.
When an employee’s device is owned and managed by the employer’s IT department or IT service provider there is likely what’s called endpoint security software in place to monitor, prevent and control any threats. If the business adheres to IT best practices, there would also be network security systems in place that can detect and or prevent network threats and activity.
On the flip side, we are seeing remote employees use their home or personal devices to access their employer’s IT systems remotely. These devices often are not up to date with operating system patches, lack the proper endpoint security software or even worse, have local administrator rights. So, when these unprotected home devices get connected to the company network via VPNs, they become the weakest link in the security chain and can expose the company’s digital assets to potential cyber criminals. Think about what a ransomware threat could do to the company share drive!
The best solution for organizations to employ for these work from home risks, is to provide company issued and managed devices for the employees to use from home. Unfortunately, if the business doesn’t generally issue laptops, this can be quite expensive and cumbersome.
When purchasing all new devices for employees isn’t realistic, the next best thing is a well-defined BYOD (Bring Your Own Device) policy combined with a cloud sharing platform with some extra security add-ons. You’ll need technical help from an experienced IT company to implement this.
BYOD policies can provide a little piece of mind for IT departments as they can instruct employees as to what is an acceptable device to use when accessing work related information. Since these devices are unmanaged, the ultimate responsibility of keeping them secure is up to the employee (which is scary). Combining a BYOD policy with a traditional virtual private network (VPN) access solution is not a good idea.
Therefore, we are seeing many small businesses adopt cloud platforms like Microsoft’s OneDrive to alleviate the risks associated with directly connecting to the office network via traditional VPN. Even if the remote employee fails to bring their BYOD device up to standards, there are extra protections in place with such cloud sharing platforms. For example, Microsoft OneDrive includes ransomware protection so users can revert back to previous versions of ransomware encrypted files in the case of an attack. While there are many security add-on services and subscriptions that can be added, the most important one is multifactor authentication (MFA). You are likely familiar with this tool as your bank or insurance company website might insist on texting or phoning you with an access code to use in addition to your password. MFA alone, can effectively reduce the risk of attacks.
In summary, organizations need to take a hard look at the security of their remote access systems and ask if they keep their digital assets reasonably safe. Implementing MFA can be a quick and effective way of improving overall security, but developing an overall strategy (like moving from a traditional VPN to the Microsoft Cloud) for mitigating risks created by employees’ home BYOD devices is usually what is needed.