By: Robert Rutherford, CEO, QuoStar
Even when COVID-19 stops dominating our headlines, the changes the pandemic has brought to your workplace will remain. The ‘hybrid model’ in particular is a buzz phrase you’ll already be familiar with. It means employees split their time between the workplace and a work from home (WFH) setup, and according to McKinsey, some 90% of businesses will permanently implement a hybrid work model in the coming years.
Businesses that embrace the hybrid model will hopefully enjoy improved staff wellbeing, greater staff retention and better levels of productivity. However, despite their intention to go hybrid, almost seven out of 10 businesses have no defined plan on how to do so.
This leaves businesses exposed to evolving cybersecurity threats. Cybersecurity is an even greater challenge for small to medium-sized enterprises (SMEs) working with smaller budgets, smaller IT teams, and without the expert advice available to big corporations.
So how do you protect your business from data breaches that could cost you severely and deliver irreparable damage to your brand?
Train your employees to identify and respond to cybersecurity threats
Any cybersecurity professional will tell you that the weak link in a company’s defences is its employees, with some 90% of cyberattacks linked somehow to human error.
However, those employees are also the first line of defence, which means they can also be a valuable asset in protecting your business. But employers need to make sure they are equipped and prepared to perform this role.
An introductory training course or company guidebook given to staff to read in their own time is no longer enough. Staff need regular training to stay alert to new threats. You already perform fire drills in case of an emergency, and you should practice cybersecurity drills so that everyone knows how to respond to a data breach. Staff should develop muscle memory for spotting threats like phishing attacks, vishing attacks and ransomware, and this can only be achieved through training and continual reinforcement.
Finally, it’s important to practice good communication with your team in order to spot mental health problems like isolation, burnout, or stress. When teams are away from the workplace these issues are harder to spot. Aside from promoting a happier workforce, it’ll mean your staff are more alert to security threats.
Ensure both your workplace and employees’ homes are equipped with secure and up-to-date software
First, perform a security audit of your infrastructure, then identify the risks that all of your assets face in the new way of working and document them in a risk register. It’s then also essential to evaluate the controls for those risks.
Even if a business had good security before the pandemic, its previous measures may no longer protect it, with staff accessing internal networks from around the world over all sorts of networks. It’s also important to identify the most valuable data you hold and where it is actually stored – after all, this is what hackers will want to steal or encrypt to demand a ransom.
Your workplace may be cyber secure, but your employees’ homes might not be. The majority will have purchased their home devices without thinking they’d have to use them for work.
They may be working on unsecured networks, click a malicious link, or have their laptops exposed to malware. And it takes just one infected device to log in to your corporate network and then your system is compromised.
As a minimum, there are several controls that all your team should be working with:
- Two-factor authentication – most breaches are a result of weak or stolen passwords, so providing an extra layer of security for logon is essential.
- A VPN – you must create a secure and encrypted network for your employees to use when accessing corporate data and systems to protect against third parties viewing and intercepting connections.
- Endpoint Detection and Response (EDR) – standard antivirus systems are just not cut out to protect against and respond to the current threats organisations face.
- Security Incident and Event Management – you have to be monitoring every part of your network and every device to spot suspect activity and track down security breaches.
You can buy the most expensive and secure security applications on the market, but your money will be wasted if your internal IT team doesn’t know how to use them effectively. Training is important, but so is regular testing by external parties. You can’t be marking your own homework.
Remember, your business is still liable even if your data is stored with a cloud provider
Cloud-based providers have made the transition to a hybrid model seamless for many businesses. They offer flexibility, scalability, and lower costs, all of which not only benefit a business in the short-term, but enable longer-term development too.
However, some 83% of business owners believe that a provider is responsible for protecting clients’ data, and this could be a costly mistake – your business is always liable for your clients’ data.
So, if you are trusting your data storage to an external provider, it’s important to ask the following questions:
- Have they been independently audited?
- Are they compliant with the latest regulations?
- Do you know what technologies and security controls they use?
An external partner can look after all your cybersecurity needs
There are 65,000 attempts to break into small to medium-sized enterprises (SMEs) every day, and around 4,500 are successful.
Each of these data breaches costs a UK business an average of £2.99 million, but it’s not just security costs you’ll be paying. There are legal fees to be paid, the business could lose brand equity and trust, and there will be lost productivity from your team while your systems are down. But the damage to your brand may be the costliest of all. Clients and customers will often just walk away, and new prospects simply won’t take the risk. It’s unfortunate but it is the reality.
A good IT support company should have a strong security arm to provide a tailored service that is focused on ensuring your business is compliant with all the latest regulations or simply best practice. Security leaders should be in place to take control of audits, compliance and breaches, whilst technical experts should be available to respond to an incident rapidly 24x7x365, as every second counts. The threat landscape has changed and it’s essential to have the right security skills and experience in place.