Data breaches are costly, not only in terms of potential out-of-pocket costs for employers, but also in terms of the potential damage to their reputations and brands. IBM’s Cost of a Data Breach Report, released in 2020, estimated the average global cost of a data breach at about $3.86M. When consumers’ personally identifiable information (PII) is involved, the costs can be even higher.
As hundreds of thousands of employees left corporate offices to follow stay-at-home or shelter-in-place orders due to the coronavirus pandemic, employers already challenged to ensure data protection for sensitive employee, customer and client data are faced with even more risks.
Employers aren’t the only ones with security concerns—employees feel the heat as well.
According to research by Nulab, a global software creation company, based on input from 1000 full-time employees, about one third believe that cybersecurity is a moderate to major problem for their employers. They point to the top cybersecurity issues as phishing (29%), malware or viruses (26%), hacking (15%), compromised email or social media accounts (14%) and data breaches (13%). Their concerns are not only for their employers, but for themselves (34%), their customers (18%) and their clients (16%).
To address these concerns, ongoing communication and education are critical.
Ongoing Communication and Education
It’s not enough to provide training once, or even on an annual basis, to employees in the hopes that this will be sufficient to minimize risk. Communication and education must be ongoing and episodic to ensure employees understand both the risks and their own roles in helping to protect company data.
Some key points to emphasize with employees regularly include:
- Establish a complex password that contains a combination of upper- and lower-case letters, numbers and symbols—change passwords frequently.
- Use completely different passwords across various systems and accounts.
- Store passwords in a secure environment and never share with others.
- Never access public networks with work equipment (this is a good safety practice for employees to follow with their own equipment as well).
- Beware of phishing attacks! Never click on a link or open an attachment coming from an unfamiliar email address. In addition, since the cyber-crooks are increasingly savvy and often change just minor elements of an address, make sure to check and double-check even emails from seemingly trusted sources.
Get your HR and/or training and development team involved in this process. Data security is not just an IT issue; data security is everybody’s concern—the more parts of your organization that are collaborators in the process, the stronger your protections and processes will be.
Beachgoer, A Case in Point
Beachgoer is an AI-assisted eCommerce startup that leverages big data to make profitable purchase decisions. Founder Finn Cardiff says the company was started “with the vision of offering beach products, outdoor products and toys all in one place.”
Even before the pandemic, the company had tapped into its HR team to help with cybersecurity awareness training, says Cardiff. “During this quarantine period when most of us are on remote work status, we’ve reinforced this by having them send weekly email reminders on remote-work security policies,” he says. Some of the key elements in the company’s cybersecurity policy manual include:
- Email encryption
- Access to work apps from an external network
- Creating and safeguarding passwords
- Social media use
- File sharing
- Third-party inquiries management
In addition, Cardiff says: “We have random checks to identify if our staff have complied with our multi-factor authentication requirements. This helps them to be compliant. If employees notice anything suspicious, we require them to report the incident right away to our IT department.” Employee vigilance is key, he says.
In addition to training and ongoing communication, here are some additional steps that employers should take to minimize cybersecurity risk.
Provide Protected Equipment
Even though the vast majority of employees these days have access to their own personal computers, laptops or tablet devices, a best practice for employers is to provide employees with company-owned devices. These devices should come equipped with antivirus software and should allow maintenance to be conducted remotely, so that the antivirus software is kept up to date and the devices are scanned regularly to detect any potential risks.
Beyond simply providing employees with the equipment needed to work from home, businesses should also take steps to ensure that employees understand—and abide by—requirements that this equipment is used only by them and not by other members of the family.
Limit Access to Only Those With Real Need
Just as when dealing with data access in the typical employment environment where employees are located on-site, employers should continue to limit access to data based on employees’ roles and legitimate business needs. COVID-19 doesn’t change that. Role-based access controls can be used to ensure that employees are only able to see the portion of the company’s overall data that is specific to their jobs.
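The role-based access control described above can be illustrated with a small model. The following is an added example and not code from the article or from Beachgoer; the roles, data categories and sample records are constructed for illustration. Each role is granted only the categories its holders need, an unknown role grants nothing, and denied lookups are written to an audit list so that over-reaching access attempts can be reviewed:

```python
from dataclasses import dataclass, field

# Constructed sample role definitions: each role lists the data categories
# its holders legitimately need for their job. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "hr_specialist": {"employee_records", "payroll"},
    "sales_rep": {"customer_contacts", "orders"},
    "support_agent": {"customer_contacts", "support_tickets"},
}


@dataclass
class Employee:
    name: str
    roles: set = field(default_factory=set)


def permitted_categories(employee):
    """Union of the categories granted by every role the employee holds."""
    allowed = set()
    for role in employee.roles:
        # Unknown roles grant nothing rather than raising: fail closed.
        allowed |= ROLE_PERMISSIONS.get(role, set())
    return allowed


def can_read(employee, category):
    return category in permitted_categories(employee)


def filter_records(employee, records, audit_log=None):
    """Return only the records the employee may see.

    records is an iterable of (category, payload) tuples. Denied lookups are
    appended to audit_log (a list) so reviewers can spot over-reaching access.
    """
    visible = []
    for category, payload in records:
        if can_read(employee, category):
            visible.append((category, payload))
        elif audit_log is not None:
            audit_log.append(f"DENY {employee.name} -> {category}")
    return visible


# Constructed sample data (not real company records)
SAMPLE_RECORDS = [
    ("employee_records", "Employee A: start date 2019-05-01"),
    ("payroll", "Employee A: salary band C"),
    ("customer_contacts", "Example Surf Shop: buyer@example.com"),
    ("orders", "Order 1001: 40 beach umbrellas"),
    ("support_tickets", "Ticket 7: damaged cooler"),
]

if __name__ == "__main__":
    log = []
    rep = Employee("sales_rep_1", {"sales_rep"})
    for cat, payload in filter_records(rep, SAMPLE_RECORDS, log):
        print(cat, "|", payload)
    print("\n".join(log))
```

Running the script as a sales rep prints only the customer contact and order records; the three denied categories appear in the audit list. The same check would sit in front of any report or export the remote employee can reach.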
Require VPN Access and Two-Factor Authentication
A virtual private network (VPN) encrypts the connection between the remote device and company systems and requires the employee to authenticate before connecting. That’s one step, or factor, in helping to protect company systems from potential hackers. Two-factor authentication adds another layer—requiring a second step to gain access, such as sending an access code via text to an employee’s work-issued cellphone or corporate email account. That means that, even if an employee’s login and password information is compromised, those who have this information will not be able to gain access to company systems.
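To show why a stolen password alone is not enough once a second factor is required, here is an added example that is not part of the article. It implements the time-based one-time password scheme (RFC 6238, built on RFC 4226) that authenticator apps use, alongside a salted password hash, and only grants a login when both factors check out. The in-memory user store, the `enroll` and `login` functions and the sample credentials are assumptions made for this example:

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed in-memory user store: {username: {"salt", "pw_hash", "totp_key"}}
USERS = {}


def hotp(key, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at_time=None, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the 30-second time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time // step), digits)


def verify_totp(key, code, at_time=None, step=30, window=1):
    """Accept the current step and `window` steps either side for clock drift.
    Comparison is constant-time so timing does not leak partial matches."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(key, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enroll(username, password, totp_key=None):
    """Register a user; the returned TOTP key is shown once (e.g. as a QR code)
    and loaded into the employee's authenticator app."""
    if totp_key is None:
        totp_key = secrets.token_bytes(20)
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_key": totp_key,
    }
    return totp_key


def login(username, password, code, at_time=None):
    """Both factors must pass; a stolen password alone is rejected."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    return verify_totp(user["totp_key"], code, at_time)


if __name__ == "__main__":
    key = enroll("employee1", "constructed-example-passphrase")
    print("password only:", login("employee1", "constructed-example-passphrase", "000000"))
    print("both factors: ", login("employee1", "constructed-example-passphrase", totp(key)))
```

The first `login` call fails even though the password is correct, which is the property the paragraph describes. The one-step window is the usual compromise between clock drift on the employee's phone and the number of codes an attacker could guess; a production deployment would also rate-limit attempts and refuse to accept the same code twice.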
Be Hypervigilant About Password Requirements and Updates
Implement or update password policies and requirements to ensure that employees are using unique, long, and complex passwords for each system they will access. A password manager can help with this by generating these unique and complex passwords and by prompting employees to change them regularly.
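The password rules in the bullet list earlier (length, mixed character classes, no reuse across systems) and the password-manager role described here can both be shown in one small model. This is an added example, not code from the article or from any password manager product; the minimum length of 14, the `Vault` class and the sample passwords are assumptions chosen for illustration. `policy_violations` reports every rule a password breaks, `generate_password` draws from the operating system's secure random source until the result passes the policy, and `Vault` refuses to store a password that already protects another system:

```python
import math
import secrets
import string

MIN_LENGTH = 14  # assumed policy value for this example
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
ALPHABET = "".join("".join(sorted(chars)) for chars in CHARACTER_CLASSES.values())


def policy_violations(password, existing_passwords=()):
    """Return a list of reasons the password fails the policy (empty == OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, chars in CHARACTER_CLASSES.items()
               if not any(c in chars for c in password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    # Reuse check: the same secret must not protect more than one system,
    # otherwise one breached site exposes the others.
    if password in set(existing_passwords):
        problems.append("already used for another system")
    return problems


def generate_password(length=20):
    """Draw from the OS CSPRNG; retry until every class is present so the
    result satisfies the policy by construction."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


class Vault:
    """Minimal stand-in for a password manager: one entry per system."""

    def __init__(self):
        self.entries = {}

    def add(self, system, password):
        others = [p for s, p in self.entries.items() if s != system]
        problems = policy_violations(password, others)
        if problems:
            raise ValueError(f"{system}: " + "; ".join(problems))
        self.entries[system] = password

    def rotate(self, system, length=20):
        """Replace a system's password with a fresh generated one."""
        new = generate_password(length)
        self.add(system, new)
        return new


if __name__ == "__main__":
    vault = Vault()
    vault.add("vpn", "Sunny-Beach-2020-Umbrella!")  # constructed sample
    try:
        vault.add("email", "Sunny-Beach-2020-Umbrella!")
    except ValueError as err:
        print("rejected:", err)
    print("rotated vpn password:", vault.rotate("vpn"))
    print(f"20-char random password ~ {entropy_bits(20):.0f} bits")
```

A real password manager stores the entries encrypted and checks reuse against hashes rather than plaintext, but the decision logic is the same: reject anything short, single-class or shared between systems, and let the generator, not the employee, pick the replacement.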
Company data is at risk—on-site and, even more so, through employee access to company data and information from remote locations. The bad guys know this and will quickly find and leverage any security vulnerabilities they can. The best defense for employers of all types and sizes is a good offense—one that goes beyond strong technology protections to account for the user missteps that can often leave data and systems vulnerable. Even with the best efforts, some risk remains. Companies should make sure that their business insurance covers third-party cybersecurity risk (to include protection of customer and client data) and that this coverage extends to the many employees who are now, and for the foreseeable future, working from home.