With a larger remote workforce come more opportunities for cybercriminals to steal sensitive data. But amid a rise in attacks, businesses need to put more emphasis on teaching their employees how to avoid being victims.
As part of a virtual summit hosted by Providence Business News and the Tech Collective on Oct. 7, experts urged businesses to make cybersecurity a priority and shared advice on training employees to set up a secure work environment at home.
In the early days of the pandemic, many employers scrambled to allow remote work, with some assuming it would be a short-term measure. But with the enduring popularity of remote work, businesses need to revisit policies that may skimp on security.
“Remote work is not going to go away,” Eric Shorr, president of Secure Future Tech Solutions in Warwick, said in a panel discussion. “Many of our businesses are still working remotely. Some of them have adopted a more-hybrid approach … but this is a permanent change in the way we work.”
In a discussion titled, “How to mitigate risk in a remote workforce,” panelists identified potential security hazards in working out of the office: Employees may have a computer camera or microphone that can be hacked, lack the means to properly dispose of sensitive information or work on a shared Wi-Fi network, among other risks.
While employees “don’t want to be your weak link,” said Linn Freedman, chair of the data privacy and cybersecurity team at Robinson & Cole LLP, they can fall victim to phishing scams, hackers and other cyberattacks.
With remote work, “one of the risks is the fact that you’ve got a much broader platform that you have to secure,” Freedman said. “And all of these employees who now work from home with their own equipment, most aren’t focused on security.”
Freedman advised employers to take extra time to educate employees on additional security measures they can take, such as using a private Wi-Fi network and turning off devices with cameras, such as Amazon Alexa, when they’re working from home.
John Sullivan, executive vice president and chief information officer at BankNewport, also emphasized education as a “huge component” of the bank’s transition to mostly remote work.
“The big takeaway, I would say more than anything, is emphasizing phishing attacks,” Sullivan said. The bank began testing employees on a variety of scenarios to help them recognize the scams. Other steps, such as setting up a company email system to flag messages from an external source, also help employees avoid scams, according to Sullivan.
Additionally, employers can reduce risk by providing workers with company devices, such as laptops, said Daniel Andrea, a partner and director of information systems at Kahn, Litwin, Renza & Co. Ltd. in Providence. Businesses can encrypt and regulate these devices to prevent users from installing potentially unsafe software or printing sensitive materials.
If employees are allowed to print from home, Andrea said, companies should provide a paper shredder so they can properly destroy information.
Panelists also emphasized multifactor authentication as a powerful tool against security breaches.
Employers should assume that not all employees are working from home, said Anthony Siravo, chief information security officer at Lifespan Corp. They may be in a public space or using an otherwise unsecured Wi-Fi network.
“Assume that the network they’re coming from is not safe,” Siravo said.
Before businesses can train their employees to avoid cyberattacks, executives must ensure that the company’s leadership understands and prioritizes security, speakers said in the summit’s closing session and remarks.
“Security should always be moving forward,” Todd Knapp, founder and CEO of Pawtucket-based Envision Technology Advisors LLC, said in a closing session. “All it takes is for a top-down culture to say that this is not something we do once – this is who we are as an organization.”
Cybersecurity “is your top priority as a business professional, even if it isn’t your primary job,” Knapp said. “It’s something we all have to be worried about.”
When handled properly, additional security measures should help, rather than frustrate, employees, Knapp said.
Knapp’s preferred model, a “Zero Trust” framework, involves working under “the constant assumption that your environment has already been breached,” verifying all users’ identities and limiting data access only to employees who must see it.
In closing remarks, R. Michael Tetreault, cybersecurity adviser for Rhode Island, Region 1 New England in the Integrated Operations Division, Cybersecurity & Infrastructure Security Agency of the U.S. Department of Homeland Security, also emphasized that senior leaders need to understand cyber risks and plan proactively.
Tetreault cautioned leaders that purchasing cyber insurance isn’t a full security plan.
Insurance “certainly does not help in the risk mitigation or resilience of the organization,” Tetreault said.
Businesses should also take proactive measures, Tetreault said, such as providing information technology professionals with up-to-date training to prevent attacks.
While “we prepare not to be attacked,” Tetreault said, companies must ask: “When a bad event happens, how can we respond and recover?”
Jacquelyn Voghel is a PBN staff writer. Contact her at Voghel@PBN.com.