Small businesses failing on remote worker protection

Small and medium-sized enterprises (SMEs) are failing to keep their remote working employees adequately supported or protected against the vast range of cyber security threats they face, according to a study by Kaspersky.

With remote working a virtual necessity during the Covid-19 coronavirus pandemic, Kaspersky found that 57% of employees were not provided with corporate-owned devices by their employers – compared to an average of 45% of staff across all companies – and that only 34% had received instructions on how to work securely on personal laptops, tablets and smartphones.

Such instructions could include installing anti-malware technology, paying attention to basic password hygiene on both devices and home Wi-Fi networks, and updating and patching device operating systems to account for the steady flow of new vulnerabilities.

Kaspersky said such instructions were even more necessary than before the pandemic, given the trend of more and more small business data being held and processed beyond the confines of the office network on employees’ home devices, or in consumer cloud storage services.

“Small companies may be in difficult circumstances and their first priority is to save their business and employees during the lockdown, so it is no surprise that cyber security may become an afterthought,” said Andrey Dankevich, senior manager of product marketing at Kaspersky’s B2B operation.

“However, implementing even basic IT security requirements can decrease the chances of malware infection, compromised payments or lost business data.

“Moreover, there are plenty of recommendations already given by cyber security experts that businesses can share with their employees to help them keep their devices safe. And of course, the requirements should be followed not only during home isolation, but continued when staff work remotely in the future.”

Speaking last week at a virtual PeepSec panel event hosted by security firm CybSafe, tech entrepreneur and investor Piers Linney said SMEs were at a significantly elevated risk of being compromised in a cyber security incident during the pandemic.

“As people are working from home more, there is more risk in how data is stored and managed, but small companies don’t always understand what is needed to mitigate that risk,” said Linney. “The soft underbelly at risk of attack is small businesses.”

Kaspersky said that even reckoning without the impact of national lockdowns on working practice, the figures were concerning, but added that good practice will remain relevant because even though daily working life will eventually start to return to normal, the greater freedom offered by remote working and the cost savings to some businesses mean many employees are likely to stay remote, and will still need to be protected.

There are a number of core steps that SMEs can take to safeguard their remote workers, including: protecting home devices with an antivirus service; keeping device operating systems, apps and services patched and updated; activating password protection for all devices, including wireless routers; encrypting home Wi-Fi networks, ideally with the WPA2 standard, which can be done in the router’s settings; using a virtual private network (VPN); deploying a security service that enables device encryption and backups; assisting employees with access to reliable public cloud services; conducting security training; and establishing a central point of contact for security issues.