Small businesses failing to train employees on safe home-working
Although small businesses are less inclined to provide their staff with company devices to work from home, only one third of the employees (34%) of small businesses have been told how to securely work on personal devices while at home during the pandemic lock-down. This is despite the fact that more and more business data is processed outside the secure corporate IT perimeter.
A recent Kaspersky study on working from home has highlighted the importance of protection and security awareness for smaller enterprises.
Working from personal devices has become a necessity for some small organisations during the coronavirus pandemic. But even without COVID-19 lockdown measures in place, this practice remains relevant for some organisations as it gives greater freedom to employees to work anytime, everywhere, while making savings on equipment to employers.
However, in addition to the business benefits, organisations must also remember to protect these devices from cyber risks so that sensitive business and customer data stored on them remains safe, and employees can work without downtime as a result of ransomware or other malware infections.
During the pandemic, 57% of employees of small organisations were not provided with corporate devices from their employers, compared to an average of 45% of staff working in all companies. And only one third of small business staff indicated they were given any IT security requirements to work securely on personal devices.
These requirements could include, for example, having an anti-malware solution on personal devices, using strong and unique passwords on devices and WiFi routers, and regularly updating device operating systems in order to reduce risks from unpatched vulnerabilities.
Implementing even basic IT security can decrease the chances of malware infection, compromised payments or lost business data, according to Andrey Dankevich at Kaspersky. There are a number of relatively simple IT security tactics that will protect their employees while working from their personal devices:
- Home networks and devices should be protected with an antivirus solution such as Kaspersky’s Small Office Security, which can be installed remotely on any device and managed from the cloud
- Software on personal devices, including operating systems, should be updated to the latest versions as quickly as possible: often this can be done automatically for operating systems, meaning an employee without IT skills does not need to worry
- All devices mobiles and WiFi routers should be protected with a password. If a router has a default password it should be changed to a new and strong one. This is something that some employees may need assistance with
- Where possible two factor authentication should be used. Some employees will dislike this saying that it gets in the way of efficient working but in reality the inconvenience is very small and the benefits far greater, something that may need emphasising to employees who are less confident with technology
- Home WiFi connections should be encrypted, ideally with the WPA2 encryption standard. This is likely to be a default setting, but should be checked in router settings, again something that employees may need help with
- A VPN should be used if an employee is using WiFi outside their home, for instance in (or more likely near!) cafes and in public areas like stations and shopping malls; these are simple to set up but again some hand holding may be needed for some employees
- Where possible personal devices used for work should be fitted with tracking software and ideally the ability to wipe the device remotely should it be lost. Organisations should however consider how they can manage the remote deleting of corporate data on a private device without deleting private data or infringing privacy
- Any corporate data created on personal devices should be backed up, in case of a ransomware infection or the failure or loss of a personal device
As well as providing a list of safety tips, employers will ideally also conduct basic security awareness training for their employees or provide access to an online cyber safety course. Other useful resources include providing employees with a list of reliable cloud services that they can use to store or transfer corporate data, and instructions on how to use them safely. And perhaps most important is the need to ensure employees know who to contact if they face an IT or security issue while working from home.