Cyber security recommendations for remote work

A person checking their password on a phone and computer

Around the globe, businesses and individuals had to do their best to cope with the COVID-19 pandemic. With everyday lives and normal business practices put under pressure due to virus-prevention measures, many employees were required to work remotely, and continue to do so in some capacity today. Unfortunately cybercrime has increased, as widespread remote work introduces new vulnerabilities cyber criminals can exploit, such as inadequate security measures, unsecured home network and human error.

According to the Insurance Bureau of Canada (IBC)*, “In 2021, 41% of small businesses that ever suffered a cyber attack reported that it cost them at least $100,000, up from 37% in 2019.” Canadian businesses, big and small, have all felt the impact of cybercrime.

Shared below are some key recommendations for businesses to help protect their operations against cybercrime while navigating a remote work environment. By implementing these recommendations, organizations can help to safeguard their business information and minimize their vulnerabilities to cybercrime.

Stay safe with 12 cyber security recommendations

Password complexity is essential

This is the first line of defense against cybercrime.

Strong passwords typically use capitals, lower-case letters, numbers, and special characters over a minimum number of digits. A minimum of eight digits is a good rule (the more the better), for example, $Magenta. The Canadian Centre for Cyber Security provides recommendations for best practices on their website. The National Cyber Security Centre in the UK recommends using three random words, for example, bluemonkeyflag. This password, in turn, is then made more complex and secure by adding numbers and special characters, e.g., 27bluemonkeyflag&.

Weak or easy-to-guess passwords are a common entry point for cyber criminals to gain unauthorized access to business information. For example, date, place of birth, favourite sports team, pet’s name, partner or child’s name should never be used.

Utilize multi-factor authentication

Having two forms of identification is an additional layer of protection beyond just a password. This can be achieved by a password and then a randomly generated validation code, sent to a user by text message or an app.

Set user privileges across the organization

Individuals should only be granted access to those business systems, functions, software, and areas necessary for their job responsibilities. This helps prevent unauthorized access to business information and limits the potential damage that can be caused if or when a user account is compromised.

Employ Virtual Private Networks (VPN) for added security

Using a VPN adds an extra layer of security to online activities, as it extends a private network across a public network, allowing users to send and receive data as if their devices were connected to a private network. Private networks are designed to be secure and provide controlled access to authorized users, including password protection and encryption.

Restrict use of own equipment

Use of employee’s own equipment is not recommended for cybersecurity reasons as personal devices may not have the same level of security measures as business-owned equipment. A user's own laptop for example, may lack encryption, antivirus software and regular security updates. Personal devices for business purposes can also increase the risk for data loss and/or unauthorized access from sharing device with household members and may not be detected due to lack of monitoring.

Complete anti-virus and software updates as soon as they are available

Software updates can be a time-consuming irritation to users, but it cannot be emphasized enough that as soon as an update is available it should be completed. Each update will also include the latest security improvements.

Produce quick reference guides

Uncertainty about how to access the private network remotely, or unfamiliarity with different systems and applications, can increase query traffic to an IT Helpdesk. Production of easy-to-use 'How To' user guides can reduce pressure placed on the IT support team and reduce the chance of employees creating a security issue.

Train employees on common phishing tactics

Phishing is defined as untargeted, mass emails sent to many people asking for sensitive information such as login credentials or bank details. These emails can encourage individuals to click on a link or visit a fake website that can affect a user’s device with malware, allowing cyber criminals to gain unauthorized access to their accounts.

Institute removable media policies

SD cards, USB memory sticks and other removable media devices can introduce viruses into a computer, which can spread through a network. There should be a workplace policy that no removable media is to be used, and the ports on devices disabled to protect against this threat. Email or cloud storage should be used to transfer data instead.

Avoid the pitfalls of work in public places

There are three main things to keep in mind when using devices in public:

  • Don’t leave devices unattended:  Devices left unattended or unlocked are easy targets. Employees should always take the device with them.
  • Be aware of surroundings:  Can someone look over the user’s shoulder? What's on the screen and even the keystrokes could be compromised/captured.
  • Avoid public wi-fi:  A coffee shop wi-fi for example, with no password, provides easy access for cyber criminals. A mobile phone's 4G network’s built-in security and tethering is a superior option.

Use encryption for better security

This is the process of encoding a message or information in such a way that only authorized parties can access it. It will not stop a cyber incident, but it does make the data useless toa criminal if they were to maliciously access it.

Reporting Security Issues

Employees should be made aware that time is of the essence when it comes to reporting any security incident. Being able to assess the situation quickly and organize a suitable response could help maintain a level of security, limit losses, speed up recovery and increase the chances of a perpetrator being caught. The implementation of a cyber incident response plan can help prepare an organization for this type of scenario. To learn about the four steps to follow in an incident response plan, see Cyber Security: Respond quickly and recover faster.

In addition to the easy-to-implement cyber security recommendations above, the purchase of a cyber insurance policy is great way to protect against a wide variety of cyber risks.  Cyber coverage helps proactively manage business risks and gives access to around the clock support from technical experts who can assist with cyber incident resolution. Cyber coverage will also help a business meet the requirements to comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

Navigating a remote work environment while protecting operations against cybercrime isn’t easy. However, applying these recommendations will go a long way to help safeguard business information and minimize vulnerabilities to cybercrime.

*Source IBC:

The content in this article is for information purposes only and is not intended to be relied upon as professional or expert advice.

Copyright in the whole and every part of this site belongs to Aviva Canada Inc., unless otherwise indicated, and may not be used, sold, licensed, copied or reproduced in whole or in part in any manner or form or in or on any media to any person without the prior written consent of Aviva Canada Inc.