Small businesses remain a prime target for cybersecurity attacks, which makes sense if you think like a hacker. Most small businesses don’t have a lot of cash to spend on safeguarding their networks, and remote teams often unintentionally increase their organizations’ cybersecurity risks. This gives hackers plenty of easy targets — but that doesn’t mean you can’t protect your business, including your remote employees.
According to an Alliance Virtual Office analysis of millions of cybersecurity data points, misuse of both work and personal devices drives remote vulnerabilities. Here’s a prime example: The analysis revealed that 69 percent of employees use their personal devices for their work tasks. However, personal devices often lack the cybersecurity guardrails and access control tools that protect work devices. This is one way hackers can more easily target remote workers.
Similarly, this analysis found that 70 percent of employees also use work devices for personal purposes. Websites and programs built for personal, nonbusiness use may lack the stringent security features that are part and parcel of business tools. This personal use of work devices thus offers another potential entry point for hackers.
Additionally, 30 percent of employees have allowed people other than themselves to use their work devices. This introduction of additional users, who may use weak passwords or nonbusiness programs, generates another security loophole through which hackers can infiltrate your business’s systems. It’s no wonder that according to Verizon’s 2023 Data Breach Investigations Report, employees are targeted and manipulated in approximately 20 percent of cyberattacks.
“Small and medium-sized businesses are the No. 1 target for attackers because they don’t have the security in place and they haven’t deployed the technology they should have years ago,” said Rob Krug, network security architect at Avast Business.
Danger abounds for small business owners and their remote workforces as they navigate remote work. Small business owners need to protect their networks, make sure they’re safe when using third-party software, and prevent their remote workers from clicking on the wrong thing.
Security is a herculean task, but an important one. Recovering from a cyberattack can be costly and time-consuming. Many small businesses don’t survive it. Staying one step ahead of the bad guys is the first line of defense. That comes from knowing the cybersecurity risks, including the following:
Many businesses with urgent needs to give employees remote access to their networks have turned to remote desktop protocol (RDP) servers — a Microsoft tool for accessing Windows servers and desktops remotely. Previously, these RDP servers didn’t have the most up-to-date software installed, which left them vulnerable to cyberattacks. Criminals exploited that weakness, which led to a huge upswing in brute-force attacks on these remote access servers.
In brute-force attacks, the cybercriminal forces entry into a network by trying known username and password combinations. The RDP server crisis showed that this approach is less scattershot — and more effective — than you might think.
“Adding RDP servers opened up businesses to an external world, putting them at risk,” said Kurt Baumgartner, principal security researcher at Kaspersky.
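As an added example (not from the original article or from any vendor named in it), the Python below shows how a burst of failed remote logons, like the brute-force attempts described above, can be flagged in Windows Security log data. The CSV layout, the sample rows, the threshold and the time window are assumptions, and rows are assumed to be in chronological order; event IDs 4625 (failed logon) and 4624 (successful logon) and logon types 3 and 10 are standard Windows values.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: Windows Security log rows exported as CSV.
# 4625 = failed logon, 4624 = successful logon; logon type 10 is
# RemoteInteractive (RDP), type 3 is Network (seen when NLA is enabled).
SAMPLE_LOG = """time,event_id,logon_type,user,src_ip
2024-01-10T02:00:01,4625,3,administrator,203.0.113.7
2024-01-10T02:00:03,4625,3,admin,203.0.113.7
2024-01-10T02:00:05,4625,3,backup,203.0.113.7
2024-01-10T02:00:08,4625,3,administrator,203.0.113.7
2024-01-10T02:00:11,4625,3,jsmith,203.0.113.7
2024-01-10T02:00:15,4624,10,jsmith,203.0.113.7
2024-01-10T09:01:00,4625,10,mlee,198.51.100.20
2024-01-10T09:01:30,4624,10,mlee,198.51.100.20
2024-01-10T11:00:00,4625,2,mlee,127.0.0.1
"""
REMOTE_LOGON_TYPES = {"3", "10"}

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: finding} for IPs with >= threshold remote logon
    failures inside a sliding window; record a later success from that IP."""
    recent = defaultdict(deque)   # src_ip -> (time, user) of recent failures
    findings = {}
    for row in csv.DictReader(StringIO(log_text)):
        if row["logon_type"] not in REMOTE_LOGON_TYPES:
            continue              # ignore console and other local logons
        ts, ip = datetime.fromisoformat(row["time"]), row["src_ip"]
        if row["event_id"] == "4625":
            q = recent[ip]
            q.append((ts, row["user"]))
            while ts - q[0][0] > window:   # drop failures older than window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after": None})
                f["failures"] = max(f["failures"], len(q))
                f["users"].update(user for _, user in q)
        elif row["event_id"] == "4624" and ip in findings:
            # A success after a burst of failures needs urgent review.
            findings[ip]["success_after"] = row["user"]
    return findings

if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, f["failures"], sorted(f["users"]), f["success_after"])
```

A single mistyped password, like the one from 198.51.100.20 in the sample, stays below the threshold and is not flagged.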
Phishing emails — in which hackers try to trick users into clicking on links — have long been a problem in the business world. They’ve become so common that, in recent memory, the U.S. Department of Health and Human Services has warned the public about the upswing in phishing schemes.
“The big thing that will continue is the constant phishing attacks,” said Tiffany Garcia, national cybersecurity practice leader at CBIZ. “They are getting more sophisticated and looking more legit.”
It doesn’t help that many employees use their personal devices or go rogue with the apps they install to communicate and remain connected to other remote workers. That makes a company more susceptible to malware and other nefarious infections. In fact, there’s been an increase in fake versions of popular messaging and video conference apps that, once clicked on, install malicious software to track your movements and keystrokes. Hundreds of iOS and Android apps have served as hacker entry points.
Virtually all reporting on ransomware agrees: In recent years, this type of cyberattack has become increasingly common. It involves hackers breaking into company networks and holding their data hostage for a fee. Typically, the ransom exceeds $100,000. In fact, the average ransom is $5.3 million.
Much of the attention is on big corporations, but small businesses are a prime target for ransomware attacks as well. This type of attack is particularly worrisome for smaller companies since the bad guys usually require payment in untraceable cryptocurrency. They may impose a tight deadline, making a difficult situation even worse.
Small business owners are relying on third-party software more than ever before. That increases the company’s risk if the software isn’t safe and secure. That was the case with SolarWinds, a software company catering to Fortune 500 and government customers. National headlines abounded when, in 2020, the SolarWinds network was infiltrated by hackers who secretly installed malware on the company’s software, which other companies were using to manage their IT resources. Those SolarWinds customers were compromised.
“As SolarWinds shows, you have to be careful about what software you are installing,” said Peter Fidler, partner at WCA Technologies.
Brute-force attacks, phishing and malware, ransomware, and shadow IT apps are all big risks that small businesses face on the cybersecurity front.
Protecting your company from cyberattacks is a joint effort, whether your employees are home or in the office. You might have all the safeguards in place, but if you don’t set boundaries with employees, you can easily be infected.
This means segmenting permissions to access your systems and applications, blocking certain websites and apps, and teaching your staff about what to click on and what to avoid. This may be a refresher course for one employee and an eye-opener for another. The idea is to get everyone on the same page in regard to cybersecurity.
Cybersecurity training is extremely important in a remote work environment, yet it’s often overlooked. This is true even at companies that put ample effort into their cybersecurity. According to a 2023 Fortinet report, 85 percent of organizations run cybersecurity awareness and training programs. However, among the same set of organizations, more than half said that their employees still lack cybersecurity knowledge.
“There have to be clear policies on what kind of devices, the type of home network that can be set up, what employees are responsible for, and awareness about the shifts in [cyberattack] tactics,” Baumgartner said. “The cybercriminals are going after people working from home. They need to be aware of that.”
If you use third-party software, cybersecurity analysts said it’s important to properly vet the providers. Work with a reputable company that has a security policy in place to protect your business and your customers’ data.
When you download software, Fidler said, verify that the download link is the correct one and consider blocking employees from installing it on their own. You can either outfit workers with laptops with preinstalled apps you’ve vetted or have the software live in the cloud. Either way, you want to prevent employees from installing unapproved apps that could infect your network with malware.
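One way to make "verify that the download link is the correct one" a repeatable check is to compare each link against a list of vetted download hosts. This is an added example, not code from the article or from any vendor; the host names in `APPROVED_HOSTS` and the function name are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: vendor download hosts the business has vetted.
APPROVED_HOSTS = {"downloads.vendor.example", "cdn.vendor.example"}

def check_download_link(url, approved=APPROVED_HOSTS):
    """Return (ok, reason) for a download URL checked against the allowlist."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port          # raises ValueError on an invalid port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if parts.username or parts.password:
        # "https://trusted-name@other-host/" really points at other-host.
        return False, "credentials in URL hide the real host"
    if port not in (None, 443):
        return False, "unexpected port"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host (possible lookalike)"
    if host not in approved:       # exact match: no suffix or prefix tricks
        return False, f"host {host!r} is not on the approved list"
    return True, "approved"

if __name__ == "__main__":
    # Constructed sample links, including two common lookalike patterns.
    for link in (
        "https://downloads.vendor.example/app/setup.exe",
        "http://downloads.vendor.example/app/setup.exe",
        "https://downloads.vendor.example@files.lookalike.example/setup.exe",
        "https://downloads.vendor.example.lookalike.example/setup.exe",
    ):
        print(check_download_link(link), link)
```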
To protect your network, control access to the network and apps, train employees on how to be safe and smart online and with email, and vet any third-party software you use.
Multifactor authentication means employees must verify their logins to your company platforms from other devices. For example, upon logging into your company’s HR software, your employees might need to verify this login attempt via their work smartphone. This is an important security measure because your employee should be the only person with access to the verification device.
Additionally, through single sign-on (SSO), your employees can log into just one page to immediately unlock access to all your business software. If each of your employees’ SSO passwords is ultra-strong, then SSO is highly secure. It minimizes the chances of your employees using the same password for multiple business logins — a major security weakness. Plus, with SSO, you can activate multifactor authentication at one point instead of across many different platforms. This results in more uniform cybersecurity for your remote employees.
A virtual private network (VPN) routes your remote employees’ traffic through an encrypted tunnel, which masks their IP addresses and encrypts all the information that flows from their devices to your platforms and vice versa. This blocks hackers from accessing your business data and software. And despite its imposing-sounding name, you don’t need a big server or any hardware to set up a VPN. Many of the best VPNs are software-based, which makes them as easy to implement for secure remote work as multifactor authentication and SSO.
Whether it means training employees or making changes to company infrastructure, you have plenty of options when bolstering your remote team’s cybersecurity. Plus, with remote and hybrid work models dominating the business world, you have ample reason to prioritize these measures. Sure, maybe you can’t make everything snap into place overnight. But a long-term investment in cybersecurity is a long-term investment in your business itself.
Max Freedman contributed to this article.