Have you heard of Cozy Bear, Darkside, or REvil? If not, prepare to hear from them and more ransomware gangs soon. Be on the lookout for “big game hunting”; that’s what cybersecurity firms call preying upon corporations and government organizations. These gangs extract larger sums and create greater chaos through events such as ransomware attacks. Remote workplaces looking to go on the offensive should establish a security mindset that paves the way to better practices, planning, and preparation to prevent cyber breaches.
Ransomware Costs Billions
Ransomware cost an estimated $11.5 billion in 2019, and the cost nearly doubled in 2020 to $20 billion. Losses totaled over $4.1 billion due to increased business e-mail compromise schemes, phishing schemes, and ransomware cases. Estimates project the cost of ransomware to rise precipitously to $265 billion by 2031. Cybersecurity Ventures predicts this rise in costs will parallel a rise in frequency, “with a new attack every 2 seconds” in 2031 compared to every 11 seconds in 2021. Costs include damaged data, stolen money, productivity loss, intellectual property theft, embezzlement, fraud, business interruption, recovery, and reputational harm. Taken together, these costs lead cyber experts to predict that overall cybercrime costs could reach $10.5 trillion a year by 2025.
Establishing A Security Mindset
While it is nearly impossible to avoid all risks, you can effectively prevent and mitigate many risks. Doing so starts with going beyond basic compliance and weaving a Security Mindset into the fabric of your organization. This shift will result in greater cooperative efforts to better guard your organization’s processes, equipment, members/clients, and data.
Keeping “Clean” with Cyber Hygiene
To build a Security Mindset with your hybrid or remote workforce, start by paying closer attention to your team’s cyber hygiene.
Cyber hygiene refers to “the practices and steps that users of computers and other devices take to maintain system health and improve online security. These practices are often part of a routine to ensure the safety of identity and other details that could be stolen or corrupted.” By focusing on cybersecurity hygiene practices, employees form routine positive habits that also create awareness around threats. This focus engages employees as essential partners in countering those threats. It moves responsibility for cybersecurity from resting solely on the shoulders of a cybersecurity/IT professional to being a value shared by everyone in the organization.
Some basic cyber hygiene practices you can institute include:
- Lock up your equipment every time you step away from it – even while at home
- Do not share a work device – even with your family/kids (while your family might not intend to launch a malicious attack, they may inadvertently open a corrupted email and/or install malware)
- Back up your files regularly
- Use complicated passwords with combinations of at least 12 letters, numbers, and special characters
- Update your password regularly
Plan and Prepare
Apart from better cybersecurity hygiene practices, remote workplaces must also plan and prepare. In planning, organizations should –
- Inventory employee equipment and the number of devices with access to company systems
- Document all equipment, hardware, software, and applications used
- Take stock of who has access to work devices (e.g., computers, tablets, cell phones, printers, etc.) and right-size their access to files, applications, and systems. (NOTE: By limiting employee access to what is essential for performance, employers ensure access to proprietary and/or confidential files is restricted to those who need it and are trained to keep it safe.)
Create Policies to Reduce Confusion
Taking the time to think through how and where work happens helps remote workplaces draft policies that address potential vulnerabilities that bad actors can exploit. Remote work can occur beyond a home office (e.g., coffee shops, hotels, airports, restaurants, libraries, etc.). Understanding this will shape usage policies to answer questions, such as, “Should I connect to the airport Wi-Fi?” (Answer: No – use a VPN or your phone’s hotspot instead).
Remote workplaces must create policies that detail common practices, ideally using the same tools. Some general policy areas to consider include:
- Using secure links to send personal information or confidential documentation
- Establishing consistent file storage practices (NOTE: If staff regularly store files on their laptops, their documents are not backed up, they expose the organization to greater risk, and the files are inaccessible to others who may need them. The same holds true if employees use email as their primary “document storage.”)
- Providing a dedicated work device that is regularly updated and protected
Train and Keep Training
Remote workplaces should be prepared to identify potential scams, speak up when a concern arises, and be ready with a plan to limit a botched response in the event of a breach. Remote workplaces must identify who receives that first phone call when a breach is suspected or discovered. This means having a dedicated resource ready to act, take charge, and manage the response. To guard against the onslaught of scams, organizations must train, train, and re-train employees in diverse ways. Training can introduce new cybersecurity hygiene practices and keep existing habits sharp. Run regularly scheduled tests for employees to get feedback on training effectiveness.
Equally important, organizations must foster an environment that encourages employees to report breaches or concerns immediately. Rather than putting an employee on a “hot seat” for making a mistake, encourage everyone to bring up issues quickly so they can be resolved. As Admiral Bill McRaven says, “Bad news does not get better with time.”
Final Thoughts
Through practice, planning, and preparedness, organizations can develop a successful security mindset. In remote and hybrid workplaces, “work” takes place outside company walls. Therefore, it is essential to clarify rules, expectations, and habits for employees and avoid confusion that can lead to security breaches. Adopting a Security Mindset allows organizations to move from compliance and checklists to a culture of awareness and collaboration where everyone shares in the responsibility of cyber protection.