Written by Gary Stevens
Remote working is now the norm across many industries, including for various startup companies who do most of their business online, but remains a huge security risk if implemented incorrectly. These security risks have become further exacerbated as a result of the COVID-19 crisis, which has left many startup businesses scrambling and in dire need of assistance.
Before the crisis, over half of the knowledge workers said they were not allowed to work from home, but this is changing quickly. LinkedIn’s 2019 Talent Trends report found there has been a 78% increase in job posts mentioning workplace flexibility since 2016. That’s partly because, according to a survey done by FlexJobs, only 7% of workers believe they’re most productive while in the office, as we pointed out in our guide to remote working.
There is a tendency, particularly among cybersecurity professionals, to blame individual users for some of these security vulnerabilities. That criticism is sometimes justified, as 28% of smartphone users don’t even use screen lock even when working remotely, and the level of security awareness of the average remote worker remains low.
On the other hand, insecure user behavior is often caused by the systems that companies have put in place to allow them to work remotely. Making small changes to the way that workers operate off-site, such as mandating biometric security for mobile devices, can have a huge effect on their behavior.
In this article, we’ll look at why remote working remains such a huge source of risk for startups, and how you can increase network security for your remote employees so you can avoid getting hacked.
The Security Dangers Of Remote Working For Startups
The major security dangers for your startup’s remote workers can be broken into three major factors: theft, connectivity, and access.
Theft, believe it or not, your workers will face when working for your startup. Finding a laptop or a smartphone that has been left on a train or a park bench is still a common way for hackers to gain access to your startup’s systems. It’s one reason why your startup needs to ensure that every employee is properly trained in how to lock down a device and create truly strong passwords before you grant them access.
Second, there is the broader problem of connectivity. Passing commercially sensitive data between corporate systems and remote machines is always going to be risky, but in many sectors, this is still done over standard, unencrypted web protocols. These are very easy to crack for an experienced hacker, particularly if employees are using public WiFi networks to exchange this information.
Third, there is the problem of access. The theft of a device, or the interception of the data it is using, is not such a huge problem if remote employee access to critical systems is properly controlled. It is still pretty common for companies to grant the same privileges for remote workers as those they have when in the office, but this is a huge mistake. It potentially allows an attacker total access to corporate systems in the event of a successful hack.
Finding The Balance Between Productivity and Security
There are many reasons why it can be very beneficial for your startup to hire remote employees. By looking for people globally, your startup has access to a wider pool of talent, you can reduce overhead costs, and you can afford your workers greater flexibility as they can choose where and when to work.
All this said, there is a balance to be struck when it comes to implementing remote working protocols at your startup. New research from digital services provider Capita illustrates this balance very well. Only 52% of the UK knowledge workers Capita surveyed said that remote working was an option for them. Even fewer, just 14%, said they were encouraged to use their own device.
The most important finding of this research, however, was that the vast majority of employees (92%) said they believe it’s the organization’s job to secure remote working, yet over two-fifths (42%) claimed current security policies make it difficult to do their job.
In short, employees believe that it is their employers’ responsibility to show them how to stay safe when working remotely, and how to store their data securely when doing so. Yet, many of these same employees are frustrated at the security policies that their employers have put in place to protect them and their data.
This data also points to a deeper truth: startups need to strike a balance between allowing their workers to work remotely – and giving them the tools to do so – whilst also ensuring that they don’t grant inappropriate access to remote machines.
In reality, many of these problems are caused by the fact that remote working systems commonly used by new business startups are often deployed ‘on top’ of legacy systems that are not designed to be worked in this way.
When granting an employee remote access to simple software tools, such as digital marketing tools, timesheet management systems, or accounting software, for instance, companies generally use remote desktop clients.
The problem with doing this is that if an employee’s remote desktop session is hijacked, a hacker is going to have access to all of the information stored on the corporate machine.
One solution to this problem is to compartmentalize systems and to move as many systems as possible to cloud models. Compartmentalization should take place at every level in your startup. Corporate systems should be locked down so that hackers cannot move laterally between them.
This is, in fact, a huge growth sector within the cybersecurity marketplace, which is quickly transitioning from large service contracts to more SaaS-like business models, offering huge benefits in terms of accessibility. Employees working remotely can access SaaS products without the need to expose an entire network. SaaS is growing rapidly in popularity amidst businesses and new startups, with more than 86% of companies projected to be using SaaS by 2022.
Segmenting IT systems in this way also has many other benefits. Because employees (whether working remotely or not) access the various parts of a corporate system independently of each other, the chances of a hacker being able to compromise the whole system are greatly reduced.
As Capita IT & Networks’ head of workspace and collaboration, Ian Hart, put it to InfoSecurity Magazine: “By replacing traditional desktops and applications with a more user-centric and modern IT environment, organizations can have better control over the sensitive material they need to protect while allowing employees to work more flexibly and safely from any location.”
Finally, cloud storage as a whole should be implemented in a secure way by using secure alternatives to Dropbox (which is still the most popular small-scale cloud storage solution). Some companies take this approach even further, and create a separate remote working network that contains the data required by employees when they are off-site, but does not permit access to critical systems.
The Bottom Line
In short, remote working remains a major source of vulnerability for startups. That said, the productivity boost that it affords means that it remains attractive for many. Addressing these security risks need not be hard, but does require that new startup businesses take the time to transition from legacy systems that are not designed to be operated from remote machines.
Often, even a little extra effort can go a long way. If you can make your systems even slightly harder to crack than those of your competitors, this is commonly enough for a hacker to move on in search of a ‘softer’ network to compromise.