By Olumuyiwa Awosile
Despite the common misconception that cybercriminals only target larger enterprises, the vast majority of SMEs are under genuine threat. In a recent survey of 850 global organizations ranging in size from 10 to 1,000 employees, 64% reported having suffered a cyberattack.
The ongoing restrictions triggered by the COVID-19 pandemic have resulted in a remarkable increase in the number of staff working from home at businesses both large and small. Cybercriminals love remote workers because many businesses do not put the right level of security in place for staff working from remote locations. To make matters worse, many SMEs have very weak security practices, which make them easy targets for cyberattacks and ransomware. So, the fact that cyberattacks on small and mid-sized businesses are becoming increasingly commonplace means remote access security issues must be taken seriously.
To protect your network, your employees and your reputation from malicious attacks, here are five tips that you can implement to secure remote access for your employees.
1. Password Complexity
Passwords are your first line of defense against cybercriminals—so don’t make things too easy for them. The first rule when creating passwords is to ask yourself: could an attacker easily guess this based on the information I share online? So what does a good password look like? The National Institute of Standards and Technology (NIST) recommends using long, unique passwords for all your accounts. The ideal password is about eight characters long and incorporates a mix of upper and lowercase letters, symbols, and numbers—making it truly unique and hard to guess. Of course, when you’re dealing with multiple applications on a daily basis, it’s hard to remember lots of complex passwords. That’s why you need a password manager. These applications allow you to store multiple passwords in one secure place, ensuring you only have to remember one—the password to the password manager.
2. Multifactor Authentication
You know how you need two forms of ID to access your bank accounts? That’s the basic idea behind multifactor authentication—it adds extra layers of security by requiring users to verify they are who they say they are using at least two unrelated authentication methods. For example, after typing in their log-in details, a user might be asked to supply a one-time PIN (OTP) that’s been sent to their phone. Two-factor authentication is a way of making an account doubly secure. That way, even if a cybercriminal were to crack your password using methods like brute force, credential stuffing, or keylogging, they would still need to gain access to that second method of authentication in order to access your account.
3. Role-Based Security
When you check into a hotel, you don’t get keys to every room but just the one you need for your stay. Similarly, role-based security is about granting permissions according to the role that a user performs, limiting their access to only the machines that they need to do their job. This reduces the damage that a cyber attacker can do. If they steal one of your technician’s credentials, they’ll only have access to a limited set of features and machines, meaning they can’t wreak havoc like they could with full-blown admin access.
Role-based security is not meant to put roadblocks in your employees’ way. It’s simply about giving them everything they need to do their job, and nothing more.
4. Logging and Auditing
In security, as in medicine, prevention is better than cure. To spot potential remote security issues in advance, you should be tracking who connected to what machine, what actions they performed, when they connected, and where they connected from. Ransomware is usually the last thing cybercriminals do. Typically, they’ll poke around in your environment for weeks before they strike, doing things that won’t necessarily raise alarm bells—like sending a 3:00 a.m. command here and there—until it’s too late. It’s critical to review audit logs regularly. That way, if you notice something suspicious, you’re able to remediate it right away, before a molehill becomes a mountain.
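The review described above, written out as an added example that is not part of the original article: it parses a constructed remote-access audit log (format, machine names, addresses and business-hours policy are all assumptions for the example) into the four questions of who, what, when and where, and flags the quiet off-hours activity and first-time connection sources that regular log review is meant to catch.

```python
"""Added example: review a constructed remote-access audit log for
who connected to what machine, when, and from where, then flag
off-hours activity and never-before-seen connection sources."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Assumed format:
# timestamp user machine source_ip action [arguments]
SAMPLE_LOG = """\
2019-10-01T09:02:11 alice HR-FILES 203.0.113.10 connect
2019-10-01T09:05:40 alice HR-FILES 203.0.113.10 open_file payroll.xlsx
2019-10-01T17:31:02 bob WS-TECH01 198.51.100.7 connect
2019-10-02T03:12:55 bob DC01 192.0.2.44 connect
2019-10-02T03:14:03 bob DC01 192.0.2.44 run_command whoami
2019-10-02T10:20:00 alice HR-FILES 203.0.113.10 connect
"""

# Assumed policy: normal remote access happens between 07:00 and 19:59.
BUSINESS_HOURS = range(7, 20)


def parse_log(text):
    """Turn each log line into a dict holding the who/what/when/where fields."""
    events = []
    for line in text.splitlines():
        ts, user, machine, src, action = line.split(" ", 4)
        events.append({"when": datetime.fromisoformat(ts), "who": user,
                       "what": machine, "where": src, "action": action})
    return events


def review(events):
    """Return findings as tuples: off-hours events and new (user, source) pairs.

    Events are processed in order, so a source is "new" only when the user
    has already been seen connecting from somewhere else earlier in the log.
    """
    findings = []
    seen_sources = defaultdict(set)  # user -> set of source IPs already seen
    for e in events:
        if e["when"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", e["who"], e["what"], e["when"].isoformat()))
        if e["action"].startswith("connect"):
            known = seen_sources[e["who"]]
            if known and e["where"] not in known:
                findings.append(("new_source", e["who"], e["what"], e["where"]))
            known.add(e["where"])
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Running it on the sample lists bob's 03:12 connection to DC01 from an address he had never used before, plus the 03:14 command that followed it, while alice's daytime sessions from her usual address produce nothing.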
5. End User Controls
Lastly, security is ultimately an all-hands-on-deck effort—so make sure your employees are doing their part. Employee education is therefore a must. After all, the average employee doesn’t know what a phishing attack is or how to recognize one. Taking the time to teach your staff about cybersecurity makes your business safer, because your employees can act as your last line of defense against cybercriminals.
Olumuyiwa Awosile is a cybersecurity expert and CEO of Tros Technologies. He can be reached at firstname.lastname@example.org or 0815 715 1011.
Frontpage October 10, 2019