Why Using a VPN Isn’t Enough
According to the Stanford Institute for Economic Policy Research (SIEPR), approximately 42 percent of U.S. employees worked from home full-time as of June 2020. That’s a percentage that may only continue to rise, with major companies like Twitter, Facebook, and Amazon already announcing that they may keep a significant portion of their workforce remote permanently.
The shift to remote work means more than just a location change. It also involves a significant shift in technology used to enable the same capabilities at the kitchen table that an employee has access to in the office. That may involve new physical technology, like laptops or monitors, or cloud-based software.
However, with the extension of the corporate network also comes the expansion of cybersecurity risk. For a small or medium business, which is already under intense pressure due to the pandemic, a cyberattack that disrupts operations or financial harm could have disproportionally impacted or caused the company to shutter altogether.
The first cybersecurity tool that many businesses — small, medium, and large alike — turn to when it comes to remote work is a virtual private network (VPN). A VPN allows for a secure network connection, including sensitive corporate assets. A VPN is beneficial for securing remote employees when their home network’s quality or security features aren’t known.
However, a VPN alone isn’t enough. First, like any product, some VPN solutions are better than others (especially many that are free). Second, it only protects the network connection itself, not the devices used or what those users are doing once they’ve accessed the corporate network.
SMBs need to consider a more holistic approach. Employees should be encouraged to use multi-factor authentication for all their essential applications, which will make it more difficult for hackers to leverage stolen passwords. IT administrators should also ensure all devices are still patched and updated to the latest versions, even while they are remote.
Businesses may also consider adding cybersecurity awareness training for employees, teaching them to spot phishing attacks, avoid clicking on malicious links, and overall, how to use their available security tools more effectively. Awareness training is essential in a work from home environment, where employees are left more to their own devices (literally).
Finally, SMBs should prep for what should happen if an attack were to take place. That includes having proper backups in place in case of an outage or ransomware and clear playbooks that employees can follow.
While many of these tools can be implemented by the business, it may help a small or medium business to consider working with a managed services provider (MSP) to guide them through this process and to offload some ongoing monitoring updates. This way, they can fully ensure that all steps are being taken to secure their environments during this time.
While the pandemic may not be around forever, our new work from home world may be here to stay. Businesses of all sizes need to make sure they are prepared to adapt their cybersecurity strategies for this new world or potentially face negative consequences.