Why remote working creates security headaches for SMEs

The COVID-19 outbreak has forced many Aussie SMEs into changing their company policies and allowing their staff to work from home. An unwelcome consequence has been an increase in risky behaviour by those remote workers using company-issued devices for personal business.

In a Mimecast survey of over 1000 remote workers across the globe, which included small businesses, 78 per cent of Australian remote workers admitted to using their work tools for personal matters – higher than the global average. Over half of those respondents (53 per cent) confirmed that their personal use of work tools had increased since COVID hit.

Emails are a weak spot

Activities ranged from using personal email (53 per cent), to social media (40 per cent), financial transactions (51 per cent), and online shopping (38 per cent).

Personal email and shopping are particular areas of concern for IT support staff. As online shopping ramps up, opportunities for malicious actors to infiltrate corporate networks through malicious online retail sites, bogus ads and scam emails will be abundant.

Awareness is high, but it’s not fully translating into practice

Encouragingly, 97 per cent of Aussie respondents said they were aware that links in emails, social media, and fake retail websites could potentially infect their devices and the company network.

The proportion of employees who have received dedicated cybersecurity awareness training relating to working from home during the pandemic is also high (71 per cent), but there is a disconnect between acquiring this knowledge and actually putting it into practice.

Training is key

The primary reason for this is that most training fails to engage staff enough for the knowledge to be fully retained or for future practices to be influenced to any great degree.

In short, much of the training is boring.

By introducing short, snappy, visually engaging and entertaining learning modules, the message resonates. People are far more likely to remember and share training content that is fun, and more importantly, use it to change their online habits for the better.

Additional measures

Engaging and amusing training is one important factor in reducing the risk posed by malicious actors, but it is by no means the only option open to IT teams.

SMEs can take other actions to maintain network security in the new hybrid office/home work environment:

  • Have clear policies around the personal use of work devices, with regular reminders sent to staff about these policies.
  • Limit what software and websites can be accessed through the business network when working remotely.
  • Consider whether it is worth the inherent risk of providing employees with the option to access the corporate network through their non-work devices. This can be complex when using contractors, but it does need some risk vs. benefit analysis.

With so many of us now using our homes as offices, and with the holiday retail period already in full swing, SMEs must address any weak spots in their network security, to ensure that 2021 really is a Happy New Year for their business.

Garrett O’Hara, Principal Technical Consultant, Mimecast Australia