Remote work is here to stay. Here are the cybersecurity risks.

Phishing and ransomware are on the rise. Is your remote workforce prepared?

The delta variant continues to dash or delay return-to-work plans, but before your company institutes work-from-home-forever plans, you need to ensure that your workforce is prepared to face the cybersecurity implications of long-term remote work.

So far in 2021, CrowdStrike has already observed over 1,400 "big game hunting" ransomware incidents and $180 million in ransom demands averaging over $5 million each. That's due in part to the "expanded attack surface that work-from-home creates," according to CTO Michael Sentonas.

Despite the rise in attacks, only one in five companies are confident their infrastructure security can support long-term remote work, and only 7.5% are confident that their security protections are adequate against phishing and ransomware attacks in the remote-work context, according to a recent survey of 200 North American businesses from IT firm Sungard Availability Services.

So what can you do to make sure your remote employees are properly equipped to protect against cyberattacks? Here are eight things to consider according to cybersecurity professionals.

Secure the home Wi-Fi network. Remote workers need to make sure they're on at least WPA2 encryption, according to Caroline Wong, chief strategy officer at Cobalt, a remote-first "penetration testing as a service" startup. Older security protocols like WEP and WPA have been hacked and are considerably less secure. Another thing remote employees can do to protect their home network is to consider hiding the network name from neighbors, said Wong.

Don't depend on your employees to protect themselves. Sure, you can tell people to secure their networks, but these days the reality of remote work is that it happens not just at home, but in coffee shops, at the airport, in Airbnbs and other places that are vulnerable to attack. So it's important to issue a corporate device with pre-installed and regularly updated malware protections, and to have identity and asset management systems like multi-factor authentication in place, according to Shawn Burke, the global CSO of Sungard AS.

Prepare for people to do company work on personal devices. Even if you provide employees a company-issued laptop, odds are they'll still want the ease of accessing corporate data on personal devices. Consider using a mobile device policy, which is basically a way to remotely set up a security policy and push security controls, said Gartner Senior Research Director Thomas Lintemuth. That being said, "People get freaked out if you're trying to manage their device," so it's important to communicate that these programs are meant to "keep the bad guys out of your personal stuff" and that the company will not use them to track employees' personal information, said Grant Moerschel, VP of product marketing at SentinelOne.

Consider the "people" risk: kids, roommates and partners. This is a concern especially for companies like McKinsey, which often deals with confidential documents that could be seen, screenshotted or shared by other people in the household, according to Venky Anant, a partner in McKinsey's tech, media and telecom practice. Be diligent about setting automatic screen locks, and consider employing a virtual desktop so that corporate data is stored securely at headquarters rather than on a personal laptop, recommends Kathleen Moriarty, the CTO of the Center for Internet Security.

Be alert for more targeted, emotion-driven phishing attacks. Attackers in the age of coronavirus are capitalizing on your emotions and anxieties, and there's been a significant rise in phishing attacks that use COVID-19 as a lure, Moriarty added. Be wary of tailored messaging that preys on your desire to access vaccine information.

Expect to spend more on cybersecurity. Multi-factor is expensive, and so is scaling up VPNs and other solutions to handle more simultaneous usage. One way of dealing with the added cost could be to implement access control segmentations. For example, an engineer might require more security than a graphic designer, said Wong.

Aim for zero trust. An increasingly popular buzzword in the cybersecurity community, the "zero trust" model assumes that you can't trust anyone, and everyone is treated as a potential malicious actor. Authentication and controls are at every point of entry, and everything that's important is protected. That can be costly as well as theoretically productivity-impeding, but as John Kindervag, one of the original proponents of zero trust, puts it, "It's okay to occasionally block something good as long as you're not letting something bad in."

Educate, educate, educate. And gamify it. At Zoom, employees participate in an annual security awareness training complete with prize competitions that divvy out company swag or UberEats credit. Training has to be embedded in the culture of the company, said CISO Jason Lee, who also recommends monthly fake phishing attempts to test for employee preparedness.

Just don't do this.
