SMBs Face Cyber Security Challenges with Hybrid Workplace, Remote Workforce

By: Lee Rickwood

June 28, 2024

The number of employees working mostly or full-time from home skyrocketed during the COVID-19 pandemic, peaking at nearly 40 per cent.

And for various reasons, the number of remote workers has remained high ever since. Recent studies show some five million people in Canada – 20 per cent of the workforce – work from home most of the time. In 2016, in comparison, that number was only 7 per cent.

This hybridization of the workforce is here to stay. Remote workers like it: 90 per cent say their productivity is equal to or higher than in the office. Nearly half would prefer to work remotely half of the time; more than a third say they would rather work at home all the time.

It’s been estimated that as many as half of all advanced economy jobs could be done remotely, and many businesses see a chance to consolidate office space and reduce associated costs among the benefits to their bottom line.

But many do not fully see the associated cybersecurity challenges and risks when working with a partial or fully remote workforce.

One of the most concerning challenges is us: it has been estimated that 80 to 90 per cent of all data breaches are caused by human error. Overcoming those operational shortcomings and behavioural miscues so that all employees are empowered to meet various cybersecurity challenges is a significant and ongoing undertaking that requires planning, training, resources and support.

Florin Soltan, Cyber Security Product Manager, Acronym Solutions

That’s how many cybersecurity experts see it, Florin Soltan among them. He’s a Cyber Security Product Manager at Acronym Solutions, a Canadian IT and telecom firm that grew out of Hydro One Telecom.

He knows that for some small or medium sized businesses, cybersecurity might be seen as but an added expense or operational roadblock. Even larger enterprises may face challenges building and sustaining a culture that is security-minded.

“Cyber should be first!” Soltan says with conviction. “Some companies never think about it; some make small investments in-house, maybe hire one or two people, and they think that is enough. Not anymore.

“Now, you have to be on the top wave,” he says. “You have to layer your protection. You have to realize you are not one platform; with a hybrid workforce in action, you are many.” Multiple users mean multiple end points, he underscores. Remote work means multiple devices are being used to regularly access and work with company data. Each end point – each device a remote worker uses, be it phone, laptop, desktop, tablet – is a potential attack surface. Each can be compromised.

Key to securing such a dispersed and varied work environment is preparing and educating the staff, Soltan says. While he strongly urges employers to make sure employees and remote workers stay updated on cybersecurity best practices and procedures, he knows that one in three organizations do not provide cybersecurity training for their remote workers.

(As just one example, a company I worked for in a part-time capacity as a remote worker during COVID did provide complex passwords for remote log-ins, but no specific or additional cybersecurity training. Not saying the two are related, but that company was hacked, its IT infrastructure compromised, and its online activities suspended for several days.)

“Small and medium businesses should provide training and leverage it to their advantage,” he says. “Cyber risks pose a threat not just to operations, but to the company brand. So security protocols and best practices should be covered through regular training and testing sessions. Employees need to be fully aware of the risks and should be educated to recognize and respond to cyber threats like ransomware, phishing attacks and social engineering. Cyber criminals know many more workers are handling both personal and professional data and often on personal devices.”

Soltan recommends once-a-month training sessions, conducted online as necessary, with follow-up quizzes and tests. If an employee fails a test, he or she should re-attend the session. Additional information, reference materials and cyber updates can be distributed via email or made available on company websites.

Training can be delivered to any size organization, he affirms, citing various subscription models and fee-for-service cybersecurity training programs (including those offered by Acronym).

Interacting with cybersecurity knowledge experts and training partners on the outside will help turn a company’s workforce into its best line of defence, as workers learn the latest techniques to protect and secure email, how to best defend company networks and worker devices, and the best way to provide safe back-up for company data, be it on-site or in the cloud.

Remote workers must know how to protect their home devices and Wi-Fi network, Soltan cites as an example, by always changing the default password that comes from the manufacturer or service provider. He recommends a strong passphrase over simple passwords. Routers or other devices on the home network must also have the latest firmware update, without which they are open to cyber attacks.

Whenever possible, remote workers should use separate devices for work and personal activity. In any case, devices on which work is done should be encrypted. There are tools to enable remote locking of devices (should they become lost or misplaced) and tools to find (or wipe) a device if necessary.

Identification credentials like strong PINs or passwords should always be updated to thwart potential attacks in the home office or corporate boardroom.

Password managers are a key tool for any worker or organization, Soltan says. Cyber criminals are trending towards the use of sophisticated password-hacking algorithms, he adds, making simple passwords easier and easier to hack through.

“Passphrases, a jumbled combination of words and even numbers, make no sense to these password-hacking algorithms. Even so, I recommend changing passwords at least twice a year, and if you are working with very sensitive data or PII (personally-identifying information), you want to change them every month.” Whenever possible use 2FA, he adds, or two-factor authentication, for log-in credentials (especially on the password manager).

Soltan points out that another cyber-criminal technique, social engineering, is a new way to obtain sensitive personal information or corporate credentials. With tons of info available on social media, for example, they can often convincingly pretend to be someone they are not, making their phishing scams that much more convincing. Deep fake audio or video only makes phishing scams that much more of a threat for which training is essential.


No matter where they work, educated employees are a company’s first line of defence against cyber threats.

Soltan says effective cybersecurity training is an on-going process, and he knows keeping up-to-date is not an easy process. “Bad actors are always trying to be ahead of you. I encourage companies and workers to practice sound cyber hygiene: good equipment and software can help protect your IT environment,” he says, but particularly in a hybrid work environment, “employees must be empowered to make use of good cybersecurity habits as well. Training, planning, resourcing are all a part of that.”

Making outside service providers a part of the workplace cybersecurity team can help guide companies and their remote workforce as they face the challenges of a hybrid work environment, sharing tips and techniques, identifying the latest threat profiles, showing how other companies secure their IT environments, and demonstrating how educated employees are a company’s first line of defence against cyber threats.

No matter where they work.
