In the U.S., fully remote and hybrid workers are expected to account for 71% of the workforce by the end of 2023, according to Gartner. At the same time, cybersecurity threats have grown.
Cybersecurity and compliance consultant Mike Semel of Semel Consulting sees a correlation. “Hackers have become more active knowing that remote workers haven’t had the same levels of cybersecurity as when they were in a controllable office,” Semel observes.
SMBs need updated cybersecurity policies to meet the new and evolving threats posed by a remote and hybrid workforce, and managed service providers have an opportunity to help them.
Semel suggests a comprehensive approach. “Identify all your requirements. This includes laws, regulations, industry requirements [like PCI DSS], contracts, and cyber insurance.”
Security consultant Kevin Beaver, founder of Principle Logic, agrees. “It’s always best to perform an assessment to see where things stand so that you’ll know what controls and processes you need for your specific situation,” he explains.
Many MSPs find their SMB clients don’t have much of a cybersecurity policy in place at all. “Most have employee handbooks that cover some aspect of the technical,” says Matt Rose, chief experience officer at Tech Rage IT, an MSP in Winter Springs, Fla. “But, for the most part, it’s something you’ll need to create.”
For a practical first step in updating policy, both Beaver and Rose suggest MSPs provide clients with a security policy template. “There are resources available online,” Beaver says. “A good security policy template can provide guidance and save a ton of time and effort. Just know that they need to be customized.”
Rose ticks off a few very important features a cybersecurity policy or template will likely include:
Virtual private network. “Be connected to a VPN no matter what kind of network you’re on,” he says. “Even if they’re at home, employees should be forced to use VPN.”
Multifactor authentication. “Use multifactor authentication,” he adds. Indeed, a recent study by Verizon showed that 80% of breaches were caused by password attacks. Yet, as Microsoft VP of Identity Security Alex Weinert reported in a blog post on 2023 identity security trends, only 28% of users have MFA enabled.
Password management. “Do existing passwords have enough complexity?” Rose asks. He explains that his team prefers single sign-on for clients’ Microsoft platforms. “But if it’s some other tool being used, we typically want unique passwords and MFA—preferably a one-time passcode or better—and we want it saved by a password management tool.” (Tech Rage uses Password Boss by CyberFOX.)
Data governance and admin access. “Think about access,” Rose says. “For all our clients, we pull admin rights from everyone. We can grant privileges through our privilege access management solution.” (Tech Rage uses AutoElevate by CyberFOX.)
Encryption. “Ask about data management,” Rose says. “Maybe an encryption policy where all work has to be done from work-owned equipment.”
Cybersecurity policy isn’t something that’s written once and forgotten about. It’s a living document that is updated as new challenges and threats emerge.
Moreover, as Semel, Beaver, and Rose each attest, those policies must then be enacted and enforced.
“Policy is one of the hardest things to do,” Rose admits. “We’re still going through it with some clients.”
“Employees must be trained in the procedures required to comply with policies,” Semel says, “not just handed a policy manual and be expected to know what to do.”
“The most important thing is that you convey what’s expected,” Beaver says, adding that it should be management—and not IT—that holds violators accountable. “The best thing to do is to perform spot checks. See how policies are being followed. Are users even aware of them? Periodic and consistent assessments can provide great insight into how things are working and where the opportunities are for improvement.”