Security is vital for small businesses but the rise of remote work adds an extra layer of complexity to safeguarding company systems and data. Data security for remote work cannot be compromised, so what are the solutions for security in workplaces that manage staff in a hybrid environment?
As we saw in our previous report, UK workplaces have continued to use remote and hybrid work solutions following the pandemic and these working models remain popular amongst workers. However, whilst many benefits of remote work can be cited for both employees and companies, there are also important cybersecurity risks to data and systems that should be addressed.
Running a remote company opens a business to many risks of a cyber breach that were easier to mitigate previously when in-office attendance was mandatory. Insecurities such as unprotected Wi-Fi access, less direct oversight from an IT team, and the possibility of workplace devices such as laptops being lost when travelling to and from an office are just some of the concerns that arise.
We surveyed 1,004 UK remote and hybrid workers to understand how companies currently address these concerns. From this, we hoped to learn what small to mid-sized enterprises (SMEs) can do to optimise their approach to security and keep their data safe.
Most passwords rely on an employee’s memory
Password management practices are important for many reasons. Password security ensures access to crucial tools is available when needed and, most importantly, keeps cyber criminals out.
There are a few ways password management can be handled. In many cases, employees will be tasked with managing individual sign-in details their own way, although companies can put in place policies so that passwords are more secure.
In the case of our sample of SME hybrid and remote employees, we observed a number of methods in use. However, there was one clear leader for password management: memory.
Secure ways of storing login details, such as password management software, were among the most common methods used by the SME employees we surveyed. Even so, individual memory was 15 percentage points ahead.
Tips for SMEs
Password management software can prove essential to companies in helping employees quickly access secure passwords and facilitate good passphrase security practices.
Some key advantages include the following:
- Secure password generators
- Staff can create unique passwords for all sites they use
- Secure encryption
- Faster input thanks to password autofill functions
- Employees no longer need to memorise multiple passwords
Naturally, the fact that nearly half of our UK sample relies just on memory to keep passwords safe opens the possibility of being locked out of accounts if the keyphrase is forgotten. This could potentially cost a company time and resources to fix.
This example shows why it’s important to plan a workplace policy for password management. Having rules in place on where employees can and should store passwords for internal use can avoid the potential disruption caused should a password be forgotten.
51% of remote employees use unique passwords for every site
Creating and managing passwords needs to be handled carefully to ensure systems and cloud-based tools are as secure as they can possibly be. The more difficult a password is to guess, the less likely it is that a hacker will gain access to sensitive information.
A hack can also be more likely if an employee creates a password and uses that same single sign-in phrase on multiple sites and accounts. In this instance, it opens the possibility of these access points being compromised in one go.
Nevertheless, we observed that most of our sample uses unique passwords on most of their accounts.
We did, however, see that just over a fifth (21%) used the same password across all sites.
Did you know?
The National Cyber Security Centre (NCSC) makes several recommendations for reducing reliance on passwords within an organisation and adding extra layers of cybersecurity to counteract threats.
Some security protocols companies can use to add further protection to their systems include:
- Multi-factor authentication (MFA): adding an extra step of confirmation for logins such as a single-use code or an app prompt from the user’s mobile.
- Single sign-on systems (SSOs): allowing users to only have to remember one password which in turn gives them access to multiple services and applications on a network.
Are employees mixing company passwords with personal accounts?
Another crucial factor that could influence the security of company logins is whether remote workers share their passwords between personal and business accounts. Like using a single login for every app and service, sharing company passwords on a personal device or account adds more points of access for a potential hacker, especially as it takes hackable details out of your network security controls.
We found that half of SME employees who repeated passwords across different sites also repeat passwords across business and personal accounts regularly, or at least some of the time.
This is something that SMEs should be very careful about. They should make it clear to employees that these practices create significant risks to data security for the organisation. These kinds of small insecurities can make it much easier for a breach to succeed.
How often are employees changing passwords?
Employees with multiple passwords are also actively changing their main business passwords regularly. The largest group (38%) have changed their login in the last six months, whilst a similar number (37%) changed their password in the last month.
Others updated their passwords less frequently with 13% having changed their passphrase over one year ago and, more surprisingly, 6% who have never changed their main credentials. Another 6% couldn’t remember.
Whilst it has been conventional wisdom for many years that passwords should change often, expert opinion has shifted in recent years to advise only changing passwords if they are known to be compromised.
The concern with frequently changing passwords is that users will start to rely on weaker passphrases if they have to keep formulating new ones. Instead, it is recommended to focus more on creating strong and unique passwords that are difficult to crack.
Employees are the frontline of remote workplace data security
A company’s employees are its first line of defence in keeping data security and systems safe. Everyone with access to sensitive information plays a part in keeping it confidential and secure and it is important to ensure employees are actively working towards that goal.
Do the UK’s SME remote and hybrid workers stand up to that test effectively though? We investigated by asking for information on the steps employees take to ensure a safe and secure remote/hybrid working environment.
As seen in the graph above, some of the most common actions that employees take are to ensure system software is regularly updated, use multi-factor authentication (MFA) so accounts are harder for hackers to breach, lock devices when they are unattended to avoid unwanted access, and install antivirus software on their systems.
Many positive practices are on show amongst the SME employees in our survey, although there is still room for improvement. For every option we studied, less than half of respondents were actively practising the security measure, including more passive tasks like updating software and antivirus tools.
Not keeping software properly updated opens companies to security vulnerabilities and misses fixes that could keep systems secure. It is important to make employees aware of the importance of allowing applications to update and also to give administrative staff the ability to make updates obligatory on company systems.
Preparing for the worst-case scenario
The correct leadership needs to be in place to ensure that there is a clear direction on how to react to a cyber threat. Employees need to know who to contact if a breach occurs and adequate security training needs to be given. This is even more important if staff are working remotely.
In the case of our sample, we observed that most (61%) had a dedicated team or member of staff responsible for the task of security and privacy compliance, and knew who to contact should an incident occur. However, we also observed that 17% of respondents didn’t know who to contact for these purposes and another 22% didn’t have a responsible party in their organisation or weren’t sure.
As we can see, a cumulative 39% of our sample didn’t have dedicated touchpoints or didn’t know who they could reach out to if a security incident occurred. This means a considerable proportion of companies currently put themselves at risk of greater harm should the worst-case scenario occur.
Tips for SMEs
It’s important that staff know who to contact in a security emergency quickly. SMEs can use team communication software and intranet software to ensure the information they need is shared internally and easy to access if it is needed.
Is enough cybersecurity training available to SME staff?
Another major obstacle that companies face in addressing cybersecurity is training staff on correct procedures and compliance in the case of a significant security threat such as a ransomware attack or hacking attempt. We saw that most of our participants received training of some sort (as seen in the graph below).
Despite the clear majority receiving training in some form, we still observed that 17% of participants UK-wide had not. This was even higher in England outside of London, where 23% of participants had received no security training at all.
English staff outside the capital being less prepared to deal with digital safety risks underscores the importance of ensuring that adequate security awareness training is available. This can go some of the way to prevent some of the habits we’ve seen such as insecure password management or a lack of emergency preparedness from risking sensitive data and systems should the worst occur.
80% of UK employees have received phishing emails
Phishing attacks are another common way that SMEs may encounter a cyber breach. Therefore preparing employees with procedures and guidelines on what to do if they encounter a phishing email is an essential consideration.
What is phishing?
Phishing occurs when a cyber criminal sends a fraudulent email to a recipient. This email will usually take on the appearance of a trusted organisation to encourage recipients to interact with it. This prompts recipients to divulge private information such as passwords and financial data such as credit card details.
Phishing already affects internet users in the UK widely. An Office for National Statistics (ONS) survey conducted in 2022 discovered that half of all adults in England and Wales received a phishing message during the month before being surveyed. This is being exacerbated by the increase in generative AI tools, according to a Europol advisory posted in March 2023.
We observed this trend in our sample too. 80% reported that they had received at least one phishing email, suggesting the problem is widespread.
We also observed a mixed picture in the organisations that these emails impersonated. Our respondents who had received them observed that many were impersonating companies; however, around a fifth (21%) claimed these had impersonated government entities.
How to avoid a phishing scam
As we can see from the data, phishing attacks are ever more common and SMEs need to be on guard. There are a few ways that companies can mitigate the risks of a security breach from a phishing message.
- Take advantage of training software and security awareness tools to explain the signs of a rogue message or give employees basic simulation exercises.
- Put a spam filter in place to prevent phishing emails from getting into employee inboxes.
- Ensure software is regularly updated to get the latest security patches.
Avoiding the phishing bait
The threat of being phished is very real, as we’ve seen in our data. Are remote/hybrid companies ready to deal with this growing risk and do employees know what to do if they are phished?
We observed that participants who had received these messages were able to avoid the worst effects of an attack. 45% reported the incident to their security team and 44% recognised it was a phishing attempt and ignored it. We also observed that 66% of those receiving a phishing message changed their passwords following the attempt.
However, whilst only 1% entered personal or sensitive information into a website linked in the phishing attempt, 7% admitted to opening the bogus email by accident and 4% clicked on its link.
These signs seem to show that most company employees are wise to the threats posed by a phishing attack. Their responses and follow-up practices seem to indicate mindfulness of these risks and proactive security measures. However, we still saw that a noticeable proportion of people forewent these steps or came close to falling for the phishing message, meaning companies can’t lower their guard just yet.
Protecting workplace data security from threats
Cybersecurity is vital to keeping companies running smoothly and maintaining a positive reputation. We saw in a GetApp report earlier this year that online security worries are growing amongst consumers, who now have minimum expectations of what companies should do to safeguard their web safety.
Some important principles that SMEs should keep in mind for keeping their systems defended and employees aware of their part in holding cybersecurity threats at bay include the following:
- Passwords: remind employees to use unique, strong passwords that are not shared between workplace and personal accounts
- Security response: have a response plan ready for security breaches and make sure employees are trained on what to do or know who to inform if the worst occurs
- Phishing: spread awareness through the organisation of the risks of phishing and run regular simulations to prevent a rogue email wreaking havoc
We’ve seen during this study of remote work that employees play an essential part in keeping cybersecurity standards high. Therefore it’s important for businesses to ensure that security training is given regularly, especially as new threats such as an increased prevalence of phishing arise, and that the right tools are put in place to help keep company systems and sensitive information such as passwords secure.
The data for GetApp’s 2023 Remote Work Survey was collected in April 2023 and comprises answers from 1,004 respondents. We selected our survey sample based on the following criteria:
- UK residents
- Employed full or part-time in companies with between 2 and 250 staff members
- Aged between 18 and 65
- Working fully remote or hybrid in a role above trainee level