Light Dark
April 18, 2023 By Jennifer Gregory 4 min read
Risk Management

The debates have (mostly) stopped about whether remote work is here to stay. For many people, it’s just the way we work today. However, even three years later, cybersecurity around remote work is still a top concern. Both companies and employees have room for improvement in terms of protecting devices, data and apps from cybersecurity threats when working remotely.

In addition to remote working causing new vulnerabilities to attacks, breaches involving remote work are more costly. The IBM Cost of a Data Breach 2022 Report found that around the globe, remote working increased the average cost of a breach by nearly $1 million. Breaches in the U.S. with remote working cost $600,000 more than the global average.

Though companies set up remote working policies and security at the beginning of the pandemic, employees may become lax over time. Now is the perfect opportunity to revisit best practices and improve cybersecurity for your remote workers. By taking proactive steps, you can reduce your organization’s cybersecurity risk when it comes to remote work.

Build a culture of cybersecurity

Many employees mistakenly believe that cybersecurity is the IT department’s responsibility. In today’s culture of threats and connected devices, that’s no longer true. In fact, it’s even less the case when employees are working remotely. Instead, they must become their own cybersecurity expert for their remote work setup and home office.

By moving to a culture of cybersecurity, remote workers feel empowered and responsible for cybersecurity. Workers who have the knowledge and the responsibility are more likely to follow best practices and report any suspicious activities. However, creating a culture of cybersecurity takes a concerted effort, starting with organizational leaders. The transformation happens over time, with repeated messages and training, not through a single training class or memo.

Provide virtual private network (VPN) access

Organizations should ensure that employees are using a secure network for all company work. Many companies expressly prohibit doing company work on public wireless. But in today’s workforce, people often need to get work done in locations other than their homes. When you provide a VPN Transport Layer Security (TLS), your employees can create a secure network wherever they are located so they can send the client a contract or help a customer resolve a problem — no waiting to get home or to the office required.

Remind employees to change default passwords on home routers

Many people simply set up their routers and get started. If the user leaves the default password on the router, cyber criminals can easily hack into the network. Educate employees that strong passwords apply to routers, and regularly send reminders to remote workers to change their router passwords.

Require employees to password protect devices

If an employee loses an unsecured work phone, then a cyber criminal can gain access to the network with relative ease. By requiring all devices used for company business to be protected with a strong password, you reduce your risk. Some companies take it a step further by requiring biometric passwords, such as fingerprints or facial recognition. Employees who lose their devices should contact IT immediately so the device can be locked and remotely wiped to decrease risk and diminish its value to cyber criminals.

Create remote work cybersecurity policies

Once your employees are trained on best practices, put those guidelines in writing and have each employee sign them. Be sure to include any requirements for encryption and secure networks in the policy. Additionally, detail any restrictions on using personal devices for work purposes. To keep the policy top of mind, require each employee to sign an updated version each year during their annual review.

Require employees to use anti-malware software

Any device used for company data, including personal laptops and cellphones, should have anti-malware software. Additionally, the employee must regularly update the software with any new patches or bug fixes. Every device with even a single unpatched software program significantly increases the company’s risk of a cybersecurity attack or breach.

Focus on phishing

Remote workers may let their guard down against phishing scams or social engineering if they are working on their couch or back patio. The IBM 2022 Cost of a Data Breach Report found that phishing was the second most common cause of a breach, accounting for 16% of breaches. However, phishing breaches cost organizations the most money of all types of breaches, at an average of $4.91 million in breach costs.

When you provide employees with training on best practices, such as not clicking on unknown links or not downloading files from people they don’t know, they are more likely to avoid phishing scams. Be sure to also provide employees instructions on what to do if they receive a phishing email or actually click on a potentially malicious file.

Consider endpoint detection and response

While anti-virus software should be an integral part of home office security, it’s simply the first step. With endpoint detection and response (EDR) solutions, remote employees have the same protections as they did in the office. If the employee clicks on a file that begins downloading malware, the EDR detects the threat and interrupts the download.

Remote working has become standard and simply the way we work. But it’s important to prioritize cybersecurity risks associated with working from home. By routinely reviewing and evaluating your remote work processes and practices, you can keep your organization as secure as possible, regardless of where employees work.

 |  |  |  |  |  |  |  |  |  |  |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from Risk Management
February 14, 2025

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

February 12, 2025

When you shouldn’t patch: Managing your risk factors

4 min read - Look at any article with advice about best practices for cybersecurity, and about third or fourth on that list, you’ll find something about applying patches and updates quickly and regularly. Patching for known vulnerabilities is about as standard as it gets for good cybersecurity hygiene, right up there with using multi-factor authentication and thinking before you click on links in emails from unknown senders.So imagine my surprise when attending Qualys QSC24 in San Diego to hear a number of conference…

February 3, 2025

CISOs drive the intersection between cyber maturity and business continuity

4 min read - The modern corporate landscape is marked by rapid digital change, heightened cybersecurity threats and an evolving regulatory environment. At the nexus of these pressures sits the chief information security officer (CISO), a role that has gained newfound influence and responsibility.The recent Deloitte Global Future of Cyber Survey underscores this shift, revealing that “being more cyber mature does not make organizations immune to threats; it makes them more resilient when they occur, enabling critical business continuity.” High-cyber-maturity organizations increasingly integrate cybersecurity…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature