Accounting for IT Security: Working with Remote Teams

Tom Kowalski · Jul 31, 2020 · 12 min read

Companies whose business model involves offshoring face cybersecurity threats of their own. Their formula for IT security cannot be copied from a company with a more traditional model, one that works in person or within a single country.

Offshoring has its benefits, but when you engage distributed teams it is worth focusing on the security concerns a remote team can expect to face and how to prepare for them.

No Business Too Small

We see large enterprises and small companies that had already invested in cybersecurity and remote-working policies transition easily to a remote workforce. In some industries, laws require organizations to comply with specified security measures. That is a significant first step towards secure infrastructure, but the companies that are genuinely well placed are those that go above and beyond regulatory compliance and deploy systems that protect their data, employees, and clients. Many have not yet made the proper investment in IT security.

About 47% of small businesses reported a breach in 2019. For mid-sized companies, the figure rose to 63%. Industries that tend to look down on remote work (the PR industry, for example) are the most likely to have little or no specific security measures. We see the same with nonprofits, which often lack basic protections. Many of these organizations do not even use consumer products like iCloud or OneDrive, with their built-in security features, let alone commercial security software for data protection. It is alarming to think how many companies operate at high risk of a breach with no IT security measures at all.

Specializing in protecting the data and reputations of high-net-worth individuals, I can say from experience that the weakest link that will result in a breach is often the target. For example, say a nonprofit keeps a database of high-net-worth donors. Cybercriminals may target that organization for the donor list. A similar scenario is common among smaller businesses and startups, which embody the naive mindset that they are "too small" to be hacked. In reality, you are never too small to suffer a breach. Remember, Uber was once a startup; now it is a multi-billion-dollar company.

Three Main Points of IT Security for a Remote Team

It is necessary to understand cybersecurity from both a technical and a business perspective. It is not just about the company as a whole but about the individual units within it: sales, HR, and finance all operate differently. Remember the adage: your business is only as strong as its weakest link. Employees are the first line of defense for the company and its data, so employees at every level must be aware of the risks, understand them, and mitigate them accordingly.

1. Best Practices

When starting to implement cybersecurity for a remote team, it is best to examine the basics first. There are established security frameworks that anyone can (and should) use. Initially, I recommend checking out the National Institute of Standards and Technology (NIST) online. As a resource, it is highly informative and provides a foundation for your IT security policies.

2. Security Measures

When we think about security measures, we are considering what technical systems are in place to secure your data. Ideally, you should know a thing or two about these systems yourself; if you do not, it is best to have a security professional assess them. Sometimes IT professionals install these systems themselves, which is excellent, but technical expertise does not by itself make someone experienced in security or in the risks facing the individual or the business.

You need a cybersecurity expert to make sure the systems are managed effectively and audited frequently. It is not enough to do a one-time security setup and leave it; you need to reassess the systems continuously so that they keep pace with the evolution of the business and its activities. Those audits should include penetration testing: an authorized, simulated attack that shows how well or poorly your network would hold up against a real one.

3. Culture of Awareness

Many companies punish individuals for not understanding IT security, but when a user is not aware of what to look out for, they need training—not punishment. Incentive-based training works best to get everybody on the same page. If an employee receives a phishing email and reports it instead of clicking the link, give them a gift card to reinforce that behavior. Positive reinforcement will help you build a cyber-aware culture within your company.

Still, building a security-aware environment without proper governance is like building a house without a solid foundation. Policy compliance should form the foundation of your IT security strategy, because even if you are not a security expert, some protections are required of you by law. They are there for a reason, and it is up to you to follow them and make sure your employees do too. Laws such as GDPR (General Data Protection Regulation) in Europe, CCPA (California Consumer Privacy Act) in California, and New York's SHIELD (Stop Hacks and Improve Electronic Data Security) Act set out protections for consumers and obligations for the companies that hold their data. Businesses that do not follow them can end up in unfavorable legal situations and be fined.

What does a company risk by not handling security properly?

In other words, what should you be a little afraid of? Security threats can be broken down into four main categories:

1. Data Leaks/Breaches

Remember the nonprofit example from earlier? Here is how it plays out. A nonprofit employee emails the donor list as an attachment from a personal address rather than the company domain, the organization does not use a secure CRM, and the file is neither encrypted nor password protected. That employee's PC may not even have antivirus protection. A cybercriminal who targets that employee can therefore compromise the PC, and the list with it, with little effort.

It can start somewhere even more innocuous: a network printer whose default administrator password was never changed can be taken over by anyone on the same Wi-Fi network. In this case, the donor directory sent to that printer, likely full of high-net-worth individuals, is what ends up exposed.

2. Exfiltration Theft

I had direct experience with this specific type of breach. Years ago, when I was working in a corporate environment, I detected anomalies with an employee and activity related to the company’s bank account and performed an investigation. The individual had been exfiltrating proprietary information onto a memory stick. Upon confrontation, this employee grabbed a laptop and ran out of the door - and no, the computer did not have a backup. If we had a centralized monitoring system and more comprehensive cybersecurity measures in place, I probably would not have found myself chasing a rogue employee down the city streets. There is nothing worse than realizing you have been slacking on security basics, and unfortunately, many companies have not considered any of this.

3. Reputational risk

Recently, we have seen the media's attention on an employee of a large investment company who was involved in a racially charged incident while walking her dog in a public park. Another example, this one hypothetical, might be a social media attack on a CEO, criticizing them for a lack of empathy during a national crisis.

When you think about it, it sounds pretty realistic, likely even. When these incidents happen, the reputation of the organization that employs or is led by the individual is affected. You cannot always stop people from making bad decisions. You can still limit the damage through careful hiring and by managing the aftermath with carefully crafted crisis communications that address the problem and preserve your own or the company's public standing.

4. Legal and Regulatory Risk

As I mentioned earlier, it is essential to adhere to all local guidelines and policies regarding data security. Laws vary by location, so perform your due diligence. This is particularly vital when outsourcing and offshoring. Whether you do business in the US or in Latin America, where every country has privacy legislation of its own, pay attention to where your data travels across the globe. Just because you do business in one country does not mean your data stays within that country's borders.

IT Security Varies by Location

Countries typically used as tax havens tend to have strict privacy and security laws. Switzerland, for example, is one of the safest countries in terms of privacy protection. Strict laws like the Federal Act on Data Protection and the Data Protection Ordinance attract many IT security companies; many cloud-security and cybersecurity businesses operate there for that reason.

Some Swiss providers offer zero-knowledge encryption: your data is encrypted on your own device before it is uploaded and the provider never holds the key, so it can store your data without being able to read it. No one but the end user (that is, you) can access it. The caveat is that this only holds when encryption really happens client-side and the key never leaves your control; a provider that merely "encrypts at rest" with keys it manages can still read your data, and be compelled to hand it over. Other European locations with strong privacy protection include Norway, Romania, and Iceland. Further afield, consider the British Virgin Islands in the Caribbean, Seychelles off East Africa, or Panama in Latin America.

On the other hand, some places are less safe to do business in. Three countries are considered relatively unsafe when it comes to IT security. The first may come as a surprise to some: the United States. The other two are China and Russia. The reason is that all three governments monitor their citizens' activities, which implicitly threatens privacy.

Three Facets of IT Security

1. Physical

People think of cybersecurity as an online matter, but there is more to it. Suppose a government official or the CEO of a large company travels to do business in an adversarial country. On the ground, there is a good chance they ride in an armored car. What about when they get back to the hotel? A pinhole camera above the desk could be recording keystrokes. Biometric login such as fingerprint scanning, which companies in the know such as Apple now ship, reduces that exposure because the password is no longer typed in front of the camera. It does not remove it: the password still exists as a fallback, and whatever is on the screen is still visible, so treat the room as untrusted and keep sensitive work off the desk.

2. Technical

Russia, like China, processes information through centralized state servers. Many people ask, "Do I need a VPN?" Yes, you should be using one, and specifically one that encrypts. A VPN builds an encrypted tunnel between your device and the VPN server, so nobody on the path in between, such as the hotel network or a state-operated carrier, can read or tamper with the traffic inside it. Note where the endpoints are: the tunnel runs from you to the VPN provider (or your company's gateway), not all the way to whomever you are communicating with. Beyond the VPN server your traffic is protected only by the application's own encryption, such as TLS in the browser, so a VPN complements that rather than replacing it. The two ends of the tunnel negotiate their session keys during a handshake when the connection comes up; the recipient of your data does not handle any separate "transmission key".

For an added layer of security, use multi-factor authentication. The second factor must be of a different kind from the password: something you have (an authenticator app or hardware key) or something you are, not a second thing you know such as a security question, which an attacker can often research. For example, say you are logging in on your laptop. After the password, the service sends a prompt to the authenticator app on your phone, or asks for the six-digit code it displays, before the login can proceed. It is a secure way to verify your identity before accessing your accounts. Approve only prompts for logins you just started yourself; a prompt you did not expect means someone else has your password.
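The six-digit code an authenticator app displays is a time-based one-time password (TOTP, RFC 6238). The Go program below is an added example, not code from the original article, showing both sides of that exchange: the generator the phone runs and a server-side verifier that tolerates one step of clock skew and refuses to accept the same code twice. The secret is the RFC 6238 test seed, used here only so the output can be checked against the published vectors; the Verifier type and its field names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes an RFC 4226 HMAC-based one-time password for a counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// dynamic truncation: the low nibble of the last byte picks a 4-byte window
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: the HOTP counter is the number of `step`-second intervals
// since the Unix epoch, so the phone and the server agree without sharing any
// state beyond the secret and a reasonably accurate clock.
func totp(secret []byte, unix, step int64, digits int) string {
	return hotp(secret, uint64(unix/step), digits)
}

// Verifier is the server side for one user. It accepts one step of clock skew
// either way and remembers the newest step it has accepted, so that a code an
// attacker captured (shoulder surfing, phishing) cannot be replayed.
type Verifier struct {
	Secret   []byte
	Step     int64
	Digits   int
	lastStep int64 // newest accepted step; 0 means none yet
}

// Verify checks a submitted code against the given Unix time.
func (v *Verifier) Verify(submitted string, unix int64) bool {
	now := unix / v.Step
	for skew := int64(-1); skew <= 1; skew++ {
		step := now + skew
		if step <= v.lastStep {
			continue // this step (or an older one) was already used: reject replay
		}
		expected := hotp(v.Secret, uint64(step), v.Digits)
		// constant-time compare so response timing does not leak matching digits
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			v.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret: the RFC 6238 test-vector seed. A real secret is
	// random, per user, and held only by the server and the authenticator app.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totp(secret, now, 30, 6)
	fmt.Println("authenticator shows:", code)
	v := &Verifier{Secret: secret, Step: 30, Digits: 6}
	fmt.Println("first use accepted: ", v.Verify(code, now))
	fmt.Println("replay accepted:    ", v.Verify(code, now+5))
}
```

Two details matter more than the arithmetic. The comparison is constant-time, so an attacker submitting guesses cannot learn from response timing how many leading digits were right. And the verifier records the newest accepted step, which is what turns a "one-time" password into one that really is used once: a code phished from the user a few seconds earlier is rejected even though it is still inside the 30-second window.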

3. Awareness

You may have already undertaken the proper physical and technical safety measures, but those alone will not suffice. Cybercriminals do not have to brute-force their way into your system if they can just trick you into using theirs. That is why you need to be vigilant and aware of your surroundings at all times.

Here is an example. You are in an airport lounge and want to connect to its Wi-Fi, but a cybercriminal in the lounge has set up an open network called "The Official Airport Lounge". If you are not paying attention, you might connect to that unofficial network and unintentionally hand your traffic to the attacker. This is called spoofing (an "evil twin" access point): a fake Wi-Fi network set up purely to capture other people's data. (Reminder: a VPN prevents the spoofer from reading the data you send through the tunnel. It does not protect what leaves your device before the tunnel is up, such as captive-portal logins or DNS lookups, so enable your VPN client's kill switch if it has one, and confirm the real network name with staff rather than trusting the strongest signal.)

It could happen to you.

Many companies have, willingly or not, implemented comprehensive remote-working policies. The laws mentioned earlier drive some of that; industry-specific regulations such as HIPAA (Health Insurance Portability and Accountability Act) and company-specific policies contribute as well.

I have also seen many small businesses, startups, and nonprofits who have the wrong mindset about security. The mentality of “It cannot happen to me” makes them more vulnerable to an attack because they tend to lack the necessary security measures. I cannot overemphasize the need to embrace a security culture and implement awareness training for any business, big or small.

Even if your business does not have a lavish budget for cybersecurity, you should at least be using the free protections available to you. If you use a service like Gmail, you can enable multi-factor authentication today; most services offer it. Any vital file stored on your PC should be encrypted with a strong passphrase, so that only you, or a recipient to whom you have given the passphrase through a separate channel, can open it. Everyone can do this, and it does not cost a thing. Deploying these small measures significantly reduces your risk of being compromised.
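Both the passphrase-protected file advice above and the zero-knowledge storage described in the section on locations come down to the same mechanism: the file is encrypted on your own machine with a key derived from a passphrase, so whoever stores or relays the result (a cloud provider, a mail server) holds only ciphertext. The Go program below is an added example, not code from the original article or from any provider it mentions. It uses AES-256-GCM with a key from PBKDF2-HMAC-SHA256, written out in full so that it needs only the standard library; the passphrase, the donor-list sample, the function names and the file header layout are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random per file, stored in the header
	nonceLen   = 12      // standard GCM nonce size
	keyLen     = 32      // AES-256
	iterations = 100_000 // demo value; OWASP suggests 600,000 for PBKDF2-HMAC-SHA256
)

var errOpen = errors.New("decryption failed: wrong passphrase or file modified")

// pbkdf2SHA256 is PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA256, written out
// so that this example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	out := make([]byte, 0, dkLen)
	mac := hmac.New(sha256.New, password)
	for block := uint32(1); len(out) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)              // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newGCM derives the file key from passphrase and salt and returns AES-256-GCM.
func newGCM(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptWithPassword produces salt || nonce || AES-GCM(ciphertext || tag). The
// header is passed as additional data, so the tag also covers salt and nonce.
func encryptWithPassword(password, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen) // salt || nonce, both random
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	gcm, err := newGCM(password, header[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(header, header[saltLen:], plaintext, header), nil
}

// decryptWithPassword reverses encryptWithPassword. A wrong passphrase and a
// tampered file fail identically: both break the authentication tag.
func decryptWithPassword(password, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // header + GCM tag
		return nil, errOpen
	}
	hdr := blob[:saltLen+nonceLen]
	gcm, err := newGCM(password, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	if pt, err := gcm.Open(nil, hdr[saltLen:], blob[len(hdr):], hdr); err == nil {
		return pt, nil
	}
	return nil, errOpen
}

func main() {
	passphrase := []byte("correct horse battery staple") // assumption: shared out of band
	donorList := []byte("Name,Pledge\nA. Example,50000\n")  // constructed sample data
	blob, err := encryptWithPassword(passphrase, donorList)
	if err != nil {
		panic(err)
	}
	plain, err := decryptWithPassword(passphrase, blob)
	fmt.Printf("stored %d bytes of ciphertext; right passphrase -> %q (err=%v)\n", len(blob), plain, err)
	_, err = decryptWithPassword([]byte("guess"), blob)
	fmt.Println("wrong passphrase ->", err)
}
```

Note what the recipient needs: only the passphrase, passed over a separate channel (a phone call, not the same email thread as the attachment). The salt and nonce travel inside the file, and because they are bound into the GCM authentication tag, a modified header fails the same way a wrong passphrase does. The iteration count is kept low so the demo runs quickly; raise it, or use Argon2id where a library is available, for real files.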

Written by Tom Kowalski
Tom Kowalski is the Founder and CEO of Purchase Hill Group, an advisory firm that specializes in preserving clients' reputations and assets through cyber and media risk intelligence.