6 minute read 16 Apr. 2020
ey remote man working from home

Six ways to secure your remote workforce now

By Yogen Appalraju

EY Canada Cybersecurity Leader

Committed to helping clients minimize the impact of cyber threats. Proud husband and father.

6 minute read 16 Apr. 2020
Related topics Consulting Cybersecurity

The shift to full-time remote working can expose organizations to more cyber risks. Get real-world examples of questions companies should be asking themselves. 

Uncertain times breed vulnerability. Even before our current market situation, global execs estimated cybersecurity breaches would reach US$6 trillion by 2021. Now, translate that into our current environment, where the overnight shift to remote working has spread teams, data and IT control to offsite locations, and layer in the cutbacks and downsizing that’s impacting companies right now. Suddenly: your organization may have an even bigger gap for cybercriminals to exploit.

How can you secure remote teams and enable them to stay productive in this new reality? Make your people part of the solution. In Canada, 63% of organizations say they spend less than 10% of their IT budget on cybersecurity. That means cybersecurity needs to be everyone’s responsibility in this remote working world.

Asking these six key questions and learning from real-life Canadian examples since this new normal began, can help you cope now, and plan for the future:

1.  Do we have a clear work-from-home policy in place?

Refreshing your policies and communicating them clearly matters. Define what you expect from employees now working from home, and how this will change post-pandemic. Include protocols to embrace, and troublesome practices or tools to avoid. Be sure to reinforce how confidential information should be handled, transferred, stored, protected and even discussed (i.e. never in a public space).

Case in point: One medium-sized data hosting company headquartered in Europe, and operating here in Canada, learned this lesson the hard way. With no remote working guidelines to lean on, employees lacked clarity around which tools, personal devices and software to use. That uncertainty led to a very real potential data breach in March with an investigation underway to determine the severity of the breach.

2.  Are we offering enough training?

Policies are only as strong as a team’s ability to follow them. Prioritize virtual or remote training to help make sure your employees are prepared to bring policies to life. Webcasts, short videos, and two-way dialogue work well. Using case studies and examples to illustrate any new cybersecurity risks teams may encounter, and the steps to take if they do, can bolster organizational defences.

Case in point: A Canadian financial institution located in Quebec seized the upside of this disrupted environment to develop and deploy new workforce training modules through their web-based security training platform. They’re preparing modules in advance, and deploying them as specific issues pop up. This organization gets it: employees are our first and best line of defence.

3.  Where is our infrastructure vulnerable?

If you’re not already using a virtual private network (VPN), or a mobile device management/enterprise mobility management (MDM/EMM) solution, consider one now. VPNs enable your staff to connect to the organization’s network as though they were in the office. That keeps your team off less secure web and device duplicates, while encrypting links between remote employees and internal networks. MDM and EMM solutions help you set global security standards for mobile devices which dials down the risk of data exfiltration. Don’t forget to also focus on the latest patches and updates for applications and operating systems.

Case in point: The quick shift from paper-based, on-site work to a remote environment immediately triggered a similar realization for one leading Canadian law firm. As soon as they shifted to digital data in March, their team was unable to securely access sensitive information, share it safely, or collaborate confidentially. They swiftly moved to get the right infrastructure and tools in place to safely handle sensitive digital information.

4.  Is our password game strong?

Seems basic, but something as simple as strengthening current passwords can go a long way to securing remote teams. Talk up the importance of replacing weak passwords with stronger passphrases. If you’re still concerned, consider implementing a multi-factor authentication (MFA) system to make doubly sure cybercriminals can’t get in.

Case in point: When a large mobility manufacturing company’s workforce went remote, they upgraded all password policies to stronger standards. Even so, they soon noticed an increase in malicious log-in attempts as hackers began to capitalise on the current situation last month. Because of their newly implemented use of MFA – and stronger passwords where MFA wasn’t possible – they were able to head trouble off at the pass.

5.  Are we shutting down risky emails quickly?

We’re already seeing an uptick in phishing scams that use email to get people clicking dangerous links and opening sketchy attachments. Your people are your best line of defence against these risks. Keep sharing the schemes they should watch out for. Back people up with spam filters, antivirus programs, automatically scheduled updates and encryption options to help fight the good fight.

Case in point: Turbulent times fuel phishing and social engineering schemes. In Canada, our cyber threat report shows hackers are already using the trusted names of widely-known organizations to trick businesses and employees. Organizations that talk openly and often about these risks can up their chance of fending hackers off.

6.  Are we walking the talk to enable behaviour change?

Tone from the top is one thing. Leading by example is another. Employees need to see leadership embracing similar mindsets, and joining them on the frontlines to embrace a new way of working. Identify a few stand-out leaders to operate as your cybersecurity influencers. Arm them with best practices they can use to exemplify proactivity, transparency and accountability. Establish a cross-functional governance committee to track results, and adapt the plan as situations and cyber risks evolve.

Case in point: One mid-sized financial institution we work with embraced this approach by identifying champions across the business. Each leader is now responsible for cybersecurity within their functional area. That top-down support is already making an impact since the company embraced remote working in March.

Where do we go from here?

No one could’ve predicted the kind of large-scale corporate office shutdowns we’re living through. Rallying your people to strengthen security for your remote workforce can help now, and make your organization more flexible down the road. All things considered: will you use this time to refresh your approach, or let the opportunity pass you by?

Visit ey.com/ca/cyber to find out how EY can help you protect your business.

Visit ey.com/en_ca/workforce to find out how EY can help change the way your people work.

Co-authored by:

Marco Sandoval, Manager, Cybersecurity Risk Management

Rosalie-Ann Massé, Senior Consultant, Cybersecurity Risk Management


With cyber threats on the rise, the time is now for Canadian companies to bolster their defences against the new risks remote working can bring. Asking these six key questions and learning from real-life examples can help protect your business now and in the future.

About this article

By Yogen Appalraju

EY Canada Cybersecurity Leader

Committed to helping clients minimize the impact of cyber threats. Proud husband and father.

Related topics Consulting Cybersecurity