Creating a successful remote work policy: examples and best practices

Remote work is now a key part of how many businesses operate. It offers new ways of working, like flexible hours and the chance to save money on office space. Because of this, it’s important to have a clear plan for remote employees and those who work both in the office and at home. 

In this article, we’ll take a look at how to put together a remote work agreement for your company. We’ll cover why you need one, what should be included, and some helpful tips for making it work. By planning ahead, businesses can make the move to remote work smoothly, leading to a successful and energetic work environment.

What is a remote work policy?

A remote work policy is like a set of rules that bosses and workers follow when working from home or outside the office. It explains everything you need to know about working remotely, like your job duties, when you should be working, the technical help you can get, and other important information.

This policy helps to protect both the company and the workers so nobody gets into legal trouble. It sets fair rules for everyone and ensures all employees understand what they need to do when working remotely.

A remote work policy might talk about things like:

  • What equipment you’ll need

  • Making sure you have a good internet connection

  • How you’ll talk to your co-workers

  • Ways to keep computer information safe

Having a remote work policy helps businesses be more flexible, letting people work where they want while ensuring everyone does their job right and keeps information secure.

The details of a remote work policy can change depending on things like what kind of business you’re in, how big your company is, and what laws you have to follow. But no matter what, certain things are always important regarding remote work policies.

Why does your company need a remote work policy?

After the COVID-19 pandemic, there was a shift in employees’ view of remote work. A well-defined remote work agreement becomes crucial with the increasing prevalence of remote workers. Here are the main arguments for it:

Work flexibility is not a bonus but an expectation

Work flexibility is in greater demand than ever before. According to the American Opportunity Survey, when people have an opportunity to work flexibly, 87% of them take it. This is noticeable across occupations, demographics, and geographies. The data shows that the remote work trend continues to shape the future of work relationships.

According to the same research, the third most popular reason for workplace changes was a search for more flexible work arrangements. This means businesses that have already adopted remote work policies have the advantage of attracting top talent. Yet, it’s first necessary to form a remote work policy to move forward with remote work as a practice.

Remote work brings value to the company

There are tangible business benefits directly attributed to flexible working conditions. Working from home increased productivity by 5%. This shows that giving employees the freedom to choose how they work enables them to be more efficient within their scope of work. In this case, the business wins, as it reaps the productivity benefits.

Additionally, remote work expands the pool of potential employees. This means that the workplace can attract global talents while fostering innovation, ultimately leading to improved profitability. Far from just being something that exists to please employees, remote work has direct and quantifiable effects on business performance. Yet, it also needs a remote work policy to be viable.

Compliance must remain a priority

Remote work, just like any other job, has to follow specific laws and rules. Employers need to know where their employees are working to avoid legal and tax problems. Since these rules can be very different in various places, it can be tricky for companies with remote workers in different regions or countries.

They also have to think about things like health insurance, which plays a big part in shaping remote work policies.

It’s crucial to regularly check and update remote work rules with the help of legal, HR, IT, and other important departments. This helps to keep everything running smoothly and legally. There may be limits on where or for how long employees can work remotely, and these rules should be part of your remote work policy. By putting these rules in place, you can protect your organization against future misunderstandings and communication breakdowns.

Data security and confidentiality

Employees working from home or elsewhere can create security risks for the company’s information and digital assets. To keep everything safe, the company needs a clear policy for remote work. This policy should spell out the rules everyone must follow to protect sensitive data and other important information.

The remote work policy should also include other safety measures, like:

  • Making sure that remote workers are using safe, up-to-date software.

  • Requiring them to use virtual private networks (VPNs) to keep their connections private.

  • Making them use multi-factor authentication to access company systems, which means they have to provide more than one piece of information to prove who they are.

  • Requiring encrypted communication tools for sensitive conversations.

  • Regularly updating and patching remote devices to guard against possible weaknesses.

By following these steps, the company can keep its valuable assets safe and maintain the trust of its clients, partners, and stakeholders in a world where more and more work is being done remotely.

Remote work policy components and examples

To help you create your remote work policy, we drafted a potential structure that could be used as an example.

Objective

This guide outlines the conditions and regulations for staff members working from places other than designated work locations such as [office, building, floor, etc.]. It aims to ensure that both employees and supervisors know the remote work conditions and guidelines.

The relevant authorities [supervisor, manager, Human Resources, etc.] must first approve all remote work requests. This remote work regulation stays effective until [an end date is set or the policy is reviewed].

Applicability

This policy is relevant only to [full-time employees, suitable part-time employees, staff not in training, etc.].

Guidelines

Eligible staff members are required by [Company name] to work remotely on a [temporary or permanent] basis. Work can be carried out [anywhere, specific city or state, etc.].

The following criteria must be outlined for positions that qualify for remote work:

Work timing and presence

Specified times when remote employees must be working

Example: “Remote employees should be actively working according to the schedule outlined in their contract. If an alternative work schedule is desired, written consent from a supervisor must be obtained, and the new schedule must be communicated to the team.”

Remote work setting

Standards related to the remote working space

Example: “To ensure optimal productivity, remote workers must select an environment without distractions, with stable internet access, and conducive to focused work during working hours.”

On-location work

Steps remote employees need to follow when working on-site

Example: “If planning to work at the office, remote employees should use [Company Name]’s reservation system to check and reserve available workspaces to prevent overcapacity.”

Communication expectations

Preferred methods of communication and expected response times

Example: “Remote employees should be accessible through Slack or phone during working hours and should reply to emails within a day unless specified differently in the client’s statement of work. Regular check-ins with teammates and attendance at mandatory meetings are also required.”

Tools and technology

What will the company supply in terms of hardware and software

Example: “[Company Name] will furnish remote employees with the necessary tools and technology tailored to their roles and responsibilities. This equipment must be used exclusively for business and kept secure.”

Information security

Instructions for safeguarding confidential information

Example: “Remote employees are expected to follow the company’s acceptable use policy (AUP) and bring your own device (BYOD) policy, taking necessary measures to reduce cybersecurity risks and safeguard sensitive and proprietary information.”

We made a helpful template for remote work guidelines

Best practices for implementing a remote work policy

Implementing a remote work policy benefits employees and employers, allowing flexibility and the ability to tap into a broader talent pool. However, to ensure success, it’s a good idea to consider the following best practices.

1. Identify which roles are suitable for remote work

Not every position in an organization can seamlessly transition to a remote work arrangement. While a software developer may easily work from home, an office administrator may not be able to fulfill all job obligations remotely. Therefore, it’s necessary to outline which roles can function in a home environment without decreasing employee performance.

It’s also important to look at the tasks themselves and determine whether they can be done remotely, even within job roles that are generally well suited to remote work. In those cases, setting a fixed amount of time for in-person and remote work is a good compromise.

2. Reinforce the guidelines

It’s important to know which company rules and guidelines need to be followed, even if employees are working from home. All the usual company rules still apply, but we need to make sure everyone understands that these rules aren’t put on hold just because they’re working remotely.

By providing clear and easy-to-understand guidelines, we can set clear expectations for everyone. This will help prevent confusion and make managing remote work much easier. It creates a level of openness and trust that will make remote working a smooth and efficient process for all involved.

3. Create remote work plans

Company goals need to be broken down into clear and achievable targets. Department heads can help turn these big objectives into practical tasks and responsibilities. This gives employees a clear path to follow, making their jobs easier during changes or transitions.

Managers should make it a habit to lay out these plans and talk them over with their teams. They should also keep an eye on progress to make sure everyone is on track to meet the goals. This helps prevent confusion, especially when shifting to a remote work model that may require more effort from employees outside the office. It keeps everyone on the same page and ensures a smooth transition.

4. Specify the necessary tools for remote work

Remote workers need the right technology and help to do their jobs and work together with their team. This means making sure they have what they need to do their tasks from home or elsewhere. Sometimes, you might even need to buy extra software or tools to help remote workers handle the special demands of working away from the office.

Remote work often causes communication problems and mix-ups. But by supporting remote employees with different tools, you can help them stay in touch in real-time. This makes it easier to sort out any problems that might come up.

5. Detail insurance and liability considerations

If you’re working from home, it’s essential to know your rights and how things like injuries or losses will be dealt with. A good remote work policy will cover all these details, including benefits, insurance, and liability considerations. It’s not just important for employees; employers need this too, to make sure that everyone’s working in a safe and secure way.

What does all this mean in practice? Well, it helps create a positive work environment and makes sure that the company is following the law, reducing legal risks. Plus, it shows that the company really cares about its employees’ well-being and safety. By being clear and open about the rules and policies, it can help build trust and make remote workers feel like a part of the team, boosting productivity and inclusion within the company culture.

Easier cybersecurity with NordLayer

Remote working is quickly transforming traditional employment models. Yet, in this arrangement, the company and its employees share the responsibility of maintaining security and the well-being of company data. Achieving this may only be feasible with the right tools and solutions for network management.

NordLayer offers a package for hybrid work security that enhances the safety of working remotely. We enhance collaboration between remote employees and modern businesses allowing them to control access to company resources and safeguard critical assets.

Without needing any special hardware, NordLayer provides an accessible solution suitable for businesses of all sizes and easily enables secure remote work from anywhere. Solve your remote work challenges with effective solutions to make your setup safer.

Contact our sales department to learn more about our solutions and uplift your remote work capabilities today.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Data security habits of business professionals today

In June 2023, we conducted a survey for which 500 business professionals provided answers about their data security habits.

Our key findings:

  • More than 50% of companies have experienced a cybersecurity incident in the last 12 months.

  • About 25% of respondents wouldn’t know what to do in case of a cyberattack.

  • Only half of the companies use encryption.

  • Approximately 40% of companies don’t have a dedicated person for cybersecurity incidents.

  • Nearly 25% of companies have never had any cybersecurity training.

  • About 39% of respondents have sent an email to the wrong person at some point in time.

  • The industry most vulnerable to cybersecurity issues is marketing.


We are all defined by our habits. Habits help us give shape and structure to our everyday lives and — when they’re good — they allow us to be healthier, happier, more productive, and more successful.

Bad habits, on the other hand, can lead to us making wrong assumptions, incorrect judgments, and poor decisions. Some habits are difficult to identify as bad until something goes wrong — however, many can be noticed when we look at our actions with an objective eye.

Below you will find the results of our survey on the data security habits of today’s business professionals. For some, these results will be a big surprise while for others, they will be a reason to re-evaluate their own cybersecurity strategies.

Here’s what we found out…

Discovery #1

As many as 54% of companies have experienced a cybersecurity incident in the past 12 months

That’s right. More than half of our respondents faced either phishing, a data breach due to a third-party vendor hack, malware infection via a malicious email attachment, or some other cybersecurity threat in the last year.

When it comes to industries, our analysis shows that the marketing industry is most likely to experience issues such as data breaches resulting from a third-party vendor compromise. Other industries, such as the legal industry, face such problems less often but none of them are totally immune to cybersecurity incidents.

Discovery #2

About 40% of companies don’t have a dedicated person in case of a cybersecurity incident


Despite unclear responsibilities and sometimes not having one specific person they can reach out to, 75% of respondents say that they would know — based on training (52%) or employer’s instructions (22%) — what to do if there was a cyberattack in their company.

But that also means that 25% of those surveyed wouldn’t know what to do if there was a cyberattack.

Discovery #3

Approximately 24% of companies have never had any cybersecurity training

Our research shows that not only have 1/4 of our respondents never undergone cyber protection training, but most respondents only attend such training once a year (25%) or once a quarter (25%) — or just once during onboarding activities (9%).

Only 17% of those surveyed conduct cybersecurity training once a month to increase employees’ awareness of potential dangers they can encounter.

Discovery #4

Many employees think that companies hold them accountable for security issues

When asked about responsibility for phishing attacks, ransomware attacks, and malware infections, respondents said that companies often pointed to employees as the ones who should be held liable for these types of threats.

Discovery #5

Only 56% of respondents are required to update their software

Despite the importance of constantly updating software and devices used for business purposes, only slightly more than 50% of companies require employees to carry out this activity. In the remaining cases, respondents say that they update the software of their own volition (22%) or simply indicate that such processes are not required at their organizations. In both cases, it is hard to say whether they regularly update their tools or not.

Discovery #6

More than 30% of respondents store their personal information on their work computer

Although our research indicated that only 22% of respondents use work computers for personal purposes, it is still a number that can push your imagination to some unsettling scenarios. 

After all, you can also read the above information like this: one in five people use their work computer for personal purposes or to store their personal data. Putting it this way adds to the gravity of the situation.

Employees using work devices for personal purposes can significantly affect the security of company data, especially when faced with threats such as ransomware attacks (hackers may try to use the information on the device to intimidate the employee into giving access to company resources).

Our research also reveals that 36% of respondents are highly concerned about their own privacy when using their work computer. Asked whether they would see a leak of their personal information as a significant threat, 61% confirmed they would.

Discovery #7

Only half of the companies use encryption

Not only do some of the respondents not use encryption (24%) or know whether their company secures documents with it (23%), but also 39% of them confirm that they had, at some point in time, sent an email to the wrong person.

In other words, it means that there is a significant probability that many unsecured documents (that can easily be accessed and exploited by hackers) are shared by company members on a daily basis. There is also a considerable danger that these documents may sometimes be sent to unintended recipients, leading to potential security breaches.

Below, you will see a graph that explains how business professionals usually share data with team members, business partners, or clients. Don’t be surprised if these findings make you go: “hang on, how do members of my organization share business files?”

Discovery #8

42% of respondents reuse passwords for home and work accounts 

The above finding may be related to the fact that less than half of respondents (41%) remember their passwords. Therefore, to save time, they use the same passwords to log in to several applications and systems at the same time — completely forgetting about the risk factor.

When asked how often they change their passwords, respondents said they do so once a year (11%), once every six months (26%), and once a quarter (39%). However, we cannot be sure whether these new passwords are actually new, unique, and difficult to detect, or if they are passwords the respondents have already used before.

A worrying piece of information is that nearly 40% of respondents still keep their passwords in an open file on their computer or in a notebook. And even though many people keep their passwords in browser-based (27%) and third-party (28%) password managers, the fact remains that statistically almost two-fifths of users store their passwords in a place that is not safe.

What does it all mean?

It means that the data security habits of many business professionals leave much to be desired. Although a significant part of employees probably use encryption, password managers, or encrypted cloud storage platforms to protect company data, many of them risk the security of their organization by sometimes acting in an irresponsible way.

So, if you want to take matters into your own hands and do something to increase the level of cybersecurity of your company right now, you can get a tool that will help turn some of your employees’ bad data security habits into good ones.

That tool can be NordLocker, an encrypted cloud storage platform that will allow you and your team members to safely store, manage and exchange sensitive company data. Thanks to features such as end-to-end encryption, multi-factor authentication, and an admin control panel, using the platform is tantamount to introducing high cybersecurity standards in the company.

It also involves putting in place a safety policy that your employees won’t be able to ignore and, at the same time, one that won’t make them feel less comfortable working. This is because NordLocker, with its drag-and-drop, intuitive interface, is very easy to use and proves that maintaining a security-first company culture does not have to be difficult and time-consuming.

If you want to check for yourself if what we say is true, you can go to our website and get a 14-day free trial. And who knows, maybe this will be your first step towards improving your company’s cybersecurity. There’s only one way to find out.

Important note: If you suspect that your employees have bad password use habits — similar to those described in the results of our survey — or you just want them to store, manage and share passwords, passkeys, and payment information with others in a secure way, you can use NordPass, our fully encrypted password manager. Visit our main page for this product to learn more about it and also get a 14-day free trial to try it out with your team. 

Methodology

Data presented in this article was collected from a survey on June 8-13, 2023 by researchers from Nord Security.

The survey examined the cybersecurity habits of 500 business professionals from small to medium-sized companies (up to 100 employees) in the finance, accounting, law, tax consulting, and marketing sectors.

This size and sector range was selected to represent businesses that often face unique cybersecurity challenges compared to their larger counterparts.


All data were collected anonymously to encourage honesty and openness from participants about their cybersecurity habits. To ensure impartiality and diversity, an independent third-party panel of respondents was used.

These days, cybercrime is rampant. It’s no longer a matter of “if” you’re going to suffer an attack but “when” it will happen. All companies want to be ready for any crisis. And this is where a business continuity plan comes into play.

But what is a business continuity plan exactly? Why is it important? What should one include? Today, we’re exploring all these questions in-depth.

What is a business continuity plan?

A business continuity plan (BCP) is a document that sets guidelines for how an organization will continue its operations in the event of a disruption, whether it’s a fire, flood, other natural disaster or a cybersecurity incident. A BCP aims to help organizations resume operations without significant downtime.

Unfortunately, according to a 2020 Mercer survey, 51% of businesses across the globe don’t have a business continuity plan in place.

What’s the difference between business continuity and disaster recovery plans?

We often confuse the terms business continuity plan and disaster recovery plan. The two overlap and often work together, but the disaster recovery plan focuses on containing, examining, and restoring operations after a cyber incident. On the other hand, BCP is a broader concept that considers the whole organization. A business continuity plan helps organizations stay prepared for dealing with a potential crisis and usually encompasses a disaster recovery plan.

Importance of business continuity planning

The number of news headlines announcing data breaches has numbed us to the fact that cybercrime is very real and frequent and poses an existential risk to companies of all sizes and industries.

Consider that in 2021, approximately 37% of global organizations fell victim to a ransomware attack. Then consider that business interruption and restoration costs account for 50% of cyberattack-related losses. Finally, take into account that most cyberattacks are financially motivated and the global cost of cybercrime topped $6 trillion last year. The picture is quite clear — cybercrime is a lucrative venture for bad actors and potentially disastrous for those on the receiving end.

To thrive in these unpredictable times, organizations go beyond conventional security measures. Many companies develop a business continuity plan parallel to secure infrastructure and consider the plan a critical part of the security ecosystem. The purpose of a business continuity plan is to significantly reduce the downtime in an emergency and, in turn, reduce the potential reputational damage and — of course — revenue losses.

Business continuity plan template

Business Continuity Plan Example

[Company Name]

[Date]

I. Introduction

  • Purpose of the Plan

  • Scope of the Plan

  • Budget

  • Timeline

The initial stage of developing a business continuity plan starts with a statement of the plan’s purpose, which explains the main objective of the plan, such as ensuring the organization’s ability to continue its operations during and after a disruptive event.

The Scope of the Plan outlines the areas or functions that the plan will cover, including business processes, personnel, equipment, and technology.

The Budget specifies the estimated financial resources required to implement and maintain the BCP. It includes costs related to technology, personnel, equipment, training, and other necessary expenses.

The Timeline provides a detailed schedule for developing, implementing, testing, and updating the BCP.

II. Risk Assessment

  • Identification of Risks

  • Prioritization of Risks

  • Mitigation Strategies

The Risk Assessment section of a Business Continuity Plan (BCP) is an essential part of the plan that identifies potential risks that could disrupt an organization’s critical functions.

The Identification of Risks involves identifying potential threats to the organization, such as cybersecurity breaches, supply chain disruptions, power outages, and other potential risks. This step is critical to understand the risks and their potential impact on the organization.

Once the risks have been identified, the Prioritization of Risks follows, which helps determine which risks require the most attention and resources.

The final step in the Risk Assessment section is developing Mitigation Strategies to minimize the impact of identified risks. Mitigation strategies may include preventative measures, such as system redundancies, data backups, cybersecurity measures, as well as response and recovery measures, such as emergency protocols and employee training.

III. Emergency Response

  • Emergency Response Team

  • Communication Plan

  • Emergency Procedures

This section of the plan focuses on immediate actions that should be taken to ensure the safety and well-being of employees and minimize the impact of the event on the organization’s operations.

The Emergency Response Team is responsible for managing the response to an emergency or disaster situation. This team should be composed of individuals who are trained in emergency response procedures and can act quickly and decisively during an emergency. The team should also include a designated leader who is responsible for coordinating the emergency response efforts.

The Communication Plan outlines how information will be disseminated during an emergency situation. It includes contact information for employees, stakeholders, and emergency response personnel, as well as protocols for communicating with these individuals.

The Emergency Procedures detail the steps that should be taken during an emergency or disaster situation. The emergency procedures should be developed based on the potential risks identified in the Risk Assessment section and should be tested regularly to ensure that they are effective.

IV. Business Impact Analysis

The Business Impact Analysis (BIA) section of a Business Continuity Plan (BCP) is a critical step in identifying the potential impact of a disruption to an organization’s critical operations.

The Business Impact Analysis is typically conducted by a team of individuals who understand the organization’s critical functions and can assess the potential impact of a disruption to those functions. The team may include representatives from various departments, including finance, operations, IT, and human resources.

V. Recovery and Restoration

  • Procedures for recovery and restoration of critical processes

  • Prioritization of recovery efforts

  • Establishment of recovery time objectives

The Recovery and Restoration section of a Business Continuity Plan (BCP) outlines the procedures for recovering and restoring critical processes and functions following a disruption.

The Procedures for recovery and restoration of critical processes describe the steps required to restore critical processes and functions following a disruption. This may include steps such as relocating to alternate facilities, restoring data and systems, and re-establishing key business relationships.

The Prioritization section of the plan identifies the order in which critical processes will be restored, based on their importance to the organization’s operations and overall mission.

Recovery time objectives (RTOs) define the maximum amount of time that critical processes and functions can be unavailable following a disruption. Establishing RTOs ensures that recovery efforts are focused on restoring critical functions within a specific timeframe.

VI. Plan Activation

  • Plan Activation Procedures

The Plan Activation section is critical in ensuring that an organization can quickly and effectively activate the plan and respond to a potential emergency.

The Plan Activation Procedures describe the steps required to activate the BCP in response to a disruption. The procedures should be clear and concise, with specific instructions for each step to ensure a prompt and effective response.

VII. Testing and Maintenance

  • Testing Procedures

  • Maintenance Procedures

  • Review and Update Procedures

This section of the plan is critical to ensure that an organization can effectively respond to disruptions and quickly resume its essential functions.

Testing procedures may include scenarios such as natural disasters, cyber-attacks, and other potential risks. The testing procedures should include clear objectives, testing scenarios, roles and responsibilities, and evaluation criteria to assess the effectiveness of the plan.

The Maintenance Procedures detail the steps necessary to keep the BCP up-to-date and relevant.

The Review and Update Procedures describe how the BCP will be reviewed and updated regularly to ensure its continued effectiveness. This may involve conducting a review of the plan on a regular basis or after significant changes to the organization’s operations or threats.

What should a business continuity plan checklist include?

Organizations looking to develop a BCP have more than a few things to think through and consider. Variables such as the size of the organization, its IT infrastructure, personnel, and resources all play a significant role in developing a continuity plan. Remember, each crisis is different, and each organization will have a view on handling it according to all the variables in play. However, all business continuity plans will include a few elements in one way or another.

  • Clearly defined areas of responsibility

    A BCP should define specific roles and responsibilities for cases of emergency. Detail who is responsible for what tasks and clarify what course of action a person in a specific position should take. Clearly defined roles and responsibilities in an emergency event allow you to act quickly and decisively and minimize potential damage.

  • Crisis communication plan

    In an emergency, communication is vital. It is the determining factor when it comes to crisis handling. For communication to be effective, it is critical to establish clear communication pipelines. Furthermore, alternative communication channels should not be overlooked and should be outlined in the business continuity plan.

  • Recovery teams

    A recovery team is a collective of different professionals who ensure that business operations are restored as soon as possible after the organization confronts a crisis.

  • Alternative site of operations

    Today, when we think of an incident in a business environment, we usually think of something related to cybersecurity. However, as discussed earlier, a BCP covers many possible disasters. In a natural disaster, determine potential alternate sites where the company could continue to operate.

  • Backup power and data backups

    Whether a cyber event or a real-life physical event, ensuring that you have access to power is crucial if you wish to continue operations. In a BCP, you can often come across lists of alternative power sources such as generators, where such tools are located, and who should oversee them. The same applies to data. Regularly scheduled data backups can significantly reduce potential losses incurred by a crisis event.

  • Recovery guidelines

    If a crisis is significant, a comprehensive business continuity plan usually includes detailed guidelines on how the recovery process will be carried out.

Business continuity planning steps

Here are some general guidelines that an organization looking to develop a BCP should consider:

Analysis

A business continuity plan should include an in-depth analysis of everything that could negatively affect the overall organizational infrastructure and operations. Assessing different levels of risk should also be a part of the analysis phase.

Design and development

Once you have a clear overview of potential risks your company could face, start developing a plan. Create a draft and reassess it to see if it takes into account even the smallest of details.

Implementation

Implement the BCP within the organization by providing training sessions for the staff to get familiar with the plan. Getting everyone on the same page regarding crisis management is critical.

Testing

Rigorously test the plan. Play out a variety of scenarios in training sessions to learn the overall effectiveness of the continuity plan. By doing so, everyone on the team will be closely familiar with the business continuity plan’s guidelines.

Maintenance and updating

Because the threat landscape constantly changes and evolves, you should regularly reassess your BCP and take steps to update it. By making your continuity plan in tune with the times, you will be able to stay a step ahead of a crisis.

Level up your company’s security with NordPass Business

A comprehensive business continuity plan is vital for the entire organization’s security posture. However, in a perfect world, you wouldn’t have to use it. This is where NordPass Business can help.

Remember, weak, reused, or compromised passwords are often cited as one of the top contributing factors in data breaches. It’s not surprising, considering that an average user has around 100 passwords. Password fatigue is real and significantly affects how people treat their credentials. NordPass Business counters these issues.

With NordPass Business, your team will have a single secure place to store all work-related passwords, credit cards, and other sensitive information. Accessing all the data stored in NordPass is quick and easy, which allows your employees not to be distracted by the task of finding the correct passwords for the correct account.

In cyber incidents, NordPass Business ensures that company credentials remain secure at all times. Everything stored in the NordPass vault is secured with advanced encryption algorithms, which would take hundreds of years to brute force.

If you are interested in learning more about NordPass Business and how it can fortify corporate security, do not hesitate to book a demo with our representative.

 

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

How the next ransomware attack will hurt you: The numbers are in

75% of organizations have been victims of at least one successful ransomware attack in the past year, disrupting them operationally and financially.  

These attacks have become a constant battle between ever more sophisticated attackers and the IT and cybersecurity professionals tasked with keeping them at bay. 

In fact, a new survey (co-sponsored by Keepit) tells us that 65% of those IT and cybersecurity professionals name ransomware among the top 3 threats to their organization’s viability, and 13% of those even name it the biggest threat. 

If you are responsible for protecting your organization’s data, are you prepared for the next ransomware attack? If you are concerned about gaps in your strategy, you’re not alone. Many feel their organizations do not have the proper preparation in place to handle the increase in frequency and impact of attacks. So read on, learn where attacks are being targeted, and how to increase your level of preparedness. 

The statistics are fresh and based on a new Enterprise Strategy Group survey of 600 European and North American IT and cybersecurity professionals personally involved with protecting against and recovering from ransomware attacks. 

Get all the latest numbers on ransomware attacks in the full report. Download it for free.

What ransomware attackers go after

We have reliable data both on which parts of your IT environment are at risk, and which data classes the attackers are most likely to go after. So, let’s take them each in turn.

The parts of your IT environment most at risk

Attackers can enter your network at many different points, placing a significant burden on IT departments. But with this data, you will have a better idea of where to strengthen your defenses.  

 
The element most affected by ransomware attacks – indicated by 38% of survey respondents whose organization experienced a successful ransomware attack – is their key IT infrastructure. Anyone who controls even a small part of your IT infrastructure has tremendous power over you. They no longer even need to kidnap your files. For example, if they can disrupt, or gain control over, your Active Directory, they can shut your operations down for all practical purposes. 

For obvious reasons, your storage systems are also an attractive destination for attackers. Whether on-prem or in the cloud, there is a lot of gold in your data assets.  

But the survey respondents tell us that there are also plenty of other targets under assault in their IT environments. These include networks and connectivity, cloud-based data, IoT operations infrastructure, and last but not least data protection infrastructure.

   

The last one deserves a special mention. Ransomware attacks are increasingly targeting backup copies of data, something that 74% of survey respondents were concerned about.

This is why at Keepit we have gone to great lengths to create backup solutions that eliminate this very risk to the data protection infrastructure by insulating your backup in our independent cloud. With our true third-party protection, your data is stored in separate, isolated, immutable storage that is physically and logically separated from the rest of your IT environment. So the risk of attackers being able to reach your backups is greatly reduced.  

While the industry is slowly realizing the importance of such “air-gapped” and immutable solutions, this is not common practice within the backup solutions industry just yet. 

The data classes most at risk

The data class most targeted by the attackers (cited by 58% of the respondents whose organization had experienced a successful ransomware attack) is the one that you are required by law to protect: regulated data. This hurts in any way you can imagine, both for you and those that entrust you with their data.

 
But a close second is sensitive infrastructure configuration data. Affecting the infrastructure at its core is a very effective approach for attackers because it makes it easier for them to steal or damage data and to evade detection.

In essence, this is how many attackers first gain entry. Once inside, they “climb the ladder” to compromise an account with admin privileges. And then, they can start breaking things such as configuration settings and access rules, and start stealing.  

We recently saw a brazen example of just such an attack. In this case, attackers caused major disruptions and financial losses by compromising both on-prem and cloud-based systems. The attacker: 

  1. Entered the target network by compromising an on-premises account 
  2. Leveraged that account to compromise the on-prem Active Directory 
  3. Used that access to pivot to and compromise Azure AD 

 
All of the target’s Azure storage and compute resources were deleted. If you don’t have a backup of your Azure AD data, building your settings and access control up from the ground again will be difficult and time-consuming, leaving you vulnerable to further attacks in the interim. 

Other data classes the survey respondents indicated are usually targeted are intellectual property data and mission-critical data. Any attack on mission-critical data is frustrating and costly as companies struggle to restore data and operations. But temporary or permanent loss of sensitive intellectual property information is not only hurtful in the short-term until operations are resumed, but can be enormously damaging in the long-term. 

All four of these data types are highly desired by the attackers. You can see exactly how much, and a lot more, in the report itself.

As you can see, your IT infrastructure has a major bullseye on its back that bad actors constantly try to hit. Unfortunately, sometimes they will succeed. So, you had better have the right plan in place to deal with the consequences when it happens. 

How the ransomware attacks hurt

 

When asked in the survey how all those successful ransomware attacks have impacted the respondents’ businesses, the two standout examples were data loss and data exposure.


But the list of painful effects is long. Some worth mentioning are operational disruptions, direct impact on employees, customers and partners (such as access to personally identifiable information), and financial, compliance and reputational damage.

If you want to know in more detail what pains to expect and prepare for, I recommend that you look through the official report.

Storytime: Scary ransomware stories from the real world

 

Now that you know what the attackers are after, where they hit you and what the main effects will be, let’s get a bit more tangible and look at some recent examples of successful attacks. 

Ransomware attackers sure are creative, so you need to be able to anticipate their moves. And for that, it is useful to follow the related news and learn what has worked (for the attackers) in the past.

 

Here is some recommended reading to bring yourself up to date:

  • An attack on one of Toyota’s key suppliers disrupted their production. During the shutdown, Toyota lost a third of its global output and suffered a significant financial loss. Read the story here.
  • Third-party, unauthorized access was made at Bridgestone Americas, prompting a shutdown of the computer network and production at its factories in North and Middle for about one week. Read the story here.
  • A ransomware attack hit agricultural equipment manufacturer AGCO, causing it to shut down manufacturing facilities. It took 17 days to return to full operation. Read the story here.

What to make of all this

Attacks will happen, and some of them will succeed—you can’t stop them all. But with the right preparation, you can take a lot of the power out of the attackers’ hands by being able to immediately restore the data you’ve lost and clean up after the attack. So it’s all about resilience and management.  

 
Arm yourself with the right insight. The above information is a great start – you now know which data classes and elements of your IT environment to prioritize — but it only scratches the surface. Download the full report to get the full picture.

Prevention will only take you so far, so move beyond a simple defensive strategy. How much downtime and data loss can your business really afford? Ensure you can handle the disruption and keep your business operational through the storm. To help mitigate the operational disruptions and avoid the data loss that is so common-place today, you need to invest in a solid plan to protect your business-critical data. 

Now is the time to secure your data and improve your resilience levels – before the next ransomware attack hits you.


About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Drawing on 20+ years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

Mitigating risk – data loss prevention helps prevent security disasters

Organizations have increasingly become targets of hacking that results in massive data breaches, calling attention both to the increasing importance of proper cybersecurity software and to an overall change in security strategy.

According to a recent report, the average cost of a data breach globally in 2022 reached a sum of $4.35 million, up from the previous year. In the United States alone, the average cost is as high as $9.44 million – a staggering number, with businesses increasing prices to accommodate for the resulting costs.

While mitigating cyber threats is challenging, having a sound security strategy to tackle threats is key. Among some of the strategies employed is data loss prevention (DLP), which should be a part of any company’s data protection repertoire.

What is data loss prevention, and how does it work?

DLP is designed to prevent accidental or intentional losses of data. The idea basically is to protect confidential data and information to prevent fraudulent access, both within a company and outside it.

DLP helps data protection by classifying data into various categories, identifying security violations, and automating certain processes, so that data management becomes easier to handle. Flagging data into categories based on confidentiality or access level is just one way DLP helps, as access management is important in mitigating potential loss in the form of unwanted leaks, for example.

DLP can be run in-house by an internal IT team, or it can be outsourced, depending on where the priorities of a business lie. With the sheer number of endpoint devices a company usually manages, it makes sense to use outside help to properly secure data on all of them, while letting the company’s IT team tackle other matters. However, just like any business, DLP companies can also be the targets of attacks.

The various types of DLP

DLP solutions are adaptable, so they can be easily configured to suit any company’s needs. Depending on this, a company can pick from different DLP types, as each one has its own strengths and weaknesses.

For example, endpoint DLP focuses on securing data on all company endpoints. It involves the implementation of user monitoring and other security policies to prevent data loss, allowing for visibility into data usage on devices.

However, since data is not stored on or moved through endpoint devices alone, there is also network DLP, which takes care of monitoring data in use across an organization’s network. It can identify and prevent unauthorized movement of data by tracking how various forms of data move on the network, such as who accessed what and when, which is very useful when looking for anomalous behavior.

Also worth mentioning is a different subsection of network DLP. As organizations increasingly move to adopt cloud services, protecting the data stored on them is important. Hence, cloud DLP helps protect data stored by businesses in cloud repositories. Sometimes a business grants partners access to its cloud storage, for example, in which case cloud DLP is very useful to ward off potential data security failures.

These three types of DLP solutions can also work together to provide comprehensive protection across the different states of data: at rest, in motion, and in use. Implementing all three types can help organizations prevent data loss and maintain a proper data security posture.

Compliance – the added benefit of DLP

A company should have DLP for several reasons, including compliance with regulations, as many industries are subject to strict data protection and privacy regulations, such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS) among others.

Specifically, since GDPR involves stringent measures on respecting user privacy and data, DLP gives the right amount of protection to shield companies from potential issues stemming from data breaches, for example.

ESET and Data Loss Prevention

ESET, as part of its technology alliance, has a trusted partner in Safetica, offering data loss prevention services with Safetica ONE and Safetica NXT, to prevent data leakage, guide staff on data protection, and to stay compliant with regulations.

While ESET protects you by offering award-winning endpoint security and detection and response solutions through the ESET PROTECT Platform, Safetica’s products add another layer of protection, protecting data both inside and outside a company, being tough on insider threats and data loss in an era of hybrid work, during which endpoints and data can move all around the world.

To sum it up, having a well-functioning DLP toolset can help any organization in exercising proper data control. It is an enormously important component of any comprehensive data security strategy in today’s world of ever-evolving threats.

 


About ESET  
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
