Back to Resources

Securing a Remote Workforce: Startup + SMB Edition 2025

Securing a Remote Workforce: Startup + SMB Edition 2025

Securing a Remote Workforce: Startup + SMB Edition 2025

The remote workforce has become the norm in the new generation of Startups and SMBs, and older ones are adapting by embracing the technology era. The COVID-19 pandemic accelerated this, and while we’ve seen the worst gone and people returning to the office, many companies still chose to keep or adopt the remote work model. While this model has its advantages, it brings several security considerations that we’ve seen many SMBs and Startups continue to ignore – either because they see cybersecurity as too expensive or are unaware of the threats. This blog will dive into the most pressing security issues based on what we’ve seen hackers (and ourselves) exploit in the wild, as well as easy strategies and tips to help mitigate them.

The Trend Towards Remote Work

While remote work has declined slightly since the pandemic, Upwork predicts that an estimated 32.6 million Americans will work remotely, accounting for about 22% of the workforce. While no available data is specific to Canada, we can assume a similar percentage for Canada in 2024. Startups and SMBs see the numerous benefits of remote work, one of the most significant being the ability to hire and retain top talent regardless of geographical location. This, in turn, leads to significant cost savings on physical offices (e.g. liability insurance, rent) and enables higher levels of workspace satisfaction. We are confident the remote work benefit is not going anywhere, and with the right strategies in place, businesses can effectively manage the risks associated with it.

The BYOD Delimena

With the advent of remote work, we’ve seen personal device adoption for work skyrocket – especially for smaller companies that may not have the budget to supply corporate-issued devices. This trend, known as Bring Your Own Device (BYOD), brings a number of security challenges. One of these challenges is insecure human behaviour, which can increase the risk of cyber incidents. For instance, if the employee uses their personal computer for a lot of risky personal activities (e.g. downloading malicious files accidentally, torrenting software) – they can open themselves up to getting hacked, in turn allowing the hacker to use any data on their local computer including their credentials to attempt to access/connect to your company resources. Another one of these challenges is the lack of visibility due to the diverse operating systems and software across all their devices, also known as ‘endpoints’, allowing for little visibility. Furthermore, employees are worried about companies installing software on their devices, which may be considered intrusive or restrict the functionality of their devices (which we’ve also seen as the traditional approach to security), creating a further barrier to adoption.

Remote Access Concerns

While post-Covid 19 Startups and SMBs most likely did not have some type of On-Prem or other infrastructure where remote access was required, businesses that operated heavily in their office and maintained their network equipment and infrastructure had to find ways to allow remote access to their tools and data. The problem? Wide-spread 0 days, weak password habits, and other insecure behaviour wreaked havoc on companies that did not account for security about remote access. At a foundational level, the zero trust model must be embraced, and remote access should be allowed listed to specific IP addresses (ideally a VPN as there is a single shared IP regardless of location, but if it’s not in the budget, home IPs work just as well albeit adding extra overhead). Users should not just be supplied with a password manager; the passwords should be audited regularly, and users must be informed if their credentials are compromised in a data dump or traded in the dark web. Using Managed Detection & Response (MDR) software across all endpoints can further reduce the risk as it may detect malicious remote network attacks, and the right cybersecurity partner can mitigate these threats on your behalf.

Increased Risk of Social Engineering

Let’s be honest – social engineering threats pose a much lower risk when everyone works in an office. Impersonation attacks were more challenging because if you received a call from a ‘work colleague’ or a spoofed email, you could easily verify their authenticity as they were likely nearby. However, with the increase in remote work and the rise of AI-generated content, such as deepfake videos and voices, attackers have started exploiting this and enhancing their techniques. According to CISA, 90% of all cyber attacks start with phishing or other forms of social engineering, making it a significant issue for companies with remote workers. It’s crucial to partner with a vendor that offers personalized security awareness training tailored to address the specific deficiencies of your employees and contractors instead of a one-size-fits-all solution that mandates annual training and uses ineffective phishing emails that don’t replicate current threat actor techniques. Furthermore, it’s essential to choose a vendor that regularly updates its training materials to cover new techniques like deepfakes, voice spoofing, etc. Implementing an email security firewall, or at least enabling DMARC, to reduce the number of phishing emails you and your employees receive can further protect them from social engineering attacks like phishing.

Non-Existent/Untested Incident Response (IR) Plan

What will you do if you face a ransomware attack? How about detecting if one of your employee’s endpoints was hacked? These questions are often left unanswered, or when they are, they are done via an Incident response (IR) plan that may not have been tested. Startups and SMBs cannot afford dedicated staff to monitor their network, perform cybersecurity investigations, or hire third-party experts who charge an arm and leg once you get hacked and tell you what to do. A solid Incident Response (IR) plan can not only document what to do in the event of an incident but also who to contact, who to report it to, and more. One solution to this problem is working with a third-party vendor that can monitor your network on your behalf, investigate issues, and reach out to your users proactively at any time of the day with the required steps to take (if required). A good partner can even stop ransomware attacks from spreading by isolating the affected device rapidly before it can wreak havoc across your network. This is the approach most Startups and SMBs take to hold off hiring their first full-time security lead, who would likely not possess all the skills to manage an entire cybersecurity strategy. Doing a tabletop exercise periodically to simulate incidents is also a great way to determine holes in your strategy and what changes need to be made.

Physical Security Considerations

In Toronto, it’s summertime (kind of), and the flock of remote workers are hitting up their favourite patio, restaurant, cafe, or friend’s house. This can even include being a digital nomad for more adventurous remote workers. While it’s fun, opportunistic cybercriminals prey on these devices. After all, if your employees use their own devices for work, how do you know if they use a passcode? Or if they encrypt the contents of their hard drive? This is why physical attacks are on the rise, even more so when attackers can unsuspectedly put a USB (e.g. Rubber Ducky) into a computer and perform nefarious actions such as opening a backdoor. Consider the story of the Canadian teenage hacker who hacked Rogers through social engineering and accessed a ton of corporate data (and access to their internal network). He started by finding a tablet an employee lost and extracted company data, which he leveraged to social engineer their way into their accounts. It is vital to ensure devices are encrypted so data cannot be read on them and have visibility into the status of various best practices (including the automated fixing of them). Mobile Device Management (MDM) tools like Microsoft InTune can play a crucial role, providing a centralized platform for managing and securing personal devices used for work. However, it’s important to note that MDM tools can come with a hefty price tag. Another alternative is contacting employees with basic requirements to secure their workstations (e.g. restrict physical access, encrypt the hard drive, lock screen).

Your employees are the #1 target — and businesses face constant risk from AI deepfakes, misconfigurations, and more. Start today with our unified trust, compliance, and security platform, free-for-life, and get access to:

  • Cybersecurity training – 50+ animated micro-courses
  • Unlimited employees on the free plan – no credit card required
  • Policy, risk, and vendor management -publish, distribute, and track with ease
  • Inventory manager -track, categorize and organize all your assets

Get started free today – no credit card required.

1. How can SMBs secure remote workforces effectively?

Our Workspace Defender package is the only solution on the market that can allow you to easily and effectively secure your remote workforce. We’ve created our proprietary versions across popular tool categories, focusing on the foundational and required functionality without the unnecessary extras and bundling them into a single affordable subscription. Most importantly, we’ve consolidated and mapped all the data in a dashboard, translating security jargon into plain English and allowing technical and non-technical users to take full advantage of our insights.

2. What are the best practices for managing a BYOD device’s physical security?

At the very minimum, it should involve having employees enable device encryption using native functionality (e.g., Bitlocker for Windows or FileVault for macOS devices), configuring an automatic lockout after a period of time has passed, and enabling automatic software and Operating System updates. While there are many more vital settings on top of this, for non-Active Directory-reliant Startups and SMBs, these can help protect against physical attacks.

3. Is remote working a cyber threat?

Simply put, it depends; given that every company has different needs and deployments, it’s safe to say remote working is a threat, but the amount of threat is relative to the company’s infrastructure. Mo’ Infrastructure Mo’ Problems: the more remote systems, SaaS apps, and other platforms are used, the more the attack surface increases. This is multiplied when users use their devices for work, and your organization has no visibility into them. Thankfully, WatchDog Security’s unique ability to provide easy security and complete visibility for remote workers stands out from other tool vendors who may only solve part of the puzzle. We offer the complete solution, ensuring your security needs are fully met.

4. Does my company need a VPN?

If you have an on-premises infrastructure, then yes, it is advisable to have a VPN (e.g., OpenVPN) configured with MFA access. However, a solution such as Tailscale can work perfectly for a smaller organization that just needs a secure way to access cloud apps remotely (e.g. staging environments) and does not need to connect on-prem resources to remote workers.