Implement a model cybersecurity program. This also includes regular cyber training and security awareness updates, which will not only help employees adopt best practices in their day-to-day activities such as good password hygiene and management, privacy settings, end-user verification, and more, but will also help them learn how to identify dangerous and potentially costly scams. For example, some of the most nefarious threat attacks cleverly leverage social media to attack a firm via phishing. A routine cyber test in this regard could help identify employees that need additional training.

Adopt a “zero trust” strategy. This strategy follows a “never trust, always verify” approach. Organizations can no longer just rely on network firewalls and VPNs to isolate and restrict access in a workforce that operates beyond traditional network boundaries, especially when using cloud-based services.

Deploy multifactor authentication (MFA). MFA can help weed out threats by requiring an additional layer of end-user verification across various employee activities, including remote and administrative access.

Prioritize vulnerability management: Traditional patch management cycles are creating too large of a window for potential threats. Modern, risk-based vulnerability management tools include prioritizing vulnerabilities on reducing the biggest risks to your business to address any new or known exploited vulnerabilities via the CISA.

Protect personally identifiable information (PII). Use a secure file transfer system to encrypt PII such as Social Security numbers, bank account number, or email address combined with the password or security question and answer and only allows the authorized recipient to access it.

Know where your data is. Your data may be “in the cloud,” but the importance of knowing exactly where your data is stored and where it travels to cannot be overstated. It’s critical to “gate” data from leaking outside of a corporate infrastructure, whether this be cloud or physical service based.

Approach cybersecurity risk management with layers. There is a misconception that deploying one technology stack or set of tools puts firms in a better cybersecurity posture. The best defensive strategy leverages technologies and services that augment and complement a cybersecurity program designed to protect a firm’s data within the new hybrid workforce.

Use a complex password in conjunction with a user verification policy. Include both upper and lowercase letters, numerals, special characters, and make sure the password is at least 10 to 11 characters long. Most importantly, understand that the strongest passwords can still be compromised, and leveraging two-factor or multi-factor authentication will further protect an organization’s distributed workforce.

Never connect to public Wi-Fi on work devices. There is no scenario in which you should connect any devices — work or personal — to a public Wi-Fi network. If you have to get work done in a public space, use a VPN to create a secure connection to a trusted network, which will shield your browsing activity from prying eyes and potential threats.

Lock computers and devices. Lock the screens on any work computers and other devices when away from your desk or when not in use to prevent unauthorized access.

Apply privacy settings on personal social media accounts. When it comes to Facebook, Twitter, etc., make sure your contacts can only see limited personal information. This will reduce the effectiveness of spear-phishing attacks.

Do not leverage corporate/business computers for personal use. Employees can inadvertently cause a breach when using a company computer for personal needs. Whether it be for streaming videos, doing the kids’ homework, or just surfing the web, understand your responsibilities to the company when leveraging company issued equipment.

Do not store personal files on work-issued equipment. Every security expert will agree that storing your personal files risks opening the threat vector for the employer. Often, personal files have not been scanned for malicious content and may compromise data security and/or introduce new threats into the environment.

Report all lost or stolen devices, or if you suspect a cybersecurity issue. Communication is the first priority when dealing with a possible cybersecurity event. The quicker your employer can react to a cybersecurity incident, the better their chances of minimizing any potential damage. You can be part of helping to secure your firm from a larger threat event.