To date over 265 million people in the U.S. have been ordered to stay home as part of the nation’s coronavirus shutdown. Remote work is the new normal, and it’s creating new and unexpected security risks for many companies. More than one-third of senior technology executives surveyed by CNBC say that cybersecurity risks have increased as a majority of their employees work from home. 

As daily work moves from trusted office spaces to our couches, employees can inadvertently expose sensitive company data through insecure WiFi networks or poor password hygiene. And there’s no shortage of opportunists using coronavirus for their phishing scams, hoping the unwary will click through and hand over credentials or other valuable info. The FBI recently warned of an uptick in fraud tied to the coronavirus, particularly by scammers posing as official health agencies.

We’ve rounded up four risks your company should be aware of—and what you can do to guard against them.

1. Unsecured WiFi

While not many people are working out of coffee shops or other public spaces these days, remote workers need to be cognizant of the WiFi networks they connect to. Malicious actors can connect to open WiFi networks, spy on traffic that passes through them, and access confidential information from devices on the network. 

And while home networks tend to be more secure, not everyone protects theirs with a password—or at least a strong one. In these scenarios, hackers can connect to unsecured home networks and steal everything they find once they’re there.

Traditionally, users could solve this problem by connecting to virtual private networks (VPN), which encrypt traffic between computers and far-away networks (e.g., the office network). In fact, one recent study found that VPN usage has increased 165 percent between March 11 and March 23.

However, a VPN can’t make a computer itself secure; it can only make the connection between a computer and a network secure. So, if a hacker is able to get into an employee’s computer, they may be able to ride the VPN connection directly inside your organization’s network.

You can overcome this issue by making sure all software, including your VPN software, is up to date, ensuring your employees are using strong passwords for both their VPN accounts and their home networks, and enabling two-factor authentication (2FA) or multi-factor authentication (MFA) if possible (more on that later).

2. Weak and shared passwords

One of the main reasons data breaches occur is that hackers get access to account credentials. This happens for a number of reasons: People use the same password for every account, they create weak passwords to begin with, they inadvertently hand over their credentials by responding to a phishing or spoofing request, or they don’t update their passwords as regularly as they should. Believe it or not, 61% of people refuse to change their passwords simply because they think they will forget them.

When transitioning to remote work, you need to keep good password hygiene, the practice of creating and protecting very strong passwords, top of mind. Bad actors frequently employ tactics like password spraying, a brute force attack where they try the same commonly-used password across many usernames. You don’t want to be the weak link. 

Rather than relying on remote workers to create and maintain strong passwords, we suggest using a password manager like Rippling’s RPass, LastPass, or 1Password to automatically generate, store, and fill strong passwords to increase security. Employees won’t have to remember their credentials to access their accounts.

Another important security consideration is how remote employees will access shared company accounts (like your corporate Twitter profile). Are employees sending log-in credentials to each other over unsecured channels like email or Slack? It’s much safer to use a zero-knowledge password manager like RPass, which means employees can securely share login access with their colleagues without revealing the passwords themselves.
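For administrators who review login activity, the password spraying pattern described above (one source, many usernames, only a try or two per account) can be spotted in authentication logs. The following is an added example, not part of the original article or any vendor's product; the log format, the sample events, and the thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, source IP, user, result.
# IP addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
2020-04-01T09:00:02Z 203.0.113.7 alice FAIL
2020-04-01T09:00:09Z 203.0.113.7 bob FAIL
2020-04-01T09:00:15Z 203.0.113.7 carol FAIL
2020-04-01T09:00:20Z 203.0.113.7 erin OK
2020-04-01T09:00:27Z 203.0.113.7 dave FAIL
2020-04-01T09:00:33Z 203.0.113.7 frank FAIL
2020-04-01T09:00:41Z 203.0.113.7 grace FAIL
2020-04-01T09:05:00Z 198.51.100.20 heidi FAIL
2020-04-01T09:05:04Z 198.51.100.20 heidi FAIL
2020-04-01T09:05:09Z 198.51.100.20 heidi FAIL
2020-04-01T09:05:15Z 198.51.100.20 heidi FAIL
2020-04-01T09:10:00Z 192.0.2.10 alice OK
2020-04-01T09:11:30Z 192.0.2.10 bob FAIL
2020-04-01T09:11:41Z 192.0.2.10 bob OK
"""


def parse_events(text):
    """Parse 'timestamp ip user result' lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, user, result = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user.lower(), result))
    return sorted(events)


def detect_spraying(events, window=timedelta(minutes=10),
                    min_users=5, max_per_user=2):
    """Flag sources whose failures hit many accounts, a few tries each."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[3] == "FAIL"]
        start, best = 0, None
        for end in range(len(failures)):
            # Shrink the window until it spans at most `window` of time.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            counts = Counter(e[2] for e in failures[start:end + 1])
            wide = len(counts) >= min_users
            shallow = max(counts.values()) <= max_per_user
            if wide and shallow and (best is None or len(counts) > len(best["users"])):
                best = {"ip": ip, "users": sorted(counts),
                        "first": failures[start][0], "last": failures[end][0]}
        if best:
            # Logins that succeeded from the same source around the burst
            # are the accounts to reset and review first.
            best["succeeded"] = sorted({
                e[2] for e in evs
                if e[3] == "OK" and best["first"] <= e[0] <= best["last"] + window})
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_spraying(parse_events(SAMPLE_LOG)):
        print(f["ip"], "targeted", f["users"], "succeeded:", f["succeeded"])
```

The repeated failures for a single user and the ordinary mistyped login in the sample are not flagged; only the source that touches many accounts is.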

3. Lack of access controls 

In traditional office environments, admins can check to make sure legitimate logins are coming from the same IP address. Since you can’t do that when everyone is logging in from different locations, strong authentication measures like 2FA (two-factor authentication) and MFA (multi-factor authentication) become more important. In other words, employees should be using something other than just a password to access company systems.

Identity management solutions like Okta, OneLogin, and Rippling help organizations make sure only authorized individuals are accessing their systems—even in remote environments. More granularly, look for software that allows you to specify what kind of access each employee has to each of your company tools and systems. As an administrator, you need a way to monitor login activity, easily reset passwords or change access, and perform account maintenance in one place.

Rippling, for example, supports 2FA out of the box. If you use a service or app that doesn’t support 2FA but has single sign-on (SSO), you can connect it to Rippling and essentially shield that service from malicious actors.  

What’s more, employee accounts are automatically disabled when someone leaves your company.

4. Don’t forget about physical security

When employees start working from home, it’s easy to overlook the security of your physical offices that may be empty for weeks at a time. But in this case what’s out of sight should still be top-of-mind. 

Consider that a painting by Vincent Van Gogh was stolen this week after thieves simply smashed the front entrance of a Dutch museum that’s been closed since earlier this month. Ask yourself: How difficult would it be for someone to break into your office? 

If you haven’t done so already, be sure to check your campuses to ensure no valuables are left behind and any on-prem servers, sensitive documents, and other important IP are accounted for and adequately protected. If you work in a building that usually provides security, ask what their policies are during the shutdown. For instance, is security staff on site 24/7? Are they monitoring video surveillance? 

Employee laptops

When your team is working remotely, what happens when an employee’s company laptop that’s filled with customer data and confidential info gets stolen?

Every company should be using some kind of mobile device management (MDM) software to protect the crown jewels. If someone’s laptop is lost or stolen, leading MDM solutions like Rippling and Jamf will let you remotely track, lock, and wipe devices while ensuring employee hard drives are encrypted so your data stays safe. Crisis averted. 

Prevention is the best medicine 

The best time to think about your company’s digital and physical security is before an incident happens. If you’re a business owner or manager who’s new to remote working, we’re here to help.

Learn more about how Rippling can protect against these security risks so you can focus on your business.

Was your New Year’s resolution to get your business ready for California’s new privacy law? If not, you’re in good company.

Our recent survey of over 400 small and medium-sized businesses found that the vast majority aren’t prepared for CCPA — or the costly fines and lawsuits that come along with it. Only 7% say they’ve invested in compliance consultants or software.

CCPA was intended to target tech giants, but it’s become a headache for SMBs without the resources or in-house expertise to get up to code.

To give our customers one less thing to worry about, we’ve updated our product to make it easy for employers to meet new legal requirements.

The only way to automate employee privacy notices

Starting this month, companies subject to CCPA are required to send their California-based employees and contractors a notice that details the kinds of personal data they’re collecting and how it’s being used.

If you’re like most business owners, you might be thinking: Great! One more thing to do. Our survey found that less than 4% of companies have taken this step.

Luckily, Rippling is in a unique position to help our customers comply with CCPA notice requirements because most of your employee data is already in our platform. So we created a tool that makes it easy to customize and automatically send privacy updates to your workforce.  

This feature is the first of its kind — and it’s free for current customers.

Here’s how it works

1. Company admins can access the feature in Rippling by going to Company settings → Templates. At the bottom of the new page, click “Create a new CCPA notice”

2. You can fully customize this template form to reflect your organization’s data collection practices — and even add your company logo.

3. Once you’re happy with the form, select how it’s distributed to your workforce. For example, you can set Rippling to automatically send notices to new hires once they’ve completed onboarding.

You can also send notices to specific groups, like salespeople or full-time employees. 

4. You’re done! It’s that easy. 

CCPA notice templates are now live in Rippling — check it out and let us know what you think. In addition to privacy notices, Rippling has all the tools you need to securely manage employee data — and avoid costly fines and lawsuits:

With CCPA enforcement starting on July 1, it’s not too late to get compliant. Schedule a demo today or refer a friend to find out how our powerful platform can give you peace of mind.

On January 1, America’s first comprehensive privacy legislation, the California Consumer Privacy Act, became the law of the land and a de facto national standard. There’s just one problem: More than half of companies have no idea if CCPA applies to them, according to a recent survey conducted by Rippling.

We polled 408 small- and medium-sized businesses, 38% of which are based in California, to see how they’ve responded to the landmark regulation. CCPA applies to companies that have customers in California and meet certain criteria, regardless of where they’re located.

The results show that most companies are still woefully unprepared for the new obligations they have to customers and employees. Here are the top takeaways:

Over half of SMBs don’t know if CCPA applies to them

Ignorance of the law may be no excuse — but it is the norm. Despite the major legal and financial repercussions of not complying with CCPA, 52% of companies don’t know whether it applies to their businesses. Nearly 28% of businesses are confident CCPA doesn’t apply to them, while 20% say it does.

Those results are consistent with surveys conducted before CCPA took effect that found nearly half of business leaders had never heard of the law. But the continued lack of awareness is concerning, suggesting that many companies affected by the law haven’t taken necessary steps to change their data practices.

CCPA enforcement begins July 1, and penalties are steep — businesses can be fined up to $7,500 per incident, and are vulnerable to lawsuits if they fail to comply with disclosure or deletion requests.

Employees still in the dark on data collection

Companies subject to CCPA are required to send out privacy notices to their California employees and contractors informing them what personal data they’re collecting and how it’s being used. Less than 4% of businesses in our survey have taken this step.

Few have outsourced compliance – yet

While CCPA was intended to target tech giants like Facebook and Google, the compliance burden has mostly fallen on SMBs that lack the resources to invest in it. One report found that companies with fewer than 20 employees can expect to shell out $50,000 upfront to become compliant, while firms with more than 500 employees will pay an average of $2 million.

So it should come as no surprise that just 7% of companies in our survey say they’ve invested in compliance consultants or software. 80% say they have not. 

With such high stakes, many businesses would be better off biting the bullet and investing in expert help now—and avoid incurring hefty penalties later on.

Majority practice good password hygiene to avoid data breaches

Data breaches are often disastrous for SMBs, costing $200,000 on average and putting many out of business within six months of an attack. Under CCPA, they could cost considerably more. For the first time, the law makes companies liable for data breaches, including data breaches of third-party vendors with whom they’ve shared sensitive information. 

The good news is a majority of companies are already taking measures to protect their data. According to our research, 68% of companies are using password managers, more than 57% are using Single Sign-On (SSO) for access control, and nearly 47% are encrypting and redacting data. 

Given that weak and stolen credentials are linked to 80% of hacking-related breaches, improving password and access security is one of the best steps businesses can take to avoid costly CCPA penalties and lawsuits.

Are you ready for CCPA?

Ignorance isn’t bliss. If, like most businesses, you’re not sure how CCPA affects you—Rippling can help.

Schedule a demo today or refer a friend to see how Rippling can simplify HR and IT and make CCPA compliance easy for employers.

When the clock strikes midnight this New Year’s, we’ll be living in a new era of data privacy. Thanks to a California law that takes effect Jan. 1, for the first time consumers will have the right to know what personal information companies collect from them and how they use it. 

Considering how much of our personal privacy has eroded in the digital age, it’s an important step forward. But the new law, known as CCPA, has also caused uncertainty for businesses that don’t have legions of lawyers to make sure they’re compliant. One study found that only 12% of companies have achieved “adequate” compliance.

At Rippling, we want to help our customers stay on top of evolving privacy standards. Here’s what you need to know.

Does it apply to you?

The law applies to any for-profit business that collects the data of Californians and earns at least $25 million in yearly revenue, makes 50% of its revenue by selling personal information, or receives the personal information of at least 50,000 California residents. 

Small companies can easily reach the 50,000 threshold by collecting customer email addresses or using cookies on their website. Even if your company doesn’t deal directly with consumers, you may still be covered if you provide online services (like payment processing) to businesses that are subject to the law.

California employers must take action 

Employee data is exempt from most of the new requirements for one year. But all California employers are still on the hook for a few things starting in January. Employers can be sued if they don’t have reasonable security measures in place to protect the personal information of their workforce.

Employers must also notify employees and contractors what type of personal information they’re collecting and how it’s being used. Rippling customers will be able to do that automatically through our platform starting in mid-January.

You could be sued for third-party data breaches

On average, companies share sensitive information with 583 third parties. If one of them has a data breach that compromises your users’ personal information, your business is liable. 

That’s bad news — hackers know third parties are a weak link and actively target them. Vendor hacks account for over half of all U.S. data breaches including many of the biggest of 2019 (Capital One, Quest Diagnostics). These breaches cost twice as much on average and cause lasting damage to your reputation and bottom line. The best way to protect your business is to choose your vendors carefully — check out our infographic for tips.

The penalties are strict, but there’s a grace period

The law takes effect Jan. 1, but enforcement won’t begin until July 1. After that, your business can be fined $2,500 – $7,500 for each violation. For the first time, individuals also have the right to bring costly lawsuits against businesses that don’t comply with disclosure or deletion requests, or are responsible for data breaches of their personal information.

Is your business ready?

If your company does business in California, there are several steps you’ll need to take to comply with the law:

Additionally, companies that collect personal information from consumers should:

California is the first state to enact comprehensive data privacy legislation, but it won’t be the last. In fact, nearly two dozen other states have already followed suit. Whether or not you’re subject to the law on Jan. 1, CCPA will set a new standard for how businesses nationwide manage data. Don’t delay. Invest now in getting your house in order. 

Rippling now integrates with Brex, offering the first way for companies to automate their corporate card administration.

Integration Quick Look:
What is Brex:
Brex is a corporate credit card that helps ambitious companies scale
Connect Brex:
  • Automatically issue corporate cards to new employees during onboarding, and disable their card during offboarding
  • Automatically set spending limits based on employee data in Rippling (department, location, role etc.)
  • Automatically create/disable Brex user accounts
Who should use it:
Companies looking to cut time managing corporate cards and expenses.

    What is Brex?

    Brex is the corporate credit card that helps ambitious companies scale. Built on the Mastercard network, Brex accelerates entrepreneurs and their companies by offering no personal guarantees, instant online signup, higher limits, best-in-class rewards, and automated expense management.

    How Brex Integrates with Rippling:

    Brex now integrates with Rippling to bring you the first way to automatically issue corporate cards to your employees during their onboarding process. With this integration you can easily issue and manage corporate cards directly from your Rippling dashboard. Define criteria to pre-determine which new employees will be issued corporate cards and then configure their spending limits so that they are up and running with Brex on day 1. The employees’ departments and locations also will flow through from Rippling to Brex, so all their transactions will automatically be categorized correctly in their Brex account. Additionally, card policy management extends to changes in employee status in Rippling, such as transfers or title changes. For example, if an employee gets promoted, their spending limit can increase, or when they leave, their card will automatically cancel. These automations save you and your team hours in administration.

    Get the most out of Brex + Rippling:

    Here’s how you get started:

    1. Take 5 minutes to create your Brex account.
    2. Sign into your Rippling account.
    3. Go to the Rippling App Store, select Brex, and click “Connect.” You can go directly to the Brex app here.

    Today, we’re opening Rippling (and our benefits administration software) to every employee benefits broker in the country, so they can go head-to-head against digital brokers — and win.

    For the first time ever, brokers — and their clients — can work together in one integrated, modern HR and BenAdmin system that can successfully compete with the new wave of digital brokers, like Gusto and Namely.

    No more duct-taping disconnected BenAdmin systems (like EaseCentral, Employee Navigator, and Bswift) together with legacy HR systems (like ADP, Paychex, and Paylocity) to meet their clients’ needs.

    No more forcing businesses to leave their current broker for a digital broker, just so they can use modern, all-in-one HR software.

    With Rippling, you and your clients can get the best of both worlds: our modern all-in-one HR and IT software and your high-touch service.

    How Rippling is changing the game for brokers

    Many of the top 20 national firms, as well as smaller brokers across the country, are already using Rippling to:

    What makes Rippling different from other all-in-one HR Platforms and BenAdmin systems?

    Rippling takes benefits management one step further

    Your clients can get all the benefits (pun intended) of working with a powerful all-in-one HR system, while still getting the traditional broker experience throughout the year and at renewal time, including:

    Rippling can scale with your clients, from 2 to 1,000 employees

    Most BenAdmin platforms are built specifically for brokers and offer a wide range of functionality, but they often lack the sleek and modern UI that companies and their employees love. With Rippling you don’t have to compromise — we’re the first platform to offer all the feature functionality brokers need with the design to make your customers and their employees excited about the software their broker brought to the table.

    Rippling can also compete feature-to-feature with robust platforms like ADP Workforce, BambooHR, and Ease so your clients won’t have to switch systems as they grow from startup to medium-sized businesses. Rippling can fully support employees and contractors, in all 50 states and internationally — customers only need one system for a global workforce.

    Manage all your clients in a single dashboard

    Whether you have dozens of clients or hundreds, you can manage all of them in a single place.

    Rippling goes beyond HR, and helps companies streamline their IT, too

    Rippling is the world’s first way for businesses to manage their HR and IT — from their employee’s payroll and benefits, to their computers and apps — all in one, integrated system.

    In just 90 seconds, a company can set up (or disable) an employee’s payroll, health insurance, work computer, and access to third-party apps like Gmail, Microsoft Office, Slack, and Salesforce. And, when a company updates an employee’s department, for example, that update instantly cascades across all of those same systems. It’s a huge time saver for you and your clients. You’ll find that for many of your clients today, the same folks you have relationships with across HR and Finance are responsible for managing the IT admin work in their company as well.

    Introducing The Rippling Broker Program

    Our new Broker Partner Program makes it easy for you to work with us.

    No fancy certification programs, no exclusivity, no rev share partnerships. Just the idea that our mutual customers should get to choose the best technology solution for their business, and not be forced into a broker relationship they don’t want.

    If you’re interested, we’d love to talk. Simply request a demo here and a member of our Broker Partner Team will schedule a 1:1 introductory call.

    *Only for qualified Broker Partners