Executives looking to hire a remote virtual assistant should ask challenging security questions.
Take this warning, for example.
"A CEO's executive assistant is statistically more likely to be a very attacked person than the CEO," said Ryan Kalember, cybersecurity VP at email security vendor Proofpoint. "Anyone who can move money is a likely target."
Does your assistant have—or do you plan to provide—access to your credit cards, bank accounts, and payroll?
Home Offices and Devices Targeted
Cybercrime has surged since the work-from-home exodus in 2020, and home offices often lack enterprise-grade network security. With many virtual assistant service providers, the virtual assistants operate from home offices on their personal computers, giving leaders even less control over potential attacks.
"For small businesses, 2020 was especially brutal," said IT security consultant and author Joel Snyder. "Just as work-from-home (WFH) arrangements and transitions to the cloud became the top priority. We can expect cybercriminals to adjust their tactics to take advantage of these changes in the profile of their small business targets."
And indeed, they did just that. A late-2021 survey by Forrester Research and Tenable found that 80% of business leaders reported their organizations have greater risk exposure today due to remote work.
It is essential to keep in mind what remote workers have access to:
- More than 50% of remote workers access customer data using personal devices.
- And 71% of IT security leaders lack visibility into remote employee home networks.
"This gap is well understood by bad actors, as reflected in the fact that 67% of business-impacting cyberattacks targeted remote employees," the study found.
Small businesses are an increasing target. In 2019, 43% of attacks targeted small businesses; that share rose to 66% in 2022. However, only 45% of SMBs consider themselves prepared for a malicious breach.
Here is Snyder's list of the top five threats to SMBs and how they are ramping up:
- Credential theft. "Stealing passwords through malware, impostor websites, keyloggers, and other tools has been popular for a while. But 2020 turned up the heat."
- Phishing, vishing, smishing. "Cybercriminals will try anything to convince someone to open their message or click on their link."
- Ransomware. "The protections that large businesses have put in place have shifted the focus to small businesses. With today's WFH focus, attacks are now targeting users far from the corporate network."
- Personal devices accessing corporate systems. "The bad news is that in 2020, users began mixing personal and business computing on the same devices more than ever, and that's a recipe for a security disaster."
- Cloud computing. "Not unique to 2020, but certainly increasing year after year, is the discovery that hackers are going after the management tools for your SaaS applications directly."
Unmanaged Risk and Unrelenting Cyberattacks
"Remote and hybrid work strategies are here to stay and so will the risks they introduce unless organizations get a handle on what their new attack surface looks like," said Amit Yoran, CEO, Tenable.
"This study reveals two paths forward — one riddled with unmanaged risk and unrelenting cyberattacks and another that securely accelerates business productivity and operations."
The increase in work-from-home attacks, along with the possibility that virtual executive assistants have access to sensitive data and accounts, makes the risk of targeting a virtual assistant very real.
How to Prevent Cyberattacks on Virtual Assistants
The risk of an attack on a virtual assistant is greater if they are freelancers without IT support or independent contractors placed through an agency without IT support.
Here are some best practices you should look for when hiring a virtual assistant who will have the keys to your IT kingdom:
- Perform background checks: If an assistant or firm does not agree to a background check, look elsewhere. For instance, in Canada, a CPIC check is commonly used to verify an individual's criminal record.
- Confidentiality and Non-Disclosure Agreements (NDAs): Data breaches are not the only risk associated with off-site workers. They could also share sensitive sales, product, and customer information.
- Facilities: Some virtual assistant firms (including Prialto) hire and manage their virtual assistants in secure facilities equipped with biometric access control, security guards, cameras, and encrypted virtual private network connections.
- Devices: Employees should not access your systems on personal devices unless authorized. If a firm provides corporate computers, ensure they have up-to-date malware protection (which is what DNS filtering is mostly used for).
- Password encryption: Never give your virtual assistant credentials to corporate accounts. Instead, provide access via a password manager like LastPass.
Ransomware on the Rise
Ransomware—where hackers disable or compromise your servers and networks and demand cash to leave you alone—was a top cyber-attack in 2020 and 2021, accounting for 68% of attacks.
Ransomware attacks increased by 151% in 2021. The cost of a ransomware attack ranges from $25,000 for small businesses to $9 million for large enterprises.
Protection against ransomware is even more critical when considering the systems a virtual assistant typically has access to. The risk extends beyond your financial information to include customer data.
Common tools and systems that virtual assistants have access to include:
- Email servers (94% of attacks happen via email).
- Bookkeeping software and payment systems.
- CRMs with sensitive customer and sales data.
- Calendars and travel with information about your whereabouts.
You also need to worry about device security, especially if your remote or freelance workers use portable devices such as phones, tablets, and laptops. In the context of virtual assistant security, an alternative phone number typically serves several key roles in authentication, recovery, and identity verification.
- 40% of data breaches are through lost or stolen devices.
- Of the 70 million devices stolen each year, only 7% are found.
Bad actors can access your network using stolen devices. Can you disable or revoke contractors' or freelancers' access?
Managed Virtual Assistant Service Security
Concerned about the security of a current or future virtual assistant? Consider choosing a managed virtual assistant service instead of a freelancer or independent contractor. A managed virtual assistant service provider hires, trains, and supervises virtual assistants in secure facilities and on company-issued computers.
As the employer of the assistants, the service provider is responsible for security, providing:
Physical security
- Secure office buildings
- Security key cards
- Security guards and alarms
- Video monitoring
Electronic security
- Secure servers
- Encrypted passwords
- Secure devices
- IP protection
- Desktop monitoring
- Remote device control to disable lost or stolen devices
Human security
- Background checks
- Confidentiality and NDA agreements
- Documented security policies
Managers and backup assistants offer an extra layer of security. Managed virtual assistant services train backup assistants so that, if your primary assistant is unavailable for any reason, a fully trained backup is available.
Managed virtual assistant service providers have the most robust data security infrastructure, incorporating physical, electronic, and human safeguards to provide comprehensive protection for client data.
Because the virtual assistants are employees of the service provider, the provider is responsible for supporting bulletproof security with processes developed in conjunction with industry experts and continuously updated.
Read how Prialto handles our data security and confidentiality with our managed virtual assistant service.
For an extra layer of security, look for a SOC-2 Type 2 compliant organization, like Prialto.
Virtual Assistant Security FAQs
How do I ensure data security when working with a virtual assistant?
The best way to ensure ongoing security when working with onshore or offshore virtual assistants is to use a managed service. They'll ensure access controls are in place, security training is maintained, and devices are updated. The managed service will also serve as the first and last line of defence for your data.
Can virtual assistants handle sensitive information?
Yes, virtual assistants often handle sensitive financial and personal information when the right controls are in place. If you're going to share sensitive information, it's important to work with organizations that use NDAs, enforce data-handling policies, use a secure tech stack, and employ secure password managers. If you're working directly with a virtual assistant (not through a service), it's important to build an infrastructure that protects your data.
How can I safely share account data with a virtual assistant?
At Prialto, we use LastPass, a secure password manager, and tiered access rules. Assistants can sign in to your accounts on approved Prialto devices as long as access is shared, but they can't see your login information. In many cases, we also limit their access with role-based permissions and selective sharing, and require multi-factor authentication.