Managing Remote Work Cybersecurity Risks
With cases of the coronavirus (COVID-19) emerging in nearly every state, many businesses are taking swift action to curb its spread. Teleworking, “remote working,” or simply “working from home,” is a centerpiece of those efforts. While remote working arrangements may be effective in slowing the community spread of COVID-19 from person to person, they present cybersecurity challenges that can be different than on-premise work. Below is a list of considerations and tips to help guide businesses through these challenges.
Review your current information security and other similar policies to determine if there are any established security guidelines for remote work and remote access to company information systems. Some organizations may have policies geared explicitly for remote work, while others may provide for contingencies in disaster recovery plans, BYOD (bring your own device) policies, and other similar plans and policies. If no relevant plans or policies are in place, this is a good time to establish at least some basic guidelines to address remote access to company information systems and use by employees of personal devices for company business.
Managers should be familiar with applicable security guidelines, plans, and policies, and ensure that pertinent information is flowed-down to their teams and throughout the organization. It is essential that the organization is aligned from top to bottom. Remember, many employees do not work in security day-to-day, and some may have never worked remotely before. Guiding all employees is critical.
Companies should review data breach and incident response plans to ensure that organizations are prepared for responding to a data breach or security incident. Update the plans if necessary for contact information for the (now) remote incident response team and outside advisors. The increased security risk of remote work reinforces the need to have a plan in place if something goes wrong.
Remote Work Cybersecurity Tips:
Remind employees of the types of information that they need to safeguard. This often includes information such as confidential business information, trade secrets, protected intellectual property, work product, customer information, employee information, and other personal information (information that identifies a person of household).
Sensitive information, such as certain types of personal information (e.g., personnel records, medical records, financial records), that is stored on or sent to or from remote devices should be encrypted in transit and at rest on the device and on removable media used by the device.
Train employees on how to detect and handle phishing attacks and other forms of social engineering involving remote devices and remote access to company information systems. There are an increasing number of Coronavirus-based phishing emails going around, preying on the health concerns of the public. For more information about this particular risk.
Do not allow the sharing of work computers and other devices. When employees bring work devices home, those devices should not be shared with or used by anyone else in the home. This reduces the risk of unauthorized or inadvertent access to protected company information.
Virtual Private Networks (VPNs) ensure that internet traffic is encrypted, especially if connected to a public Wi-Fi network. If your company has one in place, make sure employees exclusively use the VPN when working and when accessing company information systems remotely. Ensure that VPNs are properly patched. As more companies rely on VPNs, opportunistic malicious actors are finding and exploiting vulnerabilities. US Homeland Security’s CISA has published a timely alert.
Company information should never be downloaded or saved to employees’ personal devices or cloud services, including employee computers, thumb drives, or cloud services such as their personal Google Drive or Dropbox accounts.
Require security software on employee devices and ensure that all versions are up to date with all necessary patches.
Consider prohibiting access to company information systems while on public Wi-Fi. With offices closed, employees may be tempted to work from their local cafes and coffee shops. Without a company VPN, this can lead to significant security risks.
“Remember password” functions should always be turned off when employees are logging into company information systems and applications from their personal devices.
Implement and enforce two-factor or multi-factor authentication (MFA). If you haven’t turned on MFA yet, now is the time to do it.
Limit employee access to protected information to the minimum scope and duration needed to perform their duties.
Consider Mobile Device Management (MDM) and Mobile Application Management (MAM). These solutions can help manage and secure mobile devices and applications. These tools can also allow organizations to remotely implement a number of security measures, including data encryption, malware scans, and wiping data on stolen devices.
Keep IT resources healthy and well-staffed. When more employees than normal are working remotely, or remote work is new to an organization, IT resources may be strained and required IT assistance may increase.
Remember, HIPAA and other similar laws still apply during coronavirus. For a discussion of HIPAA. If the GDPR applies to your business, a number of European Union data protection authorities have issued guidance. Check the website of your functional data protection authority. Some examples: Ireland, Italy, France, United Kingdom
Stay vigilant – cybersecurity is not immune to COVID-19. If you have questions, feel free to reach out to me.