Coronavirus (COVID-19): Managing Cyber Security Risks of Remote Work
With cases of Novel Coronavirus (COVID-19) emerging in almost every state, many businesses are taking swift action to curb its spread. Teleworking, “remote working,” or simply “working from home,” is at the core of those efforts. While remote work arrangements may be effective in slowing the person-to-person spread of COVID-19 in the community, they present cyber security challenges that may differ from those of on-site work. Here is a list of considerations and tips to help guide companies through these challenges.
Review the existing information security and other related policies to determine whether there are any established requirements for remote work and remote access to enterprise information systems. Many organisations may have policies tailored explicitly to remote work, while others may provide for contingencies in disaster recovery plans, BYOD (bring your own device) policies, and other related plans and regulations. If there are no relevant plans or policies in place, now is a good time to draw up at least some clear guidelines for handling remote access to company information systems and employee use of personal devices for business.
Managers should be familiar with existing security guidelines, plans, and policies and should ensure that relevant information is passed down to their teams and throughout the organization. The organisation’s alignment from top to bottom is important. Many employees do not work in security day-to-day, and some may never have worked remotely before, so providing guidance to all employees is critical.
Organizations should review their data breach and incident response plans to ensure that they are prepared to respond to a data breach or security incident. Update the plans if necessary with current contact information for the (now) remote incident response team and external advisors. The increased security risk of remote work reinforces the need to have a plan in place if something goes wrong.
Remote Work Cyber Security Tips:
- Remind employees about what kinds of information they need to protect. This includes confidential business information, trade secrets, protected intellectual property, work product, customer information, employee information, and other personal information (information that identifies a person or household).
- Sensitive information, such as certain types of personal information (e.g. personnel records, medical records, financial records), that is stored on or sent to or from remote devices should be encrypted in transit and at rest on the device and on removable media used by the device.
- Train employees on how to detect and handle phishing attacks and other types of social engineering that involve remote devices and remote access to business information systems. An increasing number of Coronavirus-themed phishing emails are going around, preying on public health concerns. For more information on this particular risk please see our report.
- Do not allow work computers and other devices to be shared. When employees bring such devices home, they should not be shared with or used by anyone else in the household. This reduces the risk of unauthorized or inadvertent access to protected company information.
- Virtual Private Networks (VPNs) help ensure that Internet traffic is encrypted, which matters especially when a device is connected to a public Wi-Fi network. If your company has a VPN in place, make sure that employees always use it when working and accessing company information systems remotely. Make sure that the VPNs are properly patched. With more companies relying on VPNs, opportunistic malicious actors are finding and exploiting vulnerabilities. US Homeland Security’s CISA has published a timely alert.
- Company information should never be downloaded or saved to employees’ personal devices or storage, including their own computers, pen-drives, or personal cloud services such as Google Drive or Dropbox accounts.
- Require security software on employee devices and ensure that it is kept up to date with all necessary patches.
- Consider prohibiting access to corporate information systems while using public Wi-Fi. With offices closed, employees may be tempted to work in their local cafés and coffee shops. Without a company VPN, this could lead to significant security risks.
- “Remember Password” functions should always be disabled when employees log on to company information systems and applications from their personal devices.
- Implement and enforce two-factor or multi-factor authentication (MFA). If you haven’t turned on MFA yet, now is the time to do it.
- Limit employee access to protected information to the minimum scope and duration needed to perform their duties.
- Consider Mobile Device Management (MDM) and Mobile Application Management (MAM). These solutions can help to manage and secure mobile devices and applications. These tools may also allow organizations to remotely implement a number of security measures, including data encryption, malware scanning, and data wiping on stolen devices.
- Keep IT resources healthy and well-staffed. When more employees than normal are working remotely, or remote work is new to an organization, IT resources may be strained and demand for IT assistance may increase.