COVID-19: Managing Cyber Security Risks of Remote Work
As cases of the Novel Coronavirus (COVID-19) increase across the country, most companies are moving their workforce to home working to curb the spread of the virus. Teleworking, “remote working,” or simply “working from home,” is a centerpiece of those efforts to reduce the risk of contact with COVID-19, in compliance with the Movement Control Order. While remote working arrangements may be effective in slowing the community spread of COVID-19 from person to person, they present cybersecurity challenges that can differ from those of on-premises work. Here is a list of considerations and tips to help guide businesses through these challenges:
Review your current information security and other similar policies to determine whether there are any established security guidelines for remote work and remote access to company information systems. Some companies may have policies written specifically for remote working, while others may provide for contingencies in disaster recovery plans, BYOD (bring your own device) policies, and other similar plans and policies. If no relevant plans or policies are in place, this is a good time to create at least some basic guidelines to address remote access to company information systems and employees' use of personal devices for company business.
Managers should be familiar with applicable security guidelines, plans, and policies, and ensure that pertinent information is passed down to their teams and throughout the organization. The company needs to be aligned from top to bottom, because many employees do not work in security day-to-day, and some may never have worked remotely before. Providing guidance to all employees is therefore critical.
Companies should review their data breach and incident response plans to ensure that the organization is prepared to respond to a data breach or security incident. If necessary, update the plans with contact information for the remote incident response team and outside advisors, especially now under the Movement Control Order. The increased security risk of remote work reinforces the need to have a plan in place if something goes wrong.
Remote Work Cyber Security Tips
Remind employees of the types of information that they need to safeguard.
This often includes confidential business information, trade secrets, protected intellectual property, work product, customer information, employee information, and other personal information which identifies a person or household.
Sensitive information should be encrypted.
Sensitive information, such as personal information including personnel records, medical records, and financial records, that is stored on or sent to or from remote devices should be encrypted in transit and at rest, both on the device and on any removable media used by the device.
Companies should train employees on how to detect and handle phishing attacks and other forms of social engineering involving remote devices and remote access to company information systems. There is an increasing number of Coronavirus-based phishing emails going around, preying on the health concerns of the public.
Do not allow sharing of work computers and other devices.
When employees bring work devices home, those devices should not be shared with or used by anyone else in the home. This reduces the risk of unauthorized or inadvertent access to protected company information.
Virtual Private Networks (VPNs)
VPNs ensure that internet traffic is encrypted, which is especially important when connected to a public Wi-Fi network. If your company has one in place, make sure employees exclusively use the VPN when working and when accessing company information systems remotely. Ensure that VPNs are properly patched. As more companies rely on VPNs, opportunistic malicious actors are finding and exploiting vulnerabilities. US Homeland Security’s CISA has published a timely alert.
Secure company information
Company information should never be downloaded or saved to employees’ personal devices or cloud services, including employee computers, thumb drives, or personal accounts on services such as Google Drive or Dropbox.
Avoid public Wi-Fi
Consider prohibiting access to company information systems while on public Wi-Fi. With offices closed, employees may be tempted to work from their local cafes and coffee shops. Without a company VPN, this can lead to significant security risks.
“Remember password” functions should always be turned off when employees are logging into company information systems and applications from their personal devices.
Mobile Device Management (MDM)
Consider MDM solutions, as they can help manage and secure mobile devices and applications. Such solutions allow companies to remotely implement a number of security measures, including data encryption, malware scans, and wiping data on stolen devices.