COVID-19 has caused the most significant shift in working conditions experienced in peacetime. Many companies have been caught on the back foot in terms of their cybersecurity for remote working. With up to 30% of workers now suddenly working from home, employers need to ensure that their employees are working securely.
The sudden change in working patterns caused by COVID-19 presents ample opportunity for cybercriminals to strike. Inexperienced employees are now working from home on potentially unsecured technology systems, and IT departments are rushing to keep up.
Now, more than ever, HR and IT need to work together to ensure the security of sensitive information. Those companies without strong cybersecurity policies and business continuity plans already in place will be the most vulnerable right now.
Areas of vulnerability include:
- Lack of existing remote working policies for employees to consult.
- Unsecured Wi-Fi and personal devices.
- Weak password and authentication rules.
- Scams and phishing attacks.
- Collaboration tools.
Create and Circulate Your Remote Working Policy
If you already have a policy that covers cybersecurity and remote working, that’s great. Keep in mind that you may now have many more employees working from home who won’t be familiar with it as they’ve never worked remotely before.
If you have no existing policy, now is the time to create one that addresses how remote workers access company information.
Communicating the importance of any policy and enforcing it successfully must be a collaborative effort between IT, HR, and management. Enforcement is not the job of the IT department alone; managers also need to communicate and implement these policies within their teams, with support from the top.
Employers should be aware that in the last few years, GDPR and the California Consumer Privacy Act made considerable changes to how Personally Identifiable Information (PII) is to be collected, handled, and stored safely. More recently, the Colorado Protections for Consumer Data Privacy law created one of the most stringent data breach notification regulations in the U.S. and takes away any exemptions for small businesses.
The penalties for breaching these regulations are serious and could halt your business or cost it severely.
Disconnect from Unsecured Networks
Employees may try to use unsecured public Wi-Fi to connect to company systems, which is one of the easiest ways for confidential information to be intercepted. Discourage employees from doing this.
If they are working from their home Wi-Fi connection, educate them on how best to secure it with a strong password.
Best practice would be to avoid this threat entirely by using a secure Virtual Private Network (VPN) with end-to-end encryption. Keep VPNs current with security updates and patches, and require two-factor authentication to access the VPN.
Secure Personal Devices
In an ideal world, all remote workers would be using equipment supplied and set up by the IT department. Unfortunately, many people may be required to use their personal devices to access company systems under a Bring Your Own Device (BYOD) approach.
Personal device use presents several problems for data security. Employees may be saving sensitive information to their own hard drives or their personal email accounts.
Their devices may be vulnerable to malware and viruses due to out-of-date anti-virus software and a lack of firewalls.
If employees need to use their own devices, you need to sharpen up your BYOD policy as a matter of priority. Make it a policy for employees to have up-to-date anti-virus and firewalls, two-factor authentication, and a strong password.
Arrange periodic remote IT audit sessions in which a technician is given temporary remote access to a workstation to confirm that security settings have not been changed and that recommended updates have been installed. Alternatively, there are third-party apps that can be used to monitor employees’ home networks and identify any security issues. This will need to be rolled out in conjunction with HR, as employees may be wary of this kind of monitoring on a personal device.
Limit the ability to access certain types of information or store it on a hard drive or USB drive.
Introduce Stricter Authentication
A sudden move to remote working only increases the need for access controls and multi-factor authentication. Identity and access management can allow teams to gain rapid, secure access to the systems they need and block access to those they don’t.
Evaluate and Secure Collaboration Apps
Teams have rapidly adopted collaboration apps to communicate, often without evaluating the security of these new systems. A good example is Zoom, which millions of workers across the world began using for video calls. Then it emerged that Zoom might not be as secure as it seemed, and now many companies are banning its use.
Discourage employees from downloading or using apps that have not been approved internally.
Look Out for Scams
Educate, educate, educate.
Scams targeting home workers are already increasing. If an employee doesn’t know what business email compromise (BEC) scams are, let alone how to recognize them, your organization is at risk, whether employees are phished for confidential information, are targeted by brute force attacks, or are just prone to opening suspicious links.
There are a number of organizations that provide online training and support to ensure your workforce can protect itself and the organization if you don’t have the internal resources to do so.
Remember: Properly educating employees on how critical cybersecurity is to your organization, and on the fact that criminals will be targeting them, is an ongoing effort, not a one-time event.