COVID-19 & The Work-From-Home Security Playbook
Like it or not, ever-evolving requirements in response to COVID-19 mean that many organizations are asking traditional office-based employees to work remotely. Work-From-Home (WFH), Work-From-Anywhere (WFA), Telecommuting – by any other name, it is here to stay.
In many cases, technology allows that to happen with relative ease. However, the vast majority of organizations are not prepared to keep their distributed workforce safe under these circumstances. By nature, that exposes their own systems to significant security risk.
Even a small data breach incident through a remote worker can cause potentially catastrophic damage and losses. It can also trigger federal and state data breach laws, regulatory audits and civil lawsuits resulting in significant liabilities and penalties for your business.
WFH RISK FACTORS
Here are just 4 of the most common ways employees can be a security risk while working remotely.
- Phishing emails: Remote workers tend to let their guard down in the comfort of their home. A fake email can trick employees into clicking on malware-laden links or attachments, giving hackers access to or control of the computer and, ultimately, access to your company’s network.
- Home office insecurity: Managing the security of employees who work from home can be a monumental task due to insecure home Wi-Fi networks that are connected to other computers and devices, not to mention the difficulty of keeping computers and work documents inaccessible to everyone else in the home.
- Bad security software: Some remote workers use their personal computer for work. Without adequate security software, along with regular checkups and oversight, it can be a gaping security hole.
- Shadow IT: Without easy access to expert technical support, employees may try to troubleshoot their own computer and network problems or ask a friend or family member for help, potentially creating big security risks and unauthorized access to confidential information.
WFH BEST PRACTICES
As employees are getting used to the new reality of working from home, organizations are under pressure to make sure they can continue to work safely while maintaining compliance with federal, state and industry data security requirements. Here are a few best practices to consider:
Network Vulnerability Testing
Setting up remote employee access to your company’s systems can introduce a number of security risks. If you open remote access on your firewall or server, ensure it’s configured properly to prevent hackers from exploiting known vulnerabilities in remote access services such as Remote Desktop Protocol (RDP). Now is a good time to have your firewall or network server tested by a qualified third party to look for remote access security risks and other known exploits.
Computer and Home Wi-Fi Security
Make sure the employee’s computer and mobile devices (whether personal or corporate-provided) are locked down with approved antivirus and regularly maintained with security checkups including software updates and patches. If you don’t have the means to easily do this type of maintenance across a distributed workforce, consider sourcing external help.
Be sure to secure the employee’s home Wi-Fi network with proper levels of encryption and password strength. Encourage or help employees set up a separate Wi-Fi connection for work, isolated from all other computers and devices such as smartphones, home security systems, smart TVs, gaming systems, smart thermostats and virtual assistants.
Data Access Protection
Limit access to confidential and sensitive information with strong passwords and, where possible, multifactor authentication (MFA) for accessing the computer, cloud services and the company’s network. Using approved or company-provided virtual private networks (VPNs) should be mandatory for remote network access.
Security Awareness Training
In addition to regular cybersecurity awareness training for all employees, anyone given authorization to work remotely for any amount of time should complete training on your company’s WFH security best practices. Employees should also sign appropriate information security and nondisclosure agreements that include details of your company’s WFH policies.
Consider providing all personnel with continuous security awareness updates and alerts about the current known threats they should watch out for.
On-Demand Technical Support
Be sure to provide employees with access to remote technical support services to troubleshoot and resolve any tech or security issues with their computer or home network. Employees should be prohibited from fixing problems themselves or asking a friend or family member for help with a computer being used for work purposes.
Incident Response
WFH employees should be reminded of their responsibility to report any potential cybersecurity or data breach incident, no matter how small. Failure to report incidents in a timely manner can increase the costs of a data breach and impact compliance with data breach disclosure laws.
Breach response, containment and investigation now may involve looking at an employee’s personal computer or setups in their home environment. Your WFH plan should include policies and procedures that allow your company to conduct necessary and timely breach response activities through a remote workforce setup.
It is also advisable that you review your cyber insurance policy for any exclusions or special conditions for incidents related to remote employees.
Schedule a FREE consultation.
Have questions or concerns about cybersecurity or compliance? Schedule a free, no-obligation phone call with our security and compliance experts here at INVISUS. Our mission is to help you safeguard your business, customers and employees against data breach incidents and cybercrime. Call (801) 724-6211