Cybersecurity Policies for Remote Work

This post first appeared on Risk Management Magazine. Read the original article.

American businesses have had to change how they operate and
how their employees work amid the coronavirus pandemic. This has created unique
opportunities for hackers and serious headaches for cybersecurity and IT
professionals.

With the rise of remote work, the attack surface has grown
as additional devices are introduced into companies’ data ecosystems and new
phishing schemes, ranging from phony COVID-19 updates to “emergency” demands for
confidential information, prey on pandemic-related fears and confusion. All of
this comes while new technologies, like fingerprint timekeeping tools and
contact tracing apps, are being incorporated into business operations,
potentially bringing those operations within the scope of data privacy laws and
regulations and creating serious compliance risks.

In this climate, it is critical for risk professionals to
help their company instill an expanded and updated culture of security
awareness. They must revisit best practices for data security and train
employees how to be vigilant, both online and offline—indeed, they risk being
found negligent if they do not. Risk professionals can also help their
organization take a fresh look at how they define and analyze their data
ecosystem in order to take advantage of new safeguards, some of which are
readily available in existing platforms.

Securing the Remote Office

For many companies, “the office” is now a room in an
employee’s home, and risk professionals often know very little about that
room’s setup and information security profile. This can be a dangerous oversight
for several reasons. For example, almost all companies enforce strong password
requirements for logging in to their systems. But the fortress built around a
company’s system does little good if an employee’s home Wi-Fi password is
“password”: anyone within radio range can then join the home network, probe the
work laptop directly and intercept whatever traffic is not separately encrypted.

Businesses should also consider how the internet of things
affects information security in home offices. Is that office within earshot of
always-listening devices, such as an Amazon Echo or similar smart speaker or
virtual assistant? Do apps on an employee’s phone default back to listening mode
every time they update? If so, an attacker who compromises that device or app
could monitor employee communications. Attackers do not even have to be
involved. Many of these devices take random samples of what is said for quality
control purposes, then send the recordings to a team of people who review them
to assess device performance. If employees are dealing with sensitive
information, this sampling alone can introduce risk.

Risk professionals should help their companies work through
such issues and settle on common-sense restrictions for home offices that can
better secure important data.

Updating Systems and Devices

The remote work environment also demands renewed focus on
how data is transmitted and stored. A corporate VPN protects data in transit,
but the endpoint itself still needs care: companies can maintain good data
hygiene by ensuring that all systems and programs are up to date, including by
pushing updates to all company devices. Updates frequently include important
security patches and should be something that employees do not even have to
think about; they should happen automatically.

Companies should also ask employees to keep their personal
devices updated. This includes Wi-Fi routers and smart speakers, as well as
anything used for or around company business. Consider requiring employees to
set their personal devices to update automatically, at least where the devices
offer that option in their settings, and withhold access to company
applications and email from employee-owned devices that are not sufficiently
updated. Leaders should emphasize that all employees share the responsibility
for keeping information safe in today’s environment.

Another best practice is implementing a Bring Your Own
Device (BYOD) policy for employee use of personal devices on the company
network. The policy should require that the work side of the device (a managed
work profile or container) be enrolled in a mobile device management (MDM) or
mobile application management system. Then, if the device is lost or stolen or
the employee leaves the company, the company data in that profile can be
remotely wiped without touching the employee’s personal data. Consult with legal
counsel before implementing such measures, however, as recent laws and cases
have expanded the scope of employee rights in these areas.
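As an added example (not code from the original article), the two requirements in the preceding paragraphs, an updated operating system and enrollment of the work profile in MDM, can be turned into a device-posture gate that decides whether an employee-owned device may reach company applications and email. The minimum OS versions, the Android patch-level floor, the report fields and the sample devices below are all hypothetical placeholders; an IT team would substitute its own baseline.

```python
"""Device-posture gate for company app/email access from employee-owned devices.
Constructed example: the baselines below are hypothetical placeholders, not any
vendor's or the article's recommendations."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re

# Hypothetical minimum OS versions an IT team might set from its own patch baseline.
MIN_OS_VERSION = {
    "ios": (15, 7, 0),
    "android": (12, 0, 0),
    "windows": (10, 0, 19044),
    "macos": (12, 6, 0),
}
# Android reports OS version and security patch level separately: a phone can be on
# the newest major version yet months behind on security patches, so check both.
MIN_ANDROID_PATCH_LEVEL = date(2022, 6, 1)   # hypothetical floor


@dataclass(frozen=True)
class DeviceReport:
    device_id: str
    os_name: str
    os_version: str                       # e.g. "15.7.1" or "12.6 (21G115)"
    mdm_enrolled: bool                    # work profile managed by the company's MDM/MAM
    security_patch: Optional[str] = None  # Android "YYYY-MM-DD" patch level, if reported


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '15.7.1' or '10.0.19044' into an integer triple, padding missing parts
    with 0 and ignoring trailing build tags.  Integers, not strings, are compared:
    as strings '15.10' would sort below '15.7'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable OS version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def evaluate(report: DeviceReport) -> tuple[bool, list[str]]:
    """Return (allowed, reasons).  Every failing check is listed, not only the
    first, so the employee sees everything to fix before retrying."""
    reasons: list[str] = []
    os_key = report.os_name.lower()
    minimum = MIN_OS_VERSION.get(os_key)
    if minimum is None:
        reasons.append(f"unsupported platform: {report.os_name}")
    else:
        try:
            if parse_version(report.os_version) < minimum:
                reasons.append(f"{report.os_name} {report.os_version} is below required "
                               + ".".join(map(str, minimum)))
        except ValueError as exc:
            reasons.append(str(exc))
    if os_key == "android":
        try:
            patch = date.fromisoformat(report.security_patch or "")
            if patch < MIN_ANDROID_PATCH_LEVEL:
                reasons.append(f"Android security patch level {patch} is older than "
                               f"{MIN_ANDROID_PATCH_LEVEL}")
        except ValueError:
            reasons.append("Android security patch level missing or unparseable")
    if not report.mdm_enrolled:
        reasons.append("work profile is not enrolled in MDM, so company data "
                       "cannot be wiped remotely")
    return (not reasons, reasons)


# Constructed sample reports, as a device-management agent might submit them.
SAMPLE_REPORTS = [
    DeviceReport("ipad-01", "iOS", "15.7.1", mdm_enrolled=True),
    DeviceReport("iphone-02", "iOS", "15.10", mdm_enrolled=True),
    DeviceReport("pixel-03", "Android", "12", mdm_enrolled=True, security_patch="2022-03-05"),
    DeviceReport("laptop-04", "Windows", "10.0.18363.1500", mdm_enrolled=True),
    DeviceReport("mac-05", "macOS", "12.6 (21G115)", mdm_enrolled=False),
    DeviceReport("cb-06", "ChromeOS", "104.0.5112.83", mdm_enrolled=True),
]


def gate_all(reports=SAMPLE_REPORTS) -> dict[str, tuple[bool, list[str]]]:
    """Evaluate every report and map device id to its (allowed, reasons) verdict."""
    return {r.device_id: evaluate(r) for r in reports}


if __name__ == "__main__":
    for dev, (ok, why) in gate_all().items():
        print(dev, "ALLOW" if ok else "DENY", "; ".join(why))
```

Two design points matter in practice. Versions are compared as integer tuples, so a device on 15.10 is correctly treated as newer than the 15.7 floor, which naive string comparison gets wrong. And the Android check looks at the security patch level, not just the major version, because a phone can be on the current major release while its vendor has stopped shipping monthly patches; that is exactly the "not sufficiently updated" device the paragraph above says should be kept out.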

Some companies that were scheduled to upgrade devices or
replace hardware this year have had to reassess those expenses due to the
pandemic. But even financially strapped companies can take certain reasonable
steps to improve data security. For example, companies can perform asset
discovery and vulnerability assessments of their networks and devices to
inventory all hardware and software assets and establish a monitoring strategy
for them. This will also reveal common attack surfaces, such as printers that
were never properly decommissioned, unpatched software and miscellaneous
“shadow IT,” such as that abandoned Xbox left over from a past “Take Your Child
to Work Day.”

As part of the policy update, risk management and IT leaders
should periodically remind employees that they must get IT approval for any new
services and software. Better yet, companies can technically block what
employees can install without IT approval, for example by withholding local
administrator rights and allowing only approved applications to run, and
maintain a computer use policy that provides guidance for employees.

Instituting Training and Addressing Compliance

If businesses have not been providing employees with
cybersecurity training and tips during the pandemic, they must implement a
program immediately and set a regular schedule going forward. This training
should include how to spot phishing emails, how to work remotely in a secure
manner, and how to keep accidental home vulnerabilities from migrating to the
office.   

Training is becoming more than a best practice—it may be a
required legal defense. In litigation regarding data loss and exposure, courts
are increasingly looking at the security measures a company implemented,
including whether the company regularly and thoroughly trained its employees to
spot phishing attacks and other cyberthreats. Businesses should also keep in
mind that they will be measured by the best practices in their industry when
they are the subject of litigation.

Risk professionals can help companies review how they stack
up on best practices and also keep tabs on changing compliance requirements.
According to the National Conference of State Legislatures, state lawmakers
have already introduced more privacy bills in 2020 than in all of 2019.
Businesses may want to partner with outside counsel to stay abreast of
potential impacts from these laws, and to assess where they currently stand
with regard to regulatory compliance and best practices. 

Another set of helpful reminders can be found in the Cyber
Essentials Toolkits from the U.S. Department of Homeland Security’s
Cybersecurity and Infrastructure Security Agency. Recently revised in August,
these two-page modules include links to external security resources, controls
and FAQs. They are aimed at executives, IT teams and risk management
professionals and can be printed, posted and shared with employees.

Creating a Sense of Urgency

Some risk professionals may face challenges convincing other
executives to address these steps now, particularly as the pandemic has created
a variety of other urgent business issues. But leaders should be reminded that
the financial motivation for implementing security is not just about the
monetary and reputation costs of a data breach—it is also about the risk of
regulatory oversight. Such inquiries pose their own risks, including the
potential for state attorneys general to investigate or, where permitted, file
their own privacy lawsuits against an organization.

More than half a year into the pandemic, now is the perfect
time to assess whether businesses are meeting data security best practices,
training and updating employees on those practices, and evolving along with
changing circumstances. What’s more, by upgrading your data security practices
today, you can help head off larger problems tomorrow.
