Coronavirus (COVID-19): Managing Cyber Security Risks of Remote Work
With many businesses being forced to take swift action to help slow the spread of COVID-19, remote working is at the centre of those efforts. While remote working arrangements can effectively slow the spread from person to person, they present cyber security challenges that can differ from those of on-premises work. Below is a list of considerations and tips to help guide businesses through these challenges.
Review your current information security and other similar policies to determine if there are any established security guidelines for remote work and remote access to company information systems. Some organisations may have policies specifically geared for remote work, while others may provide for contingencies in disaster recovery plans, BYOD (bring your own device) policies, and other similar plans and policies. If no relevant plans or policies are in place, this is a good time to establish at least some basic guidelines to address remote access to company information systems and use by employees of personal devices for company business.
Managers should be familiar with applicable security guidelines, plans, and policies, and ensure that this information is passed down to their teams and throughout the organisation. Remember, many employees do not work in security day-to-day, and some may have never worked remotely before. Providing guidance to all employees is critical.
Companies should review data breach and incident response plans to ensure that they are prepared to respond to a data breach or security incident. The increased security risk of remote work reinforces the need to have a plan in place if something goes wrong.
Remote Work Cyber Security Tips:
- Remind employees of the types of information that they need to safeguard. This often includes information such as confidential business information, trade secrets, protected intellectual property, work product, customer information, employee information, and other personal information (information that identifies a person or household).
- Sensitive information, such as certain types of personal information, that is stored on or sent to or from remote devices should be encrypted in transit and at rest on the device and on removable media used by the device.
- Train employees on how to detect and handle phishing attacks and other forms of social engineering involving remote devices and remote access to company information systems. There is an increasing number of Coronavirus-based phishing emails going around, preying on the health concerns of the public.
- Do not allow sharing of work computers and other devices. When employees bring work devices home, those devices should not be shared with or used by anyone else in the home. This reduces the risk of unauthorised or inadvertent access to protected company information.
- Virtual Private Networks (VPNs) ensure that internet traffic is encrypted, which is especially important when connected to a public Wi-Fi network. If your company has one in place, make sure employees exclusively use the VPN when working and when accessing company information systems remotely.
- Company information should never be downloaded or saved to employees’ personal devices or cloud services, including employee computers, USB sticks, or cloud services such as their personal Google Drive or Dropbox accounts.
- Require security software on employee devices and ensure that all versions are up to date with all necessary patches.
- “Remember password” functions should always be turned off when employees are logging into company information systems and applications from their personal devices.
- Implement and enforce two-factor or multi-factor authentication (MFA). If you haven’t turned on MFA yet, now is the time to do it.
If you would like to discuss this further or have any questions, contact us: