Organizations around the world were thrown into a new reality when the Covid-19 pandemic forced a surge of employees to work from home. Decentralized and shadow IT services were stood up quickly, in many cases without adequate testing of network capacity and limitations, and remote workers began using new endpoints that introduce new vulnerabilities. The resulting additional attack surface and security risks need to be addressed. This article looks at some key factors to consider in managing these risks.
Now more than ever, it is critical that employees work at home with privacy and security top of mind. The global pandemic has resulted in an increase in phishing attempts, distribution of false information and new strains of ransomware. With the influx of e-mail communications about responses to the pandemic or back-to-work protocols, fraudsters armed with a receptive audience have successfully launched Covid-19 themed attacks that may not have penetrated networks as easily before the global crisis. Phishing and malware kits are readily available on the dark web for criminals to buy and use to launch their own cyberattacks.
Employees must be made aware of the increase in threats, and phishing simulations that test employees, such as those offered by InfoSec IQ, are more critical than ever.
Many employers have had to quickly ramp up their technology infrastructure to support the majority of their workforce logging into the company network from home. There are many ways in which IT departments can manage security risks. Here are some examples:
- Require all employees to access the company network only through the VPN, and enable multi-factor authentication (MFA) for that access. Two-factor authentication has become simple for IT groups to implement, for example by sending a one-time code to an e-mail address or mobile phone number as a layer beyond username and password. Note, however, that codes sent by SMS or e-mail are the weakest form of second factor (they can be intercepted or phished), so an authenticator app or hardware token should be preferred where available;
- Limit employee access only to applications they actually need (review and update access controls);
- Disable or restrict the ability of employees to download files from the network to their home computer; and
- Consider expanding endpoint protection, such as ensuring devices connecting to the network are scanned for security threats and are running current patches before they are granted access.
Organizations supporting remote work should provide best-practice security guidance to educate employees on securing their home systems. Businesses remain accountable for the protection of customer personal information accessed or managed from the home environment, so it is important to impress upon employees that strong privacy and security practices reduce the risk of a data breach. Here are some key points that employees need to know, ideally through a policy or other formal communication:
- Provide direction on physically securing hardware (e.g. don’t leave your laptop or security hard token on the kitchen counter or outdoor patio table!);
- Provide guidance on security and disposal of paper records. Ideally the use of paper records should be minimized and the ability to use employee owned printers should be restricted. However, for those who must operate with a substantial amount of paper, these individuals should be provided with locked cabinets and shredders; and
- Keep your desktop at home clean – close applications that are not in use, and ensure your screen locks automatically (requiring a password to resume) after a short period of inactivity (e.g. 10 minutes).
File and Network Security
- Employees should continue to store documents on the company network and not on their computer hard drive;
- Require that the home network used to connect to the VPN is secured with Wi-Fi Protected Access II (WPA2) as the minimum standard, or WPA3 where the router supports it. Open networks and WEP should not be used for business traffic. Employees can confirm which mode is in use by logging into their home router's administration page; and
- Employees could be asked to set up a separate Wi-Fi network (SSID) used only for work devices. This keeps business traffic segregated from family devices, smart TVs and other household equipment, and lets the organization define what is tracked and monitored on that network (next week PRIVATECH will provide a blog article on the appropriateness of employee monitoring).
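Checking the router's administration page is one way to confirm the Wi-Fi security mode; the laptop itself can also report it. The following is an added example, not part of the PRIVATECH article, of a small POSIX shell check that classifies the SECURITY column as printed by NetworkManager's `nmcli -t -f SSID,SECURITY device wifi list` on Linux. It assumes nmcli is available and that SSIDs contain no colons (nmcli's terse output is colon-separated). The sample scan output embedded below is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the PRIVATECH article): classify Wi-Fi security
# modes as reported by "nmcli -t -f SSID,SECURITY device wifi list".
#
# Return codes from wifi_security_ok:
#   0  acceptable: WPA2 or WPA3 only
#   2  mixed mode: WPA1 offered alongside WPA2/WPA3 (still allows TKIP clients)
#   1  weak: open network ("--"), WEP, or WPA1-only
wifi_security_ok() {
    sec="$1"
    case "$sec" in
        *WPA1*WPA2*|*WPA2*WPA1*|*WPA1*WPA3*|*WPA3*WPA1*) return 2 ;;
        *WPA2*|*WPA3*)                                   return 0 ;;
        *)                                               return 1 ;;
    esac
}

# Read "SSID:SECURITY" lines on stdin (nmcli terse format), print a verdict
# for each network, and return 1 if any network is weak or mixed.
# Assumes SSIDs contain no colons.
audit_wifi_list() {
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        ssid=${line%%:*}      # everything before the first colon
        sec=${line#*:}        # everything after it (the SECURITY column)
        [ -z "$sec" ] && sec="--"
        verdict=0
        wifi_security_ok "$sec" || verdict=$?
        case "$verdict" in
            0) printf 'OK     %-20s %s\n' "$ssid" "$sec" ;;
            2) printf 'MIXED  %-20s %s (WPA1 still enabled; disable it on the router)\n' "$ssid" "$sec"; rc=1 ;;
            *) printf 'WEAK   %-20s %s (do not use for business traffic)\n' "$ssid" "$sec"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of nmcli terse output, used so the example runs offline.
SAMPLE_SCAN='HomeNet:WPA2
HomeNet-Work:WPA2 WPA3
OldRouter:WEP
CoffeeShop:--
LegacyAP:WPA1
NeighbourMixed:WPA1 WPA2'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SCAN" | audit_wifi_list || echo "One or more networks fall below the WPA2 standard."
```

On a real machine the same check is run with `nmcli -t -f SSID,SECURITY device wifi list | audit_wifi_list`; a help desk can ask the employee to paste the output, which reveals the security mode without the employee needing router credentials. Mixed WPA/WPA2 mode is flagged separately because, although the laptop may negotiate WPA2, the router still accepts older WPA1/TKIP clients, and the fix is a router setting rather than a client one.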
Employees should also be told that company policies and procedures such as acceptable Internet and e-mail use and the social media use policy continue to apply when working from home while logged into the company network.
The above are just a few examples of important points to communicate. Without clear policies and additional guidance for employees working from home, organizations are not taking the necessary steps to protect their customer data and company network. Contact PRIVATECH for assistance with your work-at-home strategy, or check out our Privacy Documentation Suite, which includes a sample procedure on work at home arrangements and laptop deployment guidelines for management and IT staff.