As many employers are considering sending employees home to protect them and other employees from the threat of the COVID-19 virus, it is extremely important to not increase your data security risk while you attempt to reduce the risk to employee and customer health. The following are some best practices for any employees working remotely, whether temporarily or permanently from locations outside your office and (hopefully secure) network.
- Establish clear guidance and expectations for your employees.
  - All remote computer and data use should happen in accordance with the same privacy and security policies as you have in your company office. Working remotely should not weaken safeguards for company data.
  - No expectation of privacy. Employees should already know that any use of your company systems or data is subject to monitoring or review, and they should not expect privacy on such systems.
  - Establish alternative communication channels. In accordance with your business continuity plan, make sure you have the ability to communicate with employees through non-company devices, such as personal cell phones, to convey all updates, especially in the event of a security incident or an inability to access or use company information systems.
- Employees must remain vigilant!
  - Remind employees to remain aware of their surroundings when using company computers or discussing company information in public spaces.
  - With the concerns and constant news coverage about COVID-19, employees might be subject to phishing attacks and other attempts to obtain access to company data masquerading as public service announcements or even company updates. A reminder about such emails and best practices is always appropriate, specifically:
    - Always be wary of emails or texts containing links or attachments from unknown senders.
    - Do not click on suspicious links or open suspicious attachments. Report all such content to the company IT department.
  - Employees should be encouraged to report all suspicious or known security incidents as soon as possible in accordance with your company’s incident response plan.
- Establish a secure connection to your company network.
  - All remote connections to your company network should happen via a secure connection or virtual private network (VPN). Such a connection encrypts the communications between your employee’s device and the network, and requires authentication of the employee before access is provided.
  - All remote connections should be authenticated using multifactor authentication. Such steps help prevent a bad actor from using stolen credentials to access your company network (very common these days).
  - Public wi-fi networks, such as those at coffee shops, airports and hotels, should be avoided unless a company VPN is in place and used.
- Company computer use.
  - Whenever possible, all such remote work should be completed using company-owned devices and computers. Such use ensures existing security policies are enforced on those devices and that all system patches and malware protections are up to date.
  - Ensure your devices are running antivirus software with the latest updates from the manufacturer. When possible, updates should happen automatically.
  - Whenever possible, all portable devices should be encrypted at the hard drive level with a key maintained separately from the device. Such protections safeguard company data in the event of theft or loss, and may also prevent the need to issue notice under various state data breach laws.
  - Whenever possible, documents and sensitive files should be saved or uploaded to the company network and not stored on the company laptop or device itself.
- Physical security.
  - Employees must always protect against unauthorized access to their devices and company data in remote locations, including from family members, friends, and others.
  - Hard copies of company sensitive material should be shredded prior to disposal or recycling. Such documents should be crosscut shredded whenever possible or otherwise rendered incapable of re-assembly or reading.
  - Home or remote offices, closets, or desks in which company data and devices are being used or stored should be physically secured using locks or other means to prevent theft or unauthorized use.
Lastly, if any of these terms or practices are foreign to your organization, take time to understand the benefits, risks and impacts of each. Rash decisions made in an effort to keep the business running in the face of a crisis can have severe consequences and open the door to security vulnerabilities that can harm the very business and customers you are seeking to protect.