By Paul Pearman, Paul PearmanAudit and Assurance Partner
30 April 2020
Over the past few weeks, many businesses are minimising office staff and requiring employees to work from home. Conferences are being cancelled and meetings are moving into the virtual spectrum. Many businesses have a business continuity plan, but a lot of businesses still don’t.
For those that have a plan, remote access strategies will be put to the test. For those that don’t, the urgency to create one will be pushed to the forefront and defined on the go. If you haven’t already defined and verified your remote access solution, be sure that you factor in security. While you certainly need to operate, you don’t want to expose the business to being compromised or trigger an inadvertent data breach. For example, allowing employees to take copies of data on removable drives from the office location to work from home may result in data loss should the drive be misplaced.
The following should be considered as part of your strategy:
Confidential and Sensitive Data
If your employees access sensitive data, they should be provided with a company-controlled and secured laptop, inclusive of encrypted hard drives. While ideally, everyone will have a laptop to work remotely, that may not be a financial reality or a necessity. If you need to prioritise, focus on the high-risk employees based on the sensitivity of the data they need to access.
Any remote access or cloud-based application should leverage multi-factor authentication. This is particularly important if you embark on rapid deployment of remote desktop software such as LogMeIn or GoToMyPC to allow employees to utilise their own equipment at home to connect to their at-work resources.
Home Security Checks
If you have the resources, offer to have your IT department perform a security check on employees’ home devices if the ultimate decision is that they need to work from home using their own equipment.
Try to limit the options for employees to save data out of secured locations to their own devices. The capabilities will depend on the solution you implement.
Remote Access Strategy
Ensure you establish and communicate clear expectations of the working-from-home strategy. While you may not be able to implement the ideal set of technical controls to manage risk, you can ensure your employees play their role and know how to work efficiently and securely when not in the office. Empower them with the knowledge of the risk so they know how to manage it.
Monitoring the use of unauthorised computers/device and their access to the network. This is especially important for companies that have adopted/allowed staff to bring use own devices.
Phishing and Scam Emails
Be more vigilant on the lookout for phishing emails and sites. Empower them with the knowledge of the risk so they know how what to look out for. The coronavirus scare is the perfect mechanism for cybercriminals to leverage and trigger that emotional response.
Secured Network and Prevention
Ensure all employees use a Virtual Private Network (VPN), or other encrypted means of communication to prevent eavesdropping on shared Wi-Fi, along with reviewing firewalls and antivirus software. Securing of the home router will also minimise unlawful access.
Data Management Post Crisis
Once the crisis begins to subside, communicate to employees that any saved data to non-traditional locations during the course of the crisis be securely returned to the company and removed or destroyed from those other locations.
This is without question a scary time with potentially devastating consequences to human life and the operational stability of businesses. However, know you are not doing it alone. If you need assistance in establishing a secure working-from-home protocol or creating a cybersecurity program designed to be resilient regardless of the issue, we are ‒ and will remain ‒ available to assist you.
For more information or any advice on establishing cybersecurity protocols for your work-from-home arrangements, please contact one of our IT and Risk Management specialists.