By Michael R. Jones, Attorney
The new reality of COVID-19 has forced millions of Americans to suddenly have to work remotely. According to the video conferencing service Zoom, in December, 2019 it had approximately 10 million users. For the month of April, that figure went up exponentially to more than 300 million users. This spike was obviously due to the COVID-19 pandemic that has forced many companies and schools to retool for remote work. The surge in users has also sparked criticism, and bad PR around Zoom’s privacy and security. The company has recently announced that it is now working diligently to improve the platform’s privacy.
With much of the workforce now working remotely, the need for good cybersecurity “hygiene” has never been greater. So, what steps should you be taking to strengthen your business and your security controls for your new remote workforce? Take a deep breath, because we’ll break it down for you here.
An effective information security plan must incorporate three types of controls: administrative, physical and technical. If you consider the controls your business currently has in place under these three categories in light of the “new normal” of remote working, you can tailor your information security plan to protect what is (after your workforce) your most valuable asset—your data.
Administrative controls refer to policies, procedures, or guidelines that define how your business practices align with your business’s overall security goals, including how your personnel access and use your network resources and other assets, as well as the level of access they have been granted. If you would like a complimentary template for a remote working policy, contact us.
Here are some best practices:
- Review your current policies on remote working and the use of personal devices (i.e., BYOD or “bring your own device” policies) and incorporate best practices if they lack relevant detail. Once revised, send them to all remote personnel and ask them to acknowledge that they have read them and agree to comply with them.
- If you haven’t already, consider implementing information classifications that define which personnel have access to certain categories of information. There is no doubt that remote working increases the risk of data loss, so it is a best practice to limit access to confidential or other sensitive information to those personnel who have a documented “need to know” to mitigate this increased risk.
- Review your playbook for how you can contact your personnel quickly, say, in case of an emergency like a security breach or other cyberattack, including by adding updated remote contact information. Note: any response plan should include a method of communication that doesn’t require use of your network, in case the network is shut down or is otherwise compromised.
- Redouble your efforts to stay in touch with your remote workforce. This will keep risk awareness elevated, where it should be. Remote personnel should be particularly aware of the increased risk of phishing attacks, especially those related to COVID-19. Remind them that your security policies are EVEN MORE IMPORTANT in the new remote working environment.
Physical controls refer to tangible processes and procedures used to control access to physical areas, systems, or assets. For example, your remote personnel should protect your information just as they do when they are physically present in the workplace.
Here are some best practices:
- Remind your remote workers that they should never download business information onto their personal devices or upload business information to personal cloud services (e.g., Dropbox, Box) or conduct business through personal email. Many businesses disable drives that allow users to copy business information to portable media, like USB devices.
- Policies that require personnel to exit programs or shut down their computers when not in use should still apply when working remotely. As always, laptops and other mobile devices should never be left unattended in vehicles or public areas. Other family members should not be allowed to use work devices, and you should remind your remote personnel to be aware of their environment and not expose confidential information in public areas where any physical materials or screens may be viewed or their conversations may be overheard.
- Pay attention to confidential paper documents. Employees should use the same caution with paper documents at home as they do at the office, especially those employees who handle confidential materials and personally identifiable information. If employees do not have a shredder at home, they should purchase one or plan to dispose of these documents at the office when stay-at-home orders expire.
Technical controls refer to the hardware and software you use to protect your information assets. Technical controls are almost always managed through your IT department and include such practices as implementing and maintaining firewalls, antivirus software, intrusion monitoring, and encryption protocols.
Here are some best practices:
- Make sure that you have, or (if you don’t) put in place NOW, technical controls for enhanced security, such as:
  - requiring two-factor authentication;
  - using a VPN (virtual private network) and prohibiting access to your systems from public Wi-Fi connections; and
  - installing security software on employee devices, including antivirus software and mobile device management software (which allows you to remotely wipe devices, enforce strong passwords and data encryption, and limit the software and apps that can be downloaded and installed).
- Also ensure that your IT function is up to the job of handling the increased load that will surely come from more of your workforce working remotely.
In this new environment, it is more important than ever to assess your current procedures, identify any gaps or weaknesses in them, address those deficiencies by putting in place robust policies and procedures, and to communicate them to your workforce. Doing so will help to protect your most valuable asset—your data.
As mentioned earlier, Trusted Counsel has put together a form remote work policy that you can tailor to your specific business as needed (and with our help, if necessary). We suggest that you do so NOW, make the policy available to your workforce and have them acknowledge in writing that they have reviewed, and agree to abide by, it.
We don’t know how long we will be working remotely. For some, it will represent a new way of working and a lifestyle change. Companies that succeed setting up thoughtful and effective remote working policies and procedures will be well positioned moving forward.
One final note. Know that we are here to assist you and help you navigate your organization’s legal approaches to ever-growing and ever-evolving cybersecurity and ransomware risks. Please contact me, Michael R. Jones, at firstname.lastname@example.org with any questions or for more information.