For any company, shifting employees to a fully or partially remote working environment is a challenge. Amidst all the turmoil, ensuring the safety and security of employees, business operations, and data is a top priority. Here are some suggestions on how to keep information and employees safe and secure while working remotely.
Revisit Your Policy
While many companies may already have a remote worker policy in place, creating a policy or updating your current policy to address new risks and trends is the first step toward organizing and instituting safe practices. Companies that have remote or working from home structures in place typically have employees sign an agreement that outlines company policy for conduct and behavior while working outside of the office. This allows companies to set standards and hold employees accountable to follow policy, procedures and protocols for information security and data transfers while accessing company systems or data while working remotely. This policy should be communicated to all employees as soon as possible and should be a point of emphasis.
Implement Best Practices for IT Security
Establishing strong security measures is at the forefront of maintaining data and network safety as employees work remotely. The following controls should be incorporated into your basic IT security protocol:
- Use strong passwords and multi-factor authentication (MFA) on laptops and work applications that are used for daily activities.
- Use a Virtual Private Network (VPN), which encrypts traffic between the employee's device and the company network so that the data employees transmit is protected in transit.
- Remind employees to install updates, patches, and anti-virus software at regular intervals, or when prompted.
- Require employees to use a secure Wi-Fi network and discourage the use of free or public Wi-Fi, such as at a coffee shop. Networks that are private and password protected are the most secure. You may even suggest using a hardwired connection if possible to ensure security.
- Remind employees to back up information to network drives. This way, if a device is lost or damaged, or an employee falls prey to a scam, all data is retrievable from company storage.
Watch for Email Security
Now more than ever it’s important to encourage employees to heighten their awareness of email security. Scams and misinformation have become an increasing concern during the COVID-19 pandemic.
Highlighting the importance of critical thinking when reviewing emails (and their links and/or attachments in particular) is a tried and true method for minimizing cyber risk. It’s easy for employees to lose focus and forget to review emails critically as they work from home. One way to educate employees on safe practices is by distributing an email phishing checklist or a reference guide of some sort to help them better identify scams and phishing emails. Some key tips to include are:
- A reminder that hackers pay attention to what is normal or part of employees’ “day to day” work environment and try to mimic it as best they can to trick employees.
- Review all email addresses to make sure the sender name and email address match (and the email address is not from a different domain than the sender’s company, etc.).
- Hover over all web addresses and hyperlinks within the email prior to clicking on them to ensure they are legitimate and match the expected link/destination/website.
- Check for accurate and appropriate branding and logos, spelling, contact information, grammar, etc. as these are telltale signs of a scam.
- Recognize “out of the ordinary” requests. Personal or account information is not typically emailed to you, and you should never be asked to share account numbers via email. When in doubt, always call and confirm first.
- Identify any pushy language, hard sell or sense of urgency; these can also be indicators of a scam.
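As an added example, not part of the original article, the sender, link and wording items from this checklist coded as a small screening function and run over a constructed sample message; the company domain, the sample message and the phrase lists are assumptions, and the HTML handling is intentionally simple.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the article): look-alike sender domain (note the
# "1" in examp1e), link text that differs from the real destination, a request
# for account details, and urgency wording.
SAMPLE_EMAIL = """\
From: Example Corp Payroll <payroll@examp1e-corp-secure.net>
Subject: Action required: verify your direct deposit
Content-Type: text/html

<p>Your payroll account will be suspended unless you confirm your account number immediately.</p>
<p><a href="https://examp1e-corp-secure.net/verify">https://hr.example-corp.com/verify</a></p>
"""

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
# Assumed phrase lists; tune them to the organisation's own mail traffic.
SENSITIVE = re.compile(r"\b(account number|password|social security)\b")
URGENCY = re.compile(r"\b(immediately|urgent|within 24 hours|suspended)\b")

def phishing_flags(raw_message: str, company_domain: str) -> list:
    """Return the checklist items a message trips; an empty list means no findings."""
    msg = message_from_string(raw_message)
    _name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = msg.get_payload()
    flags = []
    # The address must belong to the company the mail claims to come from.
    if sender_domain != company_domain.lower():
        flags.append(f"sender domain {sender_domain!r} is not {company_domain!r}")
    # "Hover over the link": visible text must match the host the href leads to.
    for href, text in ANCHOR.findall(body):
        real = urlparse(href).hostname or ""
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested in the anchor
        if URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "https://" + text).hostname
            if shown != real:
                flags.append(f"link text {text!r} really goes to {real!r}")
    # Requests for account details and pressure language are further indicators.
    lowered = body.lower()
    if SENSITIVE.search(lowered):
        flags.append("asks for account or personal information")
    if URGENCY.search(lowered):
        flags.append("urgent or pushy language")
    return flags
```

Calling `phishing_flags(SAMPLE_EMAIL, "example-corp.com")` returns four findings for the sample, one per checklist item it violates.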
A VPN protects email and other traffic while it travels between the employee's device and the company network. However, when sending sensitive or confidential information, such as personally identifiable information (PII), employees should make sure that this information is encrypted and sent via secure email, or use a secure file transfer protocol (SFTP).
Physical Security Considerations
While physical security is often handled by an employer in the office, some of that responsibility shifts to the employees in remote work situations. Encourage your team to evaluate their at-home work environment and the physical security controls they have in place, and take the following additional precautions:
- Lock computers when you step away, even from people in your own home so that sensitive information isn’t accessible to others. Most employees handle sensitive and confidential information that should be protected even from roommates and family members.
- Assess the physical security of your devices. Do not leave equipment by windows, around food or pets, and, if you are traveling, lock devices in the trunk of a vehicle or keep them with you.
- Companies can implement compensating or mitigating controls and be the fallback by configuring:
  - Computers to auto-lock after a certain amount of time has elapsed without activity.
  - Applications, specifically those that are commonly used for accounting, sales, or human resources (e.g., Oracle, Concur, Salesforce), to time out if left unused or inactive for a period of time.
Creating an educational, collaborative, and supportive culture around cybersecurity will help generate an awareness among employees and consequently produce a strong defense against cyber attacks — with employees and management working together towards a common goal. Your organization should communicate on the topic of cybersecurity daily, or as frequently as possible and necessary, during the COVID-19 pandemic, as this acts as a reminder to employees to be vigilant during this turbulent time.
Regardless of the scenario we’re operating in, your organization should also encourage employees to report any security incidents or potential breaches to your IT team as soon as possible. It’s better to catch these types of things early and be overly cautious than to wait — which could ultimately result in a much larger, more impactful outcome. Having strong practices and education in place will help bring awareness and keep risk at bay as people navigate these new waters. If we can be of assistance, please contact us.
Ray Gandy is a Director and Leader of the IT Risk & Assurance Practice at CBIZ & MHM New England. He can be reached at firstname.lastname@example.org or 617.761.0722.
Copyright © 2020 CBIZ & MHM (Mayer Hoffman McCann P.C.). All rights reserved. CBIZ and MHM are separate and independent legal entities that work together to serve clients. CBIZ is a leading provider of tax and consulting services. MHM is an independent CPA firm providing audit and other attest services. This article is protected by U.S. and international copyright laws and treaties. Use of the material contained herein without the express written consent of the firms is prohibited by law. Material contained in this alert is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their business.