Cybersecurity Policies for Remote Work

Sarah Hutchins , Steve Britt

|

October 1, 2020

American businesses have had to change how they operate and how their employees work amid the coronavirus pandemic. This has created unique opportunities for hackers and serious headaches for cybersecurity and IT professionals.

With the rise of remote work, vulnerabilities have increased as additional devices are introduced into companies’ data ecosystems and new phishing schemes ranging from phony COVID-19 updates to “emergency” demands for confidential information prey on pandemic-related fears and confusion. All of this comes while new technologies, like fingerprint timekeeping tools and contact tracing apps, are being incorporated into business operations, potentially triggering new data privacy laws and regulations and creating serious compliance risks. 

In this climate, it is critical for risk professionals to help their company instill an expanded and updated culture of security awareness. They must revisit best practices for data security and train employees how to be vigilant, both online and offline—indeed, they risk being found negligent if they do not. Risk professionals can also help their organization take a fresh look at how they define and analyze their data ecosystem in order to take advantage of new safeguards, some of which are readily available in existing platforms.

Securing the Remote Office

For many companies, “the office” is now a room in an employee’s home, and risk professionals often know very little about their setup and information security profile. This can be a dangerous oversight for several reasons. For example, almost all companies have sophisticated password requirements for an employee to log in to their system. But the fortress built around a company’s system does little good if an employee’s home Wi-Fi password is “password.”

Businesses should also consider how the internet of things impacts information security in home offices. Is that office within earshot of always-listening devices, such as an Amazon Echo or similar smart speaker or virtual assistant technology? Do apps on an employee’s phone default to listening mode every time they update? If so, a hacker could get into that device and monitor employee communications. Hackers do not even have to be involved. Many of these devices take random samples of what is said for quality control purposes, then send the recordings to a team of people to analyze device performance. If employees are dealing with sensitive information, this sampling can introduce risk.

Risk professionals should help their companies work through such issues and settle on common-sense restrictions for home offices that can better secure important data.

Updating Systems and Devices

The remote work environment also demands renewed focus on how data is transmitted and stored. A corporate VPN is an important security enhancement but companies can also maintain good data hygiene by ensuring that all systems and programs are up to date, including by pushing updates to all company devices. Updates frequently include important security patches and should be something that employees do not even have to think about—they should happen automatically.

Companies should also ask employees to keep their personal devices updated. This includes Wi-Fi routers and smart speakers, as well as anything used for or around company business. Consider requiring employees to set their personal devices to update automatically, at least where the devices offer that option in their settings, and withhold access to company applications and email on employee-owned devices that are not sufficiently updated.  Leaders should emphasize that all employees share the responsibility for keeping information safe in today’s environment.

Another best practice is implementing a Bring Your Own Device (BYOD) policy for employee use of personal devices on the company network. The policy should require installation of a mobile device management system on the work side of that device. Then, if the device is lost or stolen or the employee leaves the company, any company data can be remotely deleted. Consult with legal counsel before implementing such measures, however, as recent laws and cases have expanded the scope of employee rights in these areas. 

Some companies that were scheduled to upgrade devices or replace hardware this year have had to reassess those expenses due to the pandemic. But even financially strapped companies can take certain reasonable steps to improve data security. For example, companies can perform vulnerability assessments of their networks and devices to inventory all hardware and software assets and establish a monitoring strategy for them. This will also reveal common attack surfaces, such as decommissioned printers, unpatched software and miscellaneous “shadow IT,” such as that abandoned Xbox left over from a past “Take Your Child to Work Day.” 

As part of the policy update, risk management and IT leaders should periodically remind employees that they must get IT approval for any new services and software. Better yet, companies can institute blocks on what employees can download without IT approval and maintain a computer use policy that provides guidance for employees.

Instituting Training and Addressing Compliance

If businesses have not been providing employees with cybersecurity training and tips during the pandemic, they must implement a program immediately and set a regular schedule going forward. This training should include how to spot phishing emails, how to work remotely in a secure manner, and how to keep accidental home vulnerabilities from migrating to the office.   

Training is becoming more than a best practice—it may be a required legal defense. In litigation regarding data loss and exposure, courts are increasingly looking at the security measures a company implemented, including whether the company regularly and thoroughly trained its employees to spot phishing attacks and other cyberthreats. Businesses should also keep in mind that they will be measured by the best practices in their industry when they are the subject of litigation.

Risk professionals can help companies review how they stack up on best practices and also keep tabs on changing compliance requirements. According to the National Conference of State Legislatures, state lawmakers have already introduced more privacy bills in 2020 than in all of 2019. Businesses may want to partner with outside counsel to stay abreast of potential impacts from these laws, and to assess where they currently stand with regard to regulatory compliance and best practices. 

Another set of helpful reminders can be found in the Cyber Essentials Toolkits from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Recently revised in August, these two-page modules include links to external security resources, controls and FAQs. They are aimed at executives, IT teams and risk management professionals and can be printed, posted and shared with employees.

Creating a Sense of Urgency

Some risk professionals may face challenges convincing other executives to address these steps now, particularly as the pandemic has created a variety of other urgent business issues. But leaders should be reminded that the financial motivation for implementing security is not just about the monetary and reputation costs of a data breach—it is also about the risk of regulatory oversight. Such inquiries pose their own risks, including the potential for state attorneys general to investigate or, where permitted, file their own privacy lawsuits against an organization.

More than half a year into the pandemic, now is the perfect time to assess whether businesses are meeting data security best practices, training and updating employees on those practices, and evolving along with changing circumstances. What’s more, by upgrading your data security practices today, you can help head off larger problems tomorrow.

Sarah Hutchins is an attorney at Parker Poe.
Steve Britt is an attorney at Parker Poe.