With cases of the COVID-19 emerging worldwide many businesses have taken swift action in an effort to curb its spread. Teleworking or “remote working,” is the centrepiece of those efforts. While remote working arrangements slow the community spread of COVID-19, they present cybersecurity challenges that differ from on-premise work. Organisations could face challenges and considerations to secure both their data and their customers’ information.
In order to mitigate the risk of data leaks and enforce the Information Security of teleworking, organisations should adopt a three-step approach.
1. Prepare
Review your data breach and security incident response plans to ensure that they are current and can be implemented under a teleworking scenario. Update or adapt the plans if necessary. The increased security risk of remote work reinforces the need to have a plan in place.
2. Policy
Review your current Information Security and similar policies to check for established security guidelines for remote work and remote access to company information systems. Some organisations may have policies specifically geared for remote work, for example in line with ISO27001 ISMS controls A11 and A9. Other policies may provide for contingencies in disaster recovery plans; such as BYOD (Bring Your Own Device) policies. If no relevant policies are in place, this is a good time to establish at least some basic guidelines to address remote access to company information systems and how employees should use personal devices for company business.
3. Communicate
Ensure all CxO level, Heads of Departments and Managers are familiar with applicable security guidelines, plans and policies, and are cascading all pertinent information to their teams. It is essential that the organisation is aligned from top to bottom. Remember, many employees do not work in security day-to-day, and some may have never worked remotely before. Providing guidance to all employees is critical.
Teleworking Information Security – actions to take now:
- Train employees on how to detect and handle phishing attacks and other forms of social engineering involving remote devices and remote access to company information systems. There are an increasing number of Coronavirus-based phishing emails going around, preying on the health concerns of the public.
- Prohibit the sharing of work computers and other devices. With employees taking work devices such as laptops home there may be the temptation for other family or household members to use these devices. Communicating clearly that this must not happen will reduce the risk of unauthorised or inadvertent access to protected company information.
- Inform all employees that company information should never be downloaded or saved to employees’ personal devices or cloud services – including personal computers, thumb drives, or cloud services such as their personal Google Drive or Dropbox.
- Make sure employees exclusively use the VPN when working and when accessing company information systems remotely. Ensure that VPNs are properly patched and passing through a different layer of security and authentication.
- Secure all computers and devices with a security software as well an Advanced Endpoint Threat Detection.
- Implement and enforce two-factor or multi-factor authentication (MFA) and enforce the access control to resources by implementing hop-on servers
- Consider Mobile Device Management (MDM), These solutions can help manage and secure mobile devices and applications. These tools can also allow organisations to remotely implement a number of security measures, including data encryption, malware scans and wiping data on stolen devices.