COVID-19 has completely turned our workforce on its head. Most businesses and employees have found themselves in uncharted professional territory, with their work lives and daily routines unexpectedly disrupted. People who have worked in offices throughout their careers now find themselves working from home. For some it is a dream come true, but it presents a whole host of problems as well — working with new technology, battling with neighbors over adequate WiFi, wrangling children in the midst of meetings — and that’s just the beginning. If this keeps up, www will soon stand for the Wild West of Work. Further complicating the cybersecurity risks we face daily, we have recently seen an increase in malware and phishing schemes related to COVID-19.
Because of this environment, businesses are scrambling as their employees suddenly transition to working remotely and safely. To help, here is a practical checklist that companies should consider to aid them in avoiding cybersecurity risks:
Get a remotely-accessed digital workspace
If you don’t already have a Virtual Private Network (VPN), consider getting one. Once installed, it should enable access to email, documents and billing applications (as needed). Security is of utmost importance right now, so it should have multi-factor authentication. This means that even if the wrong person gains access to a staff member’s personal device, they cannot access the business’s digital workspace unless they also possess the second device used for authentication. Of course, this tool is only helpful if your staff knows how to use it, so it may prove necessary to provide written instructions and hold tutorial sessions online.
If you already have a VPN, it is still helpful to confirm that your staff actually knows how to use it and can access needed information.
Set up private telephone and conference calls
Your business may need to obtain or expand licenses for secure and reliable conference call and video conferencing services. Free services, which may not be secure, can be tempting to use, but if any confidential information could be discussed during the call, then it is not worth the risk.
Prepare staff to work from home
Do your employees have the necessary information and skillset to work from home? Make sure your staff know how to access their work voicemail (and know their passcode). Share personal telephone numbers among colleagues as a communications back-up. Verify that everyone has access to a laptop, iPad or other devices that they can use to work effectively while out of the office. Encourage them to check regularly to make sure that their devices have all recommended system updates and patches installed. These devices should require passwords (or facial recognition) for use. It is important to warn about the risks of sharing the device with family members. Educate employees on the dangers of linking to the business’s systems using insecure publicly-available WiFi or using a home WiFi connection that lacks strong password protection.
Prepare for cybersecurity risks
Having employees work remotely increases a company’s vulnerability to cyberattacks. This is, in part, because the company’s efforts to prevent malware from entering the IT system have not been applied to employees’ personal devices. These devices may already be infected with malware, particularly if they are shared, and it’s likely they do not have the perimeter controls and virus detectors that are installed on the company’s proprietary systems.
So, what can you do to ensure that your employees are taking the proper security measures?
First, be on the lookout for employees who send copies of emails and documents through their personal email accounts. Set a policy that forbids saving confidential emails and documents directly on personal devices (they should be stored only on the firm’s system, using the remotely-accessed digital workspace/VPN). Employees should be instructed not to store or transfer confidential data using unapproved personal cloud service accounts. Additionally, you can consider requiring all staff to change their passwords frequently during the course of the remote-working period. This reduces the scope of the threat if their personal device gets hacked (or already is). It may feel a bit sneaky, but consider sending fake phishing emails to test which employees click the links and may require follow-up training. Such measures may be necessary in order to keep everyone secure.
IT security should go on high alert
Whether you have an internal IT department or outsource IT services, they should be watching closely for anomalies in activity on your system and evidence of hacking during this time of vulnerability. Instruct them to keep better logs of network activities, to enable better information about threats, and to pay particular attention to remote access. It could be prudent to consider “stress-testing” your security protocols, perhaps randomly, to determine where vulnerabilities lie and plug them before bad guys can get into your firm’s network.
Lastly, consider the challenges of running your business amid the COVID-19 outbreak as a good time to review (or create) your written Business Continuity Plan, and consider whether you have appropriate cybersecurity insurance, including for social engineering (and an appropriate amount of coverage). This is a hard time for all of us, but it is also a great time to learn and improve — use it wisely.
Jacquelyn Adams, an IEEE Senior member, is a nationally-recognized leader in employee learning and development. Jacquelyn is the CEO and Founder of Ristole, a consulting business that transforms corporations through engaging employee training.
Gail Gottehrer is the founder of the Law Office of Gail Gottehrer, LLC, where her practice focuses on emerging technologies. She is also the co-chair of the New York State Bar Association’s Technology and the Legal Profession Committee, teaches Law for Knowledge Innovation at Columbia University, and is a member of the IEEE P7014™ Working Group that is developing a Standard for Ethical Considerations in Emulated Empathy in Autonomous and Intelligent Systems, and a member of the ITU’s Focus Group on AI for Autonomous and Assisted Driving.