Q. What should businesses do to prevent remote workers from creating cybersecurity risks?
A. Businesses are rapidly transitioning to remote workforces to combat the coronavirus. For businesses that already support remote work, that transition may occur fluidly. For businesses that do not, the cybersecurity risks are more frightening.
1. Protocols: Businesses that have protocols for remote working should reinforce them with employees. Businesses that do not should create temporary protocols.
2. Laptops: Businesses should permit employees’ access to networks using only company computers, with encrypted hard drives, up-to-date anti-virus/anti-malware, strong passphrases/passwords, and locks after 15 minutes of inactivity. Employees should not have administrator privileges. Employees should be instructed to shut down when not in use, and that family members may not use company computers.
3. Virtual private network: Access to the network should be only through a secure company VPN, which has multi-factor authentication, prevents downloading to a local drive, prevents access to local printers and internet-of-things devices, and is configured with robust logging. Employees should not be allowed to use the VPN on a personal computer.
4. Mobile devices: Businesses should permit employees to access company email only using a mobile device that has a password or biometric. More effective controls exist with a mobile device management application.
5. Email: Remote access to company email and cloud storage should be allowed only using a company computer or mobile device discussed above, with a strong password and multifactor authentication. Outlook Web Access should be disabled.
6. Wi-Fi: Home and public Wi-Fi are vulnerable. Employees should be prohibited from using insecure public networks. Businesses should ensure that home networks of executives have a company monitored firewall, and other employees use a VPN described above.
7. External drives: Businesses should prohibit employees from using external or USB drives, unless encrypted and company owned. Disabling USB ports or installing an application that encrypts drives are effective protections.
8. Attacks and crime: Hackers are capitalizing on this crisis. Businesses should have safeguards against phishing and social engineering, like headers alerting employees to emails from outside the organization, a button permitting employees to forward suspicious email to IT, and a ‘sandbox” that executes links and attachments in a safe environment. Businesses also should require employees to confirm the authenticity of every monetary transaction via a secondary authorization (like voice confirmation).
9. Privacy: Privacy laws are in effect during this crisis, including laws protecting health and personal information (like HIPAA, GDPR, and CCPA). Businesses cannot disclose health or personal information about a person who is or may be affected by the coronavirus without complying with statutory requirements.
10. Prohibited activities: Businesses should remind employees that certain activities are prohibited, including handling company information using a personal email account, personal cloud (like Dropbox or iCloud), or personal computer.
Cameron Shilling is a shareholder at McLane, Graf, Raulerson & Middleton, where he is a member of the Litigation Department and the Employment Law Group.
Published in the Union Leader (3/29/2020)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
