Employees transitioned to remote work about as quickly as fears of the coronavirus spread across the globe.
Jordan Fischer, Managing Partner for XPAN Law Group, helps her clients protect against cyber and privacy pitfalls. Fischer appeared on our series of SecureWorld Remote Sessions to share her expertise on what is uncharted territory for many businesses.
Remote work vulnerabilities are top of mind for employers. Fischer has excellent advice for mitigating risk, along with helpful suggestions covering technical infrastructure, access control, log monitoring, and contractual obligations.
This is the second of a two-part series. View part one here.
Endpoint security for remote work
"We have to assume there will be at least some level of personal use on the corporate device, especially in the current environment. Some people might not even have another device to use right now, and it might be their only source of news or ways of interaction. It would be foolish for us to believe that they won't be using it for personal uses," Fischer says.
Is your team using their own personal devices (BYOD), or has the company provided them? Because this pandemic progressed so rapidly, companies found employees working from home quite literally overnight, meaning there was no time to order a hundred new laptops to provide their workers.
If employees are working on their own devices, the company has far less control of who is accessing that device, where data is being stored on the device, and what is being accessed on the device.
This creates the potential for blending personal data with company assets. Because working from home may give kids, spouses, roommates, and others easy access to the device, Fischer recommends the following device management precautions:
- Sandbox off the work environment.
- Restrict the ability for employees to save to their own hard drive.
- Consider extra password security (two-factor authentication) or another identifier to keep other users from gaining access.
- Use a Virtual Private Network (VPN).
Fischer reminds us that home Wi-Fi is traditionally not as robust or protected as work Wi-Fi. Home routers may be operating from the default settings because they were never altered, which makes it much easier for breaches to occur. Additionally, consider the risks involved with multiple individuals using that Wi-Fi.
Identity and access management strategy
Fischer recommends limiting access for employees to the smallest amount necessary for them to fulfill their role at the company. Every employee doesn't necessarily need access to every component of the business, especially in the remote workforce environment.
Also, be sure to monitor your network for someone who logs in as a legitimate end user but is not that person.
Since most of the country and the globe is adhering to varying forms of "shelter in place" policies, you should investigate when an employee is logging in from the UK when your company is based in California, for example. Did an employee travel to Europe, or is there something more serious happening? Keep an eye on your logs and system feedback.
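One way to run the log check described above, as an added example that is not from the SecureWorld session or Fischer's material. The log format, user names, home-country baseline, travel exception list, and time threshold are all assumptions, and the records are constructed with documentation-range IP addresses.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data). Assumed format: ISO timestamp,
# user, source IP, country already resolved by geo-IP enrichment, and result.
SAMPLE_LOG = """\
2020-04-06T08:02:11 user=asmith src_ip=198.51.100.10 country=US result=success
2020-04-06T08:15:40 user=bjones src_ip=198.51.100.22 country=US result=success
2020-04-06T09:30:05 user=asmith src_ip=203.0.113.77 country=GB result=success
2020-04-06T09:41:19 user=cwu src_ip=203.0.113.90 country=GB result=failure
2020-04-06T10:05:00 user=dlee src_ip=192.0.2.14 country=GB result=success
"""

HOME_COUNTRIES = {"US"}                  # assumption: where the workforce is based
APPROVED_TRAVEL = {"dlee": {"GB"}}       # assumption: confirmed travel exceptions
MAX_COUNTRY_SWITCH = timedelta(hours=6)  # assumption: shortest plausible trip


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.fromisoformat(ts)
    return event


def find_suspicious_logins(log_text):
    """Return (user, country, reason) for successful logins worth investigating."""
    findings, last_seen = [], {}
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "success":
            continue  # only completed logins are evaluated in this example
        user, country = ev["user"], ev["country"]
        allowed = HOME_COUNTRIES | APPROVED_TRAVEL.get(user, set())
        if country not in allowed:
            findings.append((user, country, "unexpected country"))
        prev = last_seen.get(user)
        if prev and prev[0] != country and ev["time"] - prev[1] < MAX_COUNTRY_SWITCH:
            findings.append((user, country, "country changed too quickly"))
        last_seen[user] = (country, ev["time"])
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOG):
        print(finding)
```

A finding here is a prompt to ask the question the article poses (did the employee travel, or is something more serious happening?), not proof of compromise.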
Third-party security and remote work
Fischer recommends checking with your third-party vendors to see what your contractual obligations are regarding remote work. Are you required to provide company devices? Do you need to purchase technologies to ensure you have the correct encryption functionalities to fulfill agreements?
In turn, you need to perform due diligence to ensure your vendors are upholding their data security and privacy requirements as well.
"It's not a bring down the hammer moment for your vendors, but it's an opportunity to make sure that data security and privacy stay top of mind for them," explains Fischer. "We are all only as strong and secure and private as our weakest link. If you have a vendor that doesn't take this seriously as they transition to remote work, then anything you do is still going to be compromised by their potential vulnerabilities."
Cyberinsurance updates to shift risk of remote workforce
When appropriate, Fischer explains, you may need to update your insurance to reflect a remote workforce. This can add extra protection and might even be required depending on the industry.
You also might be able to transfer some risks contractually; however, the most important risk mitigation decision rests with management: determining how, or if, risk should be lowered.
You may need to change where you put data, and you may need to enable stricter password policies or change where you access systems.
"We are distracted right now, and we as humans are more vulnerable to making mistakes," Fischer emphasizes.
Remote work considerations web conference
For an overview of the legal and privacy challenges of remote work, spend a few minutes viewing the SecureWorld Remote Sessions episode where Jordan Fischer does a deep dive on mitigating risk in this remote work world.
Thank you to Jordan Fischer for helping with SecureWorld's mission of connecting, informing, and developing leaders in cybersecurity.