Employees transitioned to remote work about as quickly as fears of the coronavirus spread across the globe. Downtown offices emptied as the workforce learned to juggle the challenges of working from home.
Jordan Fischer, Managing Partner for XPAN Law Group, helps her clients protect against cyber and privacy pitfalls. Additionally, her law firm has been remote-based from the beginning, so she has plenty of first-hand experience with the remote workforce.
Fischer appeared in our series of SecureWorld Remote Sessions to share her expertise about what is uncharted territory for many organizations.
Remote work vulnerabilities are top of mind for employers, and Fischer has excellent advice for mitigating risk and helpful suggestions to consider, including understanding regulations, clearly communicating policies to employees, and having a Work from Home Policy plan.
Regulations (HIPAA, FERPA, GDPR, CCPA) and remote work compliance
A letter sent out recently concerning HIPAA read, "…protections of the Privacy Rule are not set aside during an emergency."
Fischer explains you need to be aware that any changes made to the back-end of your infrastructure could affect your compliance with required regulatory policies.
Now that your workforce is remote, are you using different servers, shifting data around, or using a different infrastructure entirely? According to Fischer:
"The number one takeaway from the regulation side is these regulations are not going to go away, or be exempted, or stop being enforced during this critical time period. It's very important that you continue to follow the requirements of the law while you are also dealing with a very exceptional circumstance. As a reminder, these regulations are going to apply to both your internal operations and to any data that you are collecting."
Do remote employees understand your Work from Home Policy?
Rather than relying on technological safeguards alone, you should also explain to your staff what they can and can't do when working remotely.
If you already have a Work from Home Policy in place, Fischer recommends reviewing it right now. There is a high likelihood it does not account for the extreme situation companies are facing during the COVID-19 pandemic and beyond.
There is a big difference between having one or two employees work from home for a day or two, versus having the entire company work remotely for several weeks or months.
Fischer emphasizes the importance of having a Work from Home Policy, BYOD Policy, and Business Continuity & Disaster Recovery Plans. These topics can all be conveyed in one document, or stand alone, but you should have something in writing because the law looks for documented evidence.
Fischer suggests that if you don't have a policy, you start with guidelines and consider the following questions:
- Is it okay for employees to use a personal cell phone and/or number for work calls?
- Is any kind of home Wi-Fi allowed?
- Is working alongside a spouse or child with sensitive data on the screen okay?
- Can employees FaceTime each other, or should you require using a corporate account for work-related conversations?
- What about working in other locations, such as coffee shops, airports, and libraries?
Additionally, Fischer emphasizes another reason for documentation, especially now: it can help guide you in updating policies for the future.
How are you communicating with remote workers about security?
When it comes to our suddenly remote workforce, Fischer recommends telling end-users that no one will be in "trouble" for a mistake.
Did your 10-year-old accidentally download something onto your work computer? Did you forget your password? Things are going to happen, especially in this new world we are all adapting to, and it's far more important to report incidents than be afraid of repercussions.
Do employees know who to contact if something has been compromised? Do they know how to report an incident? Be sure to include contact numbers in your remote work policy.
If your company is able to take a personal device and audit it in the event something happens, do your employees know about this policy? Fischer explains that you must articulate this point up front in writing.
Finally, don't underestimate the importance of cybersecurity and privacy awareness education. This is a great time to send around a video for employees to brush up on their security practices, especially with all the coronavirus phishing attacks making the rounds.
"Unfortunately, we are inundated with news, we are tired and exhausted, and we're anxious, and that's the time we're going to make mistakes that are going to cause cyber breach incidents. It really is critical that you keep top of mind for your employees that they need to be very aware of where they are going, what websites, and what they are clicking on."
Web conference: remote work privacy and cybersecurity risks
To help secure your organization's employees and teams, we highly suggest you take a few minutes to watch the SecureWorld Remote Sessions episode where Jordan Fischer does a deep dive on mitigating risk in the remote work world.
Thank you, Jordan, for helping serve in SecureWorld's mission of connecting, informing, and developing leaders in cybersecurity.