When staff works within the four walls of a traditional office, there is a certain level of control over the use of technology. But, when employees work remotely, whether from a local cafe, in a home office, or even on a pillow-filled sofa, the network connections are broadened. As the number of connection points increases, the potential risk of security issues expands.
In early March 2020, I took a seemingly normal overnight business trip. A friend had asked me to fly in and visit for the day to evaluate the security and privacy posture of his company. I was onsite early that morning and worked closely with his teams throughout the day. But, to my surprise, as the workday was drawing to a close, I was told that our evening plans were cancelled, and I was hurried out of the building. An hour or so later, while eating take-out in my hotel room, the local news finally clued me in to what had caused the upset. The governor of that state, like many others, had begun to establish stay-at-home orders because of COVID-19.
The next morning, my friend called to apologize for missing dinner. He had been abruptly called in to an emergency meeting to formulate a company-wide plan for this unprecedented event. It would clearly necessitate an immediate change in work culture. He mentioned that the business had recently been in the midst of changing VPN providers. It seemed that the system test scheduled for the following week that was intended for a small and select number of people, would now likely be tested by 100% of the company with little to no time for preparation.
At that point, I began to realize that while the companies I’ve worked with had done a great job of creating policies for disaster recovery scenarios, I hadn’t ever been part of making a pandemic or emergency declaration policy in regards to security and privacy controls. In my many years of working in this field, I had helped organizations create and review existing business continuity, emergency management, and risk communications plans, but rarely, if ever, did we evaluate the impacts of an immediate temporary reduction in workforce or a higher-than-average number of employees working remotely.
It quickly became clear that companies would need to rethink and reconsider remote working issues. Employees who had no previous experience working from home became an overnight security concern for businesses. These regularly on-site employees did not have enough training on proper use of security-based technologies in remote situations. There was a loss of a conventional, secure office setting. There was an immediate introduction of unsecure systems in the network and data flows. Understandably, employees began to use any technology and hardware was easily accessible to them in order to get their jobs done.
Let’s look at conferencing systems as an example. The biggest issue here was that employees who were untrained and unprepared for an immediate switch to working at home had to quickly decide on their own what would work for their daily jobs. Without company guidance, most just haphazardly created a single sign-on account with a conferencing system linked to their work account. In adjusting to their new work situation and attempting to be resourceful, these well-meaning employees may have inadvertently allowed others to have access to company systems. It’s been widely publicized that Zoom has struggled to support the companies and clients that initially flocked to them. “Zoom bombings” became headline news. Their encryption was not dependable. Some Zoom calls may have been hosted through untrustworthy countries. Zoom’s lack of security within their own systems caused many headaches for companies and their security personnel. In some cases, companies have blocked or removed Zoom from their list of resources available to their employees.
While adapting to meetings online, newly-remote employees were also taking the work office set up into their own hands. Many workers did not want to work long hours solely on their laptops, so they started to use personal desktops and other devices to log into sensitive company assets. This introduced untrusted systems to the company network, and unintentionally disregarded traditional system securities – were these systems properly patched? Locked down? Did they have antivirus on them? Companies, like Twilio, that swiftly reacted and equipped their at-home employees certainly helped to minimize their security risks. Before the coronavirus outbreak, Twilio had approximately 10% of its employees working remotely. Overnight that number jumped to 100%. In effort to help their employees comfortably adapt to the changes to their new work environments, Twilio provided a generous $1,500 stipend for working from home. This allowed employees to purchase proper equipment to do their jobs more efficiently and, in most cases, ensured that they were using approved company systems, software, and equipment.
Eventually, as our new coronavirus reality began to set in, I started to let friends know about these issues. I’m hoping that you, too, might find some of these recommendations for policy changes and enabling a secure work-from-home environment helpful:
- Update hardware inventory – refresh the list of devices used from home.
- Create and communicate your organization’s work-from home policies and procedures.
- Review response protocol in case of data breach due to remote work.
- Mandate two-factor authentication for all employees.
- Require VPN to access all company assets.
- Determine if any personal data will flow across borders as a result of remote work in violation of privacy regulations and contracts.
- Run mandatory online training to discuss at home privacy and security risk scenarios.
- Request employees to update the software on their home routers and personal devices.
- Keep work data on work computers.
- Never leave your devices or laptop in your car.
- Lock home doors to prevent possible break-ins. Criminals realize that more expensive technology might be in homes now.
- Don’t use random thumb drives.
- Use personal hotspots or encrypt your web connection on your home Wifi.
Remote working may become our norm for a while, if not, for the foreseeable future.
Security and privacy issues should not be overlooked while companies and their employees restructure to deal with our new way of working during a pandemic. COVID-19 may be a worldwide health concern, but it is possible to keep it from causing a security concern, too.
By Dennis Dayman, Industry Privacy & Security Officer (Advisor to US Data Privacy and Integrity Advisory Committee (DPIAC)).Join Dennis next week for the Last Thursday in Privacy on May 28th where he will be joined by other subject matter experts to help you:
- Understand how large organizations are coping with the current pandemic
- Navigate the challenges that we are all now facing
- Protect your organisation with confidence
This free to attend digital event is an opportunity to sit down with the great and the good of Data Protection, Privacy & Security from; American Express, AON, CIPL, Deloitte, Hunton & Williamson, Norsk Hydro and Refinitiv. Topics covered include;
- GDPR Two Years On
- Phishing & Cybercrime
- Cookies and Consent Compliance
- Recovering from a Breach
Register Now – Join the conversation as we discuss what, if any lessons we have learned over the last few months.