Any arrangement where employees are permitted to work remotely poses cybersecurity risks and challenges. Those risks are heightened when the majority of employees are away from an office and when anxiety and disinformation are rife.
There are recent examples of phishing emails mimicking the US Centers for Disease Control and Prevention and World Health Organization. These emails attempt to lure individuals into opening attachments or redirect them to enable fraudsters to steal personal information. Phishing emails can also be used as a delivery mechanism for malware or ransomware.
Remote work means an increase in the number of devices employees are using. This provides cybercriminals with a larger number of potential targets. Cybercriminals will also be aware that many employees are now working from home, who have never, or have only infrequently, done so before. This will lead to an increase in email communication in a setting where it will be less convenient for recipients to check the authenticity of these communications. This in turn creates an opportunity for cybercriminals to prey on the unwary.
What steps can be taken to maximise safety?
It is vital that appropriate technical and administrative safeguards are in place before launching a wide-scale work from home programme. There are some measures all businesses should consider:
- Provide all remote user employees with company devices, where possible. Ensure a reliable inventory of who receives what is maintained.
- If employees must use their own devices for access, consider having them sign a proper use policy or renew their agreement to proper use and consider whether you can add an enterprise mobility software on the personal device that will be used to access company networks.
- Ensure continuity of phone message recording and logging for call centres. Have a system that users will have to call or log in to as opposed to using their own devices.
- Require access to your internal network through a VPN. Implement multifactor authentication as well as strong password policy enforcement.
- If a VPN is unavailable, encrypted web access is the next best option. Again, introduce multifactor authentication and strong password policy enforcement.
- Consider having a pop-up upon login that reminds users that the information they are accessing is confidential, belongs to your company and should not be used for any purpose other than related to their job.
- Ensure any method of connection has strong access controls. Employees should only have access to information based on their needs/position and not open access to data irrelevant to their job.
- Ensure that remote workers are subject to strong confidentiality agreements. Consider having them renew the agreement before remote usage if one is already in place.
- Retrain on cybersecurity before permitting remote access. Consider also sending out a short FAQ or reminder notice to employees as to best practices on a regular basis.
- Prepare IT teams to increase monitoring and testing of the network to be able to quickly identify and diagnose anomalous user activity. Consider regular scans of data flows for any leakage and ensure IT is prepared for ransomware/spam/phishing attacks.
- Ensure that audit trails for all actions on a VPN/web platform are maintained including, but not limited to, logins, failed login attempts, impossible IP address logins, user activity while active and upload/download activity.
Kelly Hagedorn is a partner in the data privacy and cybersecurity team at Jenner & Block