Among the many changes COVID-19 has brought, one far-reaching change for employers has been transitioning their workforces to work from home wherever possible. Unfortunately, there has been a rise in phishing and hacking attempts to take advantage of vulnerabilities that arise from these adjustments.
Even where employees had experience working remotely prior to COVID-19, it is a critical time to support all employees with reminders about appropriate privacy and security measures. In particular, now is the time to remind employees of the following:
- Use a VPN when accessing the Internet from work devices. A Virtual Private Network (VPN) is important when employees are on non-secure networks, such as those at home or those available in other public settings. Although a VPN can slow down users’ Wi-Fi speeds, using one helps protect activity by encrypting users’ internet traffic. Employees should log on to the VPN as soon as they begin work.
- Beware of phishing attempts. Phishing emails—those pesky messages from impersonators requesting information or asking users to click links—can infect user devices and, sometimes, travel through an entire network. In recent years, the attempts have become increasingly sophisticated with the correction of many of the grammatical and typographical errors that once flagged the messages as fraudulent. Given this, it is important to remind employees of a few things, including to (a) always check the sender’s email address before clicking hyperlinks or downloading attachments; (b) never follow links to secure sites where entry of usernames and passwords is required — instead type in the web address; (c) if there are any questions regarding the sender, separately email or call the sender before downloading content or providing information; and (d) hover over hyperlinks and spot-check the destination URL before clicking the hyperlink itself.
- Where possible, only allow company-approved applications and devices—particularly for video conferencing. Employees may be tempted to use their home computers or download a plethora of publicly available office-support applications, such as PDF scanner mobile applications, video conferencing tools, and messaging platforms. Remind employees that only company-approved applications should be used for work-related activity. There have been several reports tied to security vulnerabilities from video conference technologies, including uninvited guests appearing in private conversations and instances where hackers gain control of cameras. IT should explore all settings available on video conference tools and control settings, help set up accounts and account permissions, and require the use of tools available, including password protection, ensuring only invited users are able to join. Employees should also be cautioned to refrain from opening unexpected video conference invites and links. For more tips on video conference security, the Federal Trade Commission has also provided suggestions here.
- Log off devices when not in use. Roommates and family members may inadvertently access sensitive information if employees leave their devices open in the home. Employees should use the settings function on their devices, including laptops and mobile phones, to automatically lock after a short period of time. Consider having screens lock after 5 minutes of inactivity. Mobile phones should have passwords set (ideally with at least 6 numbers), and display functions should be altered so that notifications of a new email do not contain content on the locked screen.
- Save work to the system. Employees should continue saving their work on the employer’s network. Often, glitches and frustration with connection to network folders may lead employees to save work locally. Remind employees to continue following regular electronic filing system policies, even if it takes a few additional minutes to process.
- Shred documents with sensitive content. Paper files at home should be treated with the same confidentiality as they are treated in the office. Employees should take care to ensure documents with confidential information are kept out of view from family members and shredded as soon as possible. Encourage employees to use locked filing cabinets when possible and keep work files separate from personal files.
- Audit. The security process should not end after the initial set-up of basic work-from-home necessities. The IT department should perform regular audits and consider hiring third-party penetration testing consultants to identify any gaps in security. Continual monitoring and proactive identification of security weaknesses is key.
- Education and Training. All employees should receive education and training on company procedures and best practices for working from home. Consider making a remote working handbook available and easily accessible to all. Note that all levels of an organization should receive this training, including senior executives. Studies have shown that upper management is more frequently prone to commit security mishaps.
- Two-factor authentication for passwords. Many companies have implemented two-factor authentication to ensure the strength of log-in security. Some two-factor authentication password systems require mobile application downloads while others simply text a code to users. If two-factor authentication for login has not already been implemented, quickly work with IT to identify a two-factor authentication password system appropriate for the business’s workforce.
- Review incident response plan. A common saying in data breach response teams is “it’s not if, but when.” The saying stems from the fact that incidents occur quite regularly. Therefore, it is important to be prepared. Ensure the company has an incident response plan and consider updates to address vulnerabilities that arise in the remote working context. It is also important to ensure that members of the response team are properly trained to spring into action. Likewise, employees should be trained to quickly recognize suspicious activity and know exactly who needs to be contacted in order to report a potential incident. It is especially important that employees report suspected incidents immediately to their IT teams or management when working from home. A larger remote workforce means incident response can be slower or take more resources to investigate, particularly because employees are spread across a decentralized network that may now include networks and devices that the company does not own or manage.
Though these ten points contain important recommendations, we want to remind employers that one of the most important things they can ask employees to do is to stay vigilant and alert. Employees should always report any suspicious activities and when in doubt, ask for help!