As businesses institute widespread remote work policies and procedures to facilitate social distancing and “flatten the curve,” they should be mindful of increased data privacy and security risks. The risks can range from pandemic-related phishing emails to increased pressure on network architecture to user oversight as we all try to find ways to be efficient under new and stressful conditions. Hackers will try to take advantage of uncertain and sometimes chaotic circumstances.
Below is a checklist of fundamental measures businesses and employees should implement to mitigate the data privacy and security risks associated with working remotely. Most of these measures require an investment of time, not money, through adoption of sound policies and behavior adjustment. You can maintain good privacy and security as we respond to COVID-19. Here’s how:
- Multi-Factor Authentication (“MFA”). Implement MFA to ensure no unauthorized party is remotely accessing the company’s networks or user accounts. The popular Microsoft Office 365 service includes MFA for free.
- Sound Transfer Procedures. Implement two-step verification for wire transfers or other transfers of data. For example, if you get an email with an invoice, verify the request by placing a phone call to a known individual (not just a number in the email) to confirm and obtain authorization. Work with business partners to send and receive test transfer payments of small amounts (a few cents or a dollar) before transferring substantial sums.
- Maintain Confidentiality. Employees should be instructed that confidential conversations should take place in private and relatively secluded areas. Such conversations should not occur within range of virtual assistants or other IoT listening devices. Relatedly, the Office for Civil Rights of the Department of Health and Human Services has relaxed certain rules to make it easier to use technology to provide services remotely, but privacy and security requirements must still be met.
- Work from Home Means Work from Home – Your Local Café Is Cheating and Risky in Many Ways. Employees should have a secure workspace with reliable connectivity. Remote workspaces should be secure from eavesdropping. To reduce the risk of theft, employees should not leave work computers unattended, and unsecured (“public”) wireless networks, such as free wi-fi at coffee shops, should be avoided. If there is no other option, ensure employees are trained to connect using their VPN client before doing anything else.
- Who You Gonna Call? Employees should readily have access to company IT policies, procedures, and contact information of critical IT personnel to whom security incidents can be reported and who can assist with technical issues.
- Don’t Proliferate. Employees should avoid saving data locally on their computers and instead use company-approved network and cloud storage locations – the ones your company backs up regularly – as much as possible. For convenience and perceived efficiency, employees might be tempted to save data locally or on machines that are not business-issued devices. Remote workers and businesses should resist this temptation as much as possible and adjust expectations and deliverable timing to promote sound practices as we adjust to new realities.
- Does Our Insurance Cover the New Normal? Companies should review the scope of their insurance policies and coverage limitations to ensure their policies cover incidents stemming from employees working remotely.
- Keep In Touch While Staying Distant. Companies should adopt and implement policies for supervising remote employees, such as instituting frequent team calls to facilitate transparent communication, encouraging employees to report security incidents and risks, learning from experience, and providing tips and training for secure work from home.
- Don’t Get Hooked – Beware of Phishing Attacks. When employees receive emails or other electronic communication, they should be trained to identify potential phishing emails. Specifically, employees should be educated and reminded to (1) verify that the sender’s email address matches the address of a known contact (especially on mobile devices, select the sender to see the real address); (2) hover over any link before clicking it to identify the destination; (3) be wary of emails that are unusually brief, unexpected, or out of character; and (4) refrain from opening suspicious attachments. If a seemingly normal email or communication is from an unverifiable or suspicious sender, then employees must be trained to report such phishing incidents to the company. Taking these precautions can reduce the effectiveness of phishing attacks.
- Minimize Printing Confidential Information. Employees should not print confidential information, including protected health information, at home. If such information must be printed, then the paper copies should be properly secured until they are properly disposed of – for example, by using a level P-4 or better cross-cut shredder.
- Use Appropriate Encryption. Employees should not share protected health information or other types of information requiring elevated protection via email or other unsecured modes of electronic transmission. Such information should only be shared using transmission technology that provides guaranteed end-to-end encryption.
- Share These Tips and Other Useful Insight. Share this announcement and other resources discussing data privacy and security measures with all employees, team members, business partners, clients, customers, suppliers, vendors, etc. We are all in this together!