Our nation is in a completely unprecedented situation, struggling to figure out how to best respond to the spread of COVID-19. Companies that are able to are sending workers home to work remotely. But are you prepared for the security implications of going 100% remote?
This playbook is meant to help you find out what you should be concerned about, how to get your team working remotely, and how to stay secure while doing so.
What’s Required by Law?
First and foremost, it’s important to understand what the law requires of you when it comes to data security and protection. Only then can we start to understand how we can stay within those requirements while modifying the way our workforce connects, communicates, and collaborates.
Your business likely handles many different types of data. The first step is to understand which types you are working with and which rules or regulations govern each of them.
For private sector businesses, the general data types every organization should be aware of include:
- Personally Identifiable Information (PII): This can be personal or identifying data about your customers or other employees
- Health Data: Any health or personal data protected by HIPAA regulations
- Financial Data: Information about finances for your company, your partners, clients, or your customers including bank details and login information
- Client or Partner Data: Any information about your clients or partners, including their passwords, customers, or internal systems
- Intellectual Property or Trade Secrets: Any information that is vital to how your organization works that would have a negative impact if revealed to your competitors.
Security Laws and Regulations
You are subject to specific rules and regulations depending upon the types of data you handle. The list below is not comprehensive, but an example of some of the different legal requirements for how you have to handle your sensitive data as an organization.
- Gramm-Leach-Bliley Act: This act specifically applies to financial institutions, requiring companies to have a written information security plan for three areas — employee management and training; information systems; and detecting and managing system failures.
- Fair Credit Reporting Act (FCRA): The FCRA regulates how consumer reporting agencies collect, use and share consumer credit information, and how the businesses that furnish or obtain that information must protect it.
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a set of national standards for the protection of health information, enforced by the Department of Health and Human Services.
- Health Information Technology for Economic and Clinical Health Act (HITECH): This act is meant to strengthen HIPAA enforcement, addressing privacy and security concerns associated with the transmission of electronic health information.
- The Family Educational Rights and Privacy Act (FERPA): FERPA is a federal law to protect PII for students. It applies to information stored in their education records.
- The Children's Online Privacy Protection Act (COPPA): This act governs the online collection of personal information from children under 13, regulating website and online service operators that collect data from them.
- The Privacy Act of 1974: This act is the original legislation regarding safe handling of PII and establishes fair information practices for the collection, maintenance, use, and dissemination of information about individuals maintained in federal agency databases.
- Payment Card Industry Data Security Standard (PCI DSS): This standard is often referred to as PCI for short. It is administered by the PCI Security Standards Council and governs how cardholder data must be stored, processed and transmitted by any organization that accepts or handles payment card transactions. Strictly speaking it is an industry standard enforced through card-brand and acquirer contracts rather than a law, but the penalties for non-compliance are real.
Because there are so many different standards and they change constantly, most companies adopt a cybersecurity framework of best practices and controls that can be mapped to the requirements listed above. In most cases, businesses choose to follow NIST publications, such as the NIST Cybersecurity Framework, as closely as possible.
What Equipment Does Your Staff Use?
An important aspect of choosing to have your staff work remotely is deciding what device they will work from. Some companies have already provided employees with computers specifically so they can work remotely, but many have not.
An important part of the security of remote work is directly related to the security of the devices being used to do that work. Having a solid understanding of which employees have access to secure devices and which don’t is a good first step in understanding what actions you need to take to secure your new remote workforce.
The Security Problems with Remote Work
There are a host of cybersecurity concerns with allowing employees to connect remotely. There are two main areas you should be paying attention to: technical limitations and user knowledge.
From a technical perspective, connecting remotely, rather than from within a secure network, involves using different equipment and devices to communicate. Working remotely brings with it the scary prospect of using the public internet as the main communication medium.
On the flip side is the person doing the connecting. Most of your employees who are suddenly having to work remotely won’t know that their actions could inadvertently cause security problems. Employees with limited technical knowledge would find it difficult to do complex configurations to connect.
Some of the biggest technical hurdles around the security of remote work include:
Personal Device Usage: Your employees may be connecting to your network from personal laptops and mobile devices that you do not manage. Keep in mind that most personal devices are not configured to the baseline that frameworks such as NIST's recommend: full-disk encryption, current patches, endpoint protection and a screen lock, at minimum.
Wi-Fi Connections: Wi-Fi, especially public Wi-Fi, is a well-known weak point. The majority of your employees will be connecting from their home Wi-Fi, but they may never have changed the default router password or enabled WPA2/WPA3 encryption. Additionally, most home networks have a variety of other devices on the same network the user is working from: printers, smart TVs, speakers, and so on. Each of these is a potential foothold for an attacker.
Eavesdropping or Man-in-the-Middle Attacks: Cybercriminals who gain access to an unsecured or poorly secured Wi-Fi router can intercept and read any data your employees transmit that is not itself encrypted, and can redirect traffic to sites they control. Traffic inside a VPN tunnel or a properly validated TLS connection remains unreadable to them, which is why those controls matter so much.
Some of the human behavioral concerns with remote work include:
Physical Security: The physical security of devices is just as important as the technical security. Often employees will leave their devices unsecured in vehicles where someone could easily steal them.
Password Hygiene: Most people are terrible at creating secure passwords and keeping them protected. The harder the password is to remember, the more likely the person has written it down or saved it on their device somewhere. Users also commonly reuse the same password across multiple sites, so a breach at any one of them exposes your accounts too. A password manager addresses both problems: it generates unique passwords and stores them encrypted.
Scams and Phishing Emails: Employees may fall victim to attacks or scam emails. During the current pandemic, Coronavirus-related scams are on the rise. Italy has already seen a campaign where the malicious actors pretended to be officials of the World Health Organization encouraging users to download information about COVID-19 to stay safe.
Connecting Storage Devices: Employees may connect thumb drives or other external accessories that may be insecure, infected or compromised, ultimately infecting the device itself.
Installing Updates: Many users procrastinate on installing updates when their devices prompt them to, leaving their device vulnerable to attack.
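As an added example (not code from the original page), here is simple detection logic for the kind of lure described above: it scores an email's headers and body for a display name that claims a brand the sender domain is not entitled to, a sender domain that is a near-miss of a trusted one, a Reply-To pointing somewhere else, and urgency wording. The trusted-domain table, the two sample messages and the scoring thresholds are all constructed for this example; in production the table would come from your own allow-list and the score would feed a mail-gateway rule rather than a print statement.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list (constructed for this example): brand names a display name
# might claim, mapped to the domains allowed to send as that brand.
BRAND_DOMAINS = {
    "world health organization": {"who.int"},
    "who": {"who.int"},
    "centers for disease control": {"cdc.gov"},
}
TRUSTED_DOMAINS = sorted(set().union(*BRAND_DOMAINS.values()))
LURE_WORDS = re.compile(
    r"\b(urgent|immediately|download|click|verify|suspended|covid-19|coronavirus)\b", re.I)
# Characters attackers swap into look-alike domains (wh0.int, goog1e.com).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def domain_of(address: str) -> str:
    """'user@Example.com' -> 'example.com'; empty string if there is no address."""
    return address.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain: str, trusted: str) -> bool:
    """True when `domain` is a near-miss of `trusted`: confusable characters,
    a single-character edit, or the trusted name reused as a label (who-int.com)."""
    if not domain or domain == trusted:
        return False
    if domain.translate(CONFUSABLES).replace("rn", "m") == trusted:
        return True
    if edit_distance(domain, trusted) <= 1:
        return True
    return trusted.split(".")[0] in domain.replace("-", ".").split(".")


def score_message(raw: str) -> dict:
    """Return the sender, a score and the reasons behind it for one RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reasons = []
    claimed = display.lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if re.search(rf"\b{re.escape(brand)}\b", claimed) and from_dom not in allowed:
            reasons.append(f"display name claims '{brand}' but sender domain is {from_dom}")
    for trusted in TRUSTED_DOMAINS:
        if looks_like(from_dom, trusted):
            reasons.append(f"sender domain {from_dom} resembles trusted domain {trusted}")
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    text = msg.get("Subject", "") + " " + msg.get_payload()
    lures = sorted({w.lower() for w in LURE_WORDS.findall(text)})
    if len(lures) >= 2:
        reasons.append("lure wording: " + ", ".join(lures))
    return {"from": addr, "score": len(reasons), "reasons": reasons}


# Constructed sample messages, modelled on the WHO-themed lure described above.
SAMPLE_PHISH = """\
From: World Health Organization <alerts@who-int.com>
Reply-To: covid-updates@mail-relay.example
Subject: URGENT: download the attached COVID-19 safety guide
Content-Type: text/plain

Please download the attached document immediately to stay safe.
"""

SAMPLE_LEGIT = """\
From: WHO Newsletter <newsletter@who.int>
Subject: Weekly situation report
Content-Type: text/plain

This week's report is available on our website.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        result = score_message(sample)
        print(result["from"], "score", result["score"])
        for reason in result["reasons"]:
            print("  -", reason)
```

None of these signals is conclusive on its own (a marketing platform legitimately sets a different Reply-To, for instance), which is why they are combined into a score; the display-name and look-alike checks are the ones most worth surfacing to users in training, because they are exactly what the WHO-impersonation campaign relied on.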
How to Secure Your Remote Work Environment
Securing your company is not as simple as flipping a switch. We recommend taking a two-pillared approach to make sure your employees can work remotely without compromising security.
It’s important to make changes to your technology while also educating your employees about what they need to be doing on their end. Addressing one without the other would be a waste of time. Your secure technologies will be useless if your employees use them incorrectly or fail to use them at all.
An Organizational Approach
The strategies you can employ or the actions you can take as a company include:
Set Up Two-Factor Authentication: Two-factor authentication (2FA) adds an additional layer of security to your logins. It requires a second piece of proof of identity beyond knowing a password. The second factor can be a biometric identifier (like a fingerprint), a one-time code from an authenticator app or hardware token, or a temporary code sent to a mobile device (SMS codes are the weakest of these because phone numbers can be hijacked, but they are far better than nothing). You’ll want 2FA enabled for any application or device that handles sensitive data, starting with the VPN and email.
Use a VPN and Encrypted Communications: Anytime you need a device to transmit or communicate sensitive data, it should be sent over a secure Virtual Private Network (VPN) connection. A VPN encrypts everything between the employee’s device and your VPN gateway, so anyone watching the home Wi-Fi or the internet path in between sees only ciphertext.
VPNs come in two flavors: hardware and software. Software VPNs can require significant setup, which you may not be able to do at this point in the crisis; they rely on consistent updates and can be difficult to teach end-users to use. Hardware VPNs (a preconfigured appliance or router placed at the employee’s home) are typically faster to deploy, easier to use and less prone to user error, though their firmware still has to be kept patched.
You’ll also need to make sure your company’s network is set up to accept and handle this traffic. It can be as simple as deploying a virtual server within your existing network to manage the VPN traffic.
Configure Your Local Network to Use a VLAN: VLAN stands for virtual local area network. A typical home network setup allows all devices and peripherals to see and communicate with everything else on the network. By utilizing a VLAN, you can create sub-networks that isolate traffic, ensuring that none of the home devices can interact with the work machine. This requires a router or switch that supports VLANs (802.1Q); on a consumer router without that support, placing the work machine on a guest network with client isolation enabled gives a similar separation.
Use Antivirus Software: Make sure you are installing and regularly updating antivirus software on any work-furnished device.
Be Careful with Remote Desktop Tools: Remote desktop services may expose the endpoint computer to unnecessary risks, depending on how they are set up. Never expose RDP or similar services directly to the internet; they are constantly scanned and brute-forced. If your team needs them, ensure they are properly configured (Network Level Authentication enabled, strong or MFA-backed credentials, account lockout) and reachable only over the VPN connection.
Data at Rest Encryption: Make sure all of your devices have encryption for the information physically stored on that endpoint device (BitLocker on Windows, FileVault on macOS, LUKS on Linux). This helps alleviate concerns about lost or stolen devices. Any potentially sensitive information that’s stored on the device should be unreadable by malicious actors.
Data Loss Prevention (DLP): Using DLP software can help to protect sensitive data by determining what end users can share or do with the data. If a user attempted to forward sensitive information outside of the internal network, permission could be denied. Solutions like SharePoint and Microsoft 365 have some of this functionality built in.
Follow Best Practices for the Tools That You Actually Use: Many companies rely heavily on the Microsoft Office suite or Google products. Do your research and make sure you are crafting policies appropriate for your specific environment. If you are primarily using software-as-a-service (SaaS) offerings, the requirements will be drastically different than if you are managing all of your own data.
Now that you’ve taken steps to secure your network and institute the technology you need to do so, it’s time to make sure your employees are doing their part to keep your data safe. It’s important to place a big emphasis on training to ensure employees know what’s expected of them and how to maintain all of the security measures put in place.
Training on the Basics: Train your users on the security basics they need to know: password strength, recognizing phishing emails and websites, physical handling of devices, and so on.
Instructions for Connecting: Give your employees clear instructions on how they should connect, what requirements you have from their home router, and what type of connections are safer than others.
Provide a Solution That’s Fool-Proof: While it should never replace training, providing users with a solution that requires no special technical knowledge and can be secure over any connection can go a long way in reducing the problems users are able to introduce.
It’s incredibly important to remember that it does you no good to blame your employees or give up on their ability to help keep you secure. It’s your responsibility to find solutions that will be as simple and effective as possible for them to use with as little training as possible.
For those who need training, make sure they get it and make sure that you’ve clearly defined what is expected of them and why.
Provide Employees with Proper Equipment: If your employees are routinely working with sensitive data, you should consider providing them with pre-configured routers for their home use to ensure that local networks are secured properly.
Supply Chain and Partners
Now that you’ve taken care of your own network and your employees are well-positioned to keep you secure, your work isn’t done. You also need to consider anyone else you work with, like supply chain partners or vendors that have access to your network and data. Target learned this lesson the hard way in 2013, when attackers got into its network using credentials stolen from its HVAC vendor.
You should make sure that vendors or partners who have access to your sensitive data are also set up with a secure VPN solution to reach your network from a remote location, and that their access is limited to the systems they actually need rather than the whole network.
What Can You Implement Quickly for COVID-19?
Unfortunately, you don’t have the luxury of time to implement new remote work procedures. You need actions you can take immediately to help those who are working from home. So what can you do right away to help make your workforce more secure?
Find a Solution That Doesn’t Require Heavy Support
You can’t call your entire IT team back into the office to implement a large scale solution that takes days or even weeks to set up and deploy (much less maintain while they are all remote). You need a solution that’s plug-and-play.
You need a secure virtual server that can be up and running quickly, and virtually eliminates the need for centralized IT support for configuration and activation. It should have low overhead for maintenance and support so your team doesn’t need to deal with constant upgrades, updates, and patches.
Find a Solution That’s Device and Architecture Agnostic
Given that you may have multiple different types of endpoint devices that need to connect to your network, you’ll need a solution that works with all of them.
You also won’t be able to pick and choose elements of your existing network, like operating systems and servers, that you can change to support a new solution. You’ll need to make sure whatever solution you pick can work with the architecture you currently have in place.
Deploy a Solution That Requires Little Training
The best thing you can do to ensure users stay secure is to take as much of the guesswork out of it as possible. Especially in the current atmosphere, a requirement for lengthy or intense training won’t work.
Instead, give them the basics. Provide a brief Cybersecurity 101 (remotely) that teaches them some of the most important basics (e.g. always use the VPN, how to identify phishing, etc.). Make sure everyone feels comfortable enough to ask questions.
Your team should know how to report problems. Create a culture of “if you see something say something.” If a user notices suspicious activity on their device or a malicious email, they should notify the security administrators or systems administrators.
What Does COVID-19 Mean for the Future of Remote Work?
COVID-19 has taught us how woefully underprepared we were for a pandemic. It has made it clear that we need to have better contingency plans in place so that it’s possible to immediately deploy a remote workforce at a large scale in the future.
In the wake of COVID-19, when the world starts to return to normal, we’ll find that government agencies, contractors and private sector businesses alike will need plans in place for remote work. Similar to the requirement for organizations to have a disaster recovery plan in place, organizations will need to have a remote-work plan.
They will need a documented set of policies and procedures, as well as the supporting underlying technology to allow for immediate and widespread remote work. That means you should start building a solution that will support you in the immediate response to COVID-19, but be prepared to build a long term plan as well.