By the time you are reading this guidance, your business has likely been operating under a shelter-in-place order or perhaps even a governmental quarantine in response to the Coronavirus pandemic, and your staff has been operating remotely for an extended period. While it may be too soon to fully assess whether remote access and teleworking are functioning optimally for your business, it is not too soon to ensure that the process of remote access and telework is being undertaken on the enterprise level in a safe and diligent fashion. Indeed, this is a responsibility that should be addressed from the Board of Directors and C-suite level down to the factory floor.
While the topic of remote access and its impact on cybersecurity could fill up volumes, there are two aspects of remote access and telework that businesses of all sizes need to acknowledge and address immediately. First, while remote access and telework were on the rise before the Coronavirus Pandemic, they are now most assuredly an integral part of your business for the foreseeable future. Your customers and staff expect you to be able to keep your business open through remote operations, and the harsh reality is that businesses that cannot operate remotely in some capacity have less chance of success during periods of shelter in place orders, governmental quarantines and social distancing.
Second, with more staff utilizing remote access and telework during the pandemic, the likelihood of your business’s information technology and the data stored thereon being exposed through cyber-breaches and attacks has grown exponentially. There are countless articles explaining the inherent dangers of remote access and telework, but the theme that permeates them all is that working remotely comes with its own set of dangers, and that hackers and cybercriminals, who have already been relentlessly attacking businesses through email and phishing scams, DDoS attacks, ransomware and social engineering, have already increased their attacks on businesses using remote access. Simple changes in your staff’s routines caused by new procedures can throw them off balance and create an opportunity for a hacker to exploit.
So what can a business owner do to decrease the risks associated with remote access and telework while at the same time increasing its usage to keep a business operating? Here are a few ideas to get you started:
- ASSESS YOUR TECHNOLOGY INFRASTRUCTURE: As a threshold issue, an assessment of your information technology and network capabilities should be immediately undertaken by your IT department. It makes little sense to allow your staff to have access to your network remotely if your network cannot handle the increased traffic and strain on resources. If the remote access system slows down or, even worse, crashes, chaos will ensue. Determine if you have an adequate number of servers to handle access demands. Assess whether you have enough software licenses for increased access, as well as whether you have adequate bandwidth to handle multiple employees accessing your system at the same time.
- ALLOW STAFF TO ACCESS ONLY THOSE PORTIONS OF YOUR NETWORK THAT THEY NEED AS PART OF THEIR JOB REQUIREMENTS: This is essentially an extension of the Principle of Least Privilege, a well-known concept in information security. It means limiting access rights of your employees to the minimum permission they need to perform their job duties. For example, if a staff member is responsible solely for facilities and maintenance operations, that individual should not be given access or rights to access financial data and billing programs.
- IMPLEMENT A REMOTE ACCESS POLICY AND ENSURE THAT STAFF ARE FAMILIAR WITH IT: Having a comprehensive written remote access policy enhances the likelihood that everyone will act uniformly and follow the same processes. The policy will need to address eligibility for remote access, procedures for obtaining permission, what technology will be used in implementing the access, and the transmission of confidential information, among many other topics. A uniform policy is helpful for two reasons: First, it is easier to monitor multiple staff working from different locations and to detect problems if all staff are expected to follow the same procedures. In other words, an outlier will be easier to spot if everyone is trained to act the same way. Second, having a remote access policy provides a defined set of standards for your staff to follow and helps to reinforce the procedures that your business has established. It is their guide on how to operate, which they can refer to any time they need.
- MULTI-FACTOR AUTHENTICATION, PASSWORD MANAGERS, VPNs AND ANTI-VIRUS/MALWARE: If you intend to have staff work remotely, you must ensure that they all use multi-factor authentication to enable access to your system and install password managers that use encryption on their personal computing devices. Staff must also install up-to-date anti-virus and anti-malware software on their personal computing devices, and the use of VPNs (virtual private networks) is highly recommended. Presently, many software companies are offering free versions of such software in response to the pandemic.
- PERSONAL TECHNOLOGY AND NETWORK SECURITY: Set standards regarding the level of security that your staff must have installed on their personal computing devices as well as their personal network. For example, are staff accessing your system through an unsecured wireless network in an apartment building? Are they using the family computer that anyone can access, including their children who are remote-learning? Also, do not assume that your staff are using cutting-edge personal computing devices. Allow them to bring their personal computing devices to your office to be configured by your IT staff and to be scanned for the presence of viruses or malware.
- CONTINUED EDUCATION AND TRAINING IS VITAL: Last, and perhaps the single most important tip for any business to act on: train your staff today on the threats that are associated with remote access as well as on other aspects of good cyber-hygiene, then reinforce that training continuously through ongoing education. Cyber-security experts stress that while the human element of data protection is the most vulnerable part of a company’s defenses, training of staff in “cyber-hygiene” vastly improves a company’s chances of avoiding cyber-breaches.
This guidance offers just a few tips, and the list could go on for several pages if time allowed. Unfortunately, in light of the pandemic, businesses should act quickly and start the process of securing remote access today. If your business is serious about adopting a secure remote access and telework culture, it is recommended that you seek the advice of experienced counsel and information technology personnel to review your unique situation.
The members of Lindabury’s CyberSecurity and Data Privacy practice wish you, your staff and families good health and safety during the coming months and are available to answer your questions.