For state/province/national leaders, coronavirus is forcing a trade-off between public health and privacy as well as balancing the saving of human lives at the cost of temporarily limiting individual liberties. The decisions government officials make also impact the economy and most businesses. Businesses leaders, in turn, are facing difficult decisions while managing the risks and challenges this situation brings. It’s all about dealing with change.
Remember the book Who Moved My Cheese? by Spencer Johnson? It’s all about dealing with change in your work and in your life. For many business leaders it’s time to recognize that there is no going back to the pre-COVID-19 era and to instead manage change and the risks it entails.
Halting all activities carries the risk of difficulties in restarting or not being able to restart at all. Avoiding telework enhances the risk for business continuity; economists worldwide forecast that several small- and medium-sized businesses (SMBs) will go out of business as they are unable to sustain an extended period of interruption.
For many organizations, unprecedented use of telework has resulted from the COVID-19 pandemic. Dark Reading noted that “many organizations worldwide have unknowingly sent employees to work from home with already-infected endpoint devices during the COVID-19 crisis.” Since the beginning of the crisis, cybercriminals have been relentless and adapted their tactics to the COVID-19 context.
Teleworking while unprepared increases security risks; in the aftermath we will find that several businesses will have fallen due to circumstances related to a lack of baseline security.
Here are some suggestions that aim to assist in setting a baseline for telework security but are in no way comprehensive. They are meant to help mitigate – not eliminate – the risks.
Teleworking with Personal Computers
To mitigate the risk that the teleworkers’ personal equipment could compromise the company’s data and applications, a prerequisite is getting teleworkers started with a clean machine by running good antivirus software. Then teleworkers should:
- Update all their software and applications.
- Enable local disk encryption option.
- Create a separate account for teleworking (not administrator).
- Set up their Wi-Fi with a strong password and WPA2 protocol, then encrypt everything they transmit from a public Wi-Fi.
- Agree with their employer on where to place a copy of the data.
- When possible, use the organization’s mailbox
- Use a password management tool.
Teleworking with Corporate Computers
Providing teleworkers with corporate equipment can empower them to achieve all their objectives, thus, dramatically reducing the risk of business interruption.
- Use VPN to connect to corporate servers.
- Adopt dual factor authentication.
- Use only the applications installed by the company.
- Use the device only for work purposes.
- Do not allow access to other people.
- Use only the solutions provided by the company to collaborate with colleagues.
- Use only the organization’s mailbox.
Teleworking with Collaborative Tools
Risks and opportunities arise with the use of collaborative tools. On the bright side, it is finally true that distance is irrelevant.
The opportunities include:
- Ability to interact by writing/text, call, videoconference, with the possibility to create chains of discussions with one or more people (Teams, Slack, Hangouts, Skype, Jitsi, Discord)
- Option to collaborate with several people in real time on the same document/file (Microsoft 365, Google Docs, Zoho)
- Ease of sharing, preserving and storing files/documents (Dropbox, Google Drive, One Drive, Firefox Send)
Some risks include:
- Lower vigilance on access management to different resources that can be altered or shared with the wrong people
- Editing a local version of a document and compromising the integrity of the official version
- Using videoconferencing tools without proper vigilance regarding the attendance
Business Hygiene While Teleworking
Whether at home or in the workplace, a number of risks can be mitigated when people adopt a few good habits:
- Make sure you are the only person who sees the screen display.
- Confirm any transaction by phone or other means.
- Always be vigilant with company data whether digital, on paper, in conversation, conferencing, etc.
- Take special care with emails, attachments and websites that can compromise device or network security.
- Use strong passwords.
- Print only if necessary, and shred paper versions after use.
- Do not do things while teleworking what you would not do on company premises.
Other Considerations
Changes in the workplace require managers to review processes, and inform or train staff to manage inherent risks.
- Set up an incident response and crisis management plan.
- Put in place a teleworker's charter with good practices.
- Verify that company insurance covers telework.
- Respect the right to privacy and the right to inviolability of the home.
- Make sure you keep a routine because it’s too easy to let go because you’re working from home.
- Have a designated area for work.
- Don’t forget to communicate with your colleagues as isolation can become heavy.
As we slowly move toward the post COVID-19 era, we will discover how many enterprises went out of business as a result of security issues. Economists worldwide forecast that several SMBs will have gone out of business as they were unable to sustain an extended period of interruption.
For many enterprises, returning to the pre-COVID-19 business model will not be an option.
Business leaders who will have emerged successfully will have learned some lessons regarding human considerations, business continuity and cybersecurity.
Looking Forward
In the aftermath of this pandemic, businesses should:
- Determine the proper mix of telework and office work, and allow their workforce to better balance professional and private life
- Evaluate their security posture and adopt a security program to implement a comprehensive set of best practices.
Editor’s note: For more resources from ISACA related to the COVID-19 pandemic, visit our Navigating COVID-19 page.