This is a follow-on post about remote working from a LinkedIn article I wrote a few days ago as the threat of the Coronavirus/COVID-19 continues to affect citizens all over the world. Many organisations have taken the decision to let their workforce work from home or away from the office. Whilst self-isolation is likely a safer option than working in a congregated environment, it also presents additional information security challenges and increases the opportunity for attackers to take advantage of organisations operating in “crisis” mode. This blog post continues to look at what those threats might consist of and offers a few tips to protect your workforce and your organisation from unauthorised access to company information.
If your organisation suddenly has to work outside of its normal practices and remote working is enforced, the potential risks associated with access to company information by those working remotely include:
- Connecting to company servers via an unsecured connection from home
- Accessing folders and documents that you wouldn’t normally have access to when logged in on the company network
- A lack of security controls on the devices used to access company information, such as unmanaged Remote Desktop software or missing Anti-Virus software
- Employees accessing websites and applications on the same device that they’re using to access company servers and files via their company email application, whether that is a company-owned device or (if they’ve been entrusted to use their personal smart device) their personal device(s).
Of course, the opportunity to probe and (potentially) exploit organisations’ information security infrastructure in such uncertain times means that it is vital to train employees on the risks and to implement the appropriate controls to maintain a safe and secure working environment for remote workers.
With this in mind, here are a few tips from GDPRPLAN.com which you may wish to consider before authorising your workforce to work from home:
1. Set up a Virtual Private Network (VPN) between the user’s device and the organisation’s network (the organisation should have a segregated zone for VPN access to designated applications and resources).
2. Set up Role-Based Access Controls so that only nominated personnel have access to files, folders and applications on the company server/s. Organisations should consider which files, records and applications are essential to the workforce away from the office. Consider issuing hardened devices, with settings locked against further re-adjustment, to staff who need access to sensitive company information and/or personal data.
3. Don’t rely on username and password controls alone for access to the company network, its information or company-specific applications. Consider Multi-Factor Authentication (MFA) as a more protective measure.
4. Implement a Bring Your Own Device policy for staff who have been authorised to use their own device, which sets out acceptable use and which websites and applications may be accessed during office hours.
5. Staff may start receiving emails with requests, attachments or links from unfamiliar senders, or unfamiliar requests from recognised senders. The organisation needs to ensure that staff know what to do and who to contact when they receive suspicious emails or requests that seem out of the ordinary (even if the request appears to come from a reliable source).
The biggest risk when working remotely usually relates to information security being compromised as a result of human error, so training and awareness play a huge part in ensuring that remote workers are aware of their obligations to protect the Confidentiality, Integrity and Availability of the personal information of their customers, employees and suppliers, just as they would be expected to when in the office.
Of course, each organisation will have to tailor its working from home/remote working policy in accordance with its specific business requirements and tolerances when it comes to information security, but in these uncertain times the law still applies and personal information still remains just that – personal. After all, it is a legal requirement that you protect the data that you’ve been entrusted with. The UK Data Protection Act 2018 and the EU GDPR also mandate that organisations “implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed.”
GDPRPLAN.com has helped organisations with the creation and implementation of an Information Security policy as well as with training company employees and management to help with their compliance objectives and legal obligations, and even in these challenging times we have a number of options to help you too. Training can be provided via video conference or through our online training programme (which is instant and you can contact us for any current promotions/offers for multiple licences).
For more information, contact us and we will respond to your enquiry within 1 hour during working hours (Mon-Fri 8.30am-5.30pm, exc public holidays).