PHOENIX — The National Cybersecurity Alliance says, “If you connect it, protect it.” Currently, two out of 10 people work remotely from home full time, according to Owl Labs — blurring the lines between business/personal environments. This can expose both teleworkers and their businesses to unique cyberthreats and attacks. That’s why creating cybersecurity policies and procedures to reflect this new normal is essential.
Here are the top five areas to consider when writing new cybersecurity remote workforce policies and procedures.
A secure, sustainable telework policy requires all employees to work from corporate-owned devices. However, even if an organization has such a policy in place — and many don’t — additional security considerations must be addressed.
One of these is how remote devices will receive necessary updates and patches. Many on-site devices pull directly from the corporate intranet upon connecting to the network. On average, 48% of on-site systems receive patches within three days, but only 42% of remote devices are patched within the same window. While that difference may seem small, it raises the average patch time for vulnerabilities from around seven days if everything were on-site to around 38 days once off-site assets are included. This means an organization is likely to have six accessible attack vectors for every 100 systems that can grant access to its network and data for 38 days, on average. This delay exposes these devices to exploitation and significantly increases an organization’s cyberrisk.
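To make the patch-window comparison above measurable, here is an added example (not from the original article) that computes per-location patch compliance from a constructed asset inventory; the field names, hostnames and dates are assumptions.

```python
from datetime import date

# Constructed sample inventory (not real data). "released" is the day the
# vendor fix became available; "patched" is when the asset installed it,
# or None if it is still unpatched as of TODAY.
TODAY = date(2020, 10, 15)
INVENTORY = [
    {"host": "ws-001", "location": "onsite", "released": date(2020, 9, 1), "patched": date(2020, 9, 3)},
    {"host": "ws-002", "location": "onsite", "released": date(2020, 9, 1), "patched": date(2020, 9, 2)},
    {"host": "ws-003", "location": "onsite", "released": date(2020, 9, 1), "patched": date(2020, 9, 10)},
    {"host": "lt-101", "location": "remote", "released": date(2020, 9, 1), "patched": date(2020, 9, 4)},
    {"host": "lt-102", "location": "remote", "released": date(2020, 9, 1), "patched": date(2020, 10, 9)},
    {"host": "lt-103", "location": "remote", "released": date(2020, 9, 1), "patched": None},
]


def patch_lag_days(asset, today=TODAY):
    """Days from fix release to install; an unpatched asset keeps accruing lag."""
    end = asset["patched"] or today
    return (end - asset["released"]).days


def report(inventory, today=TODAY, window_days=3):
    """Per location: share patched inside the window, mean lag in days, and the
    hosts still outside the window (the exposed ones, also expressed per 100)."""
    out = {}
    for asset in inventory:
        loc = out.setdefault(asset["location"],
                             {"total": 0, "within": 0, "lag_sum": 0, "exposed": []})
        lag = patch_lag_days(asset, today)
        loc["total"] += 1
        loc["lag_sum"] += lag
        if asset["patched"] is not None and lag <= window_days:
            loc["within"] += 1
        else:
            loc["exposed"].append(asset["host"])
    for loc in out.values():
        loc["pct_within"] = round(100 * loc["within"] / loc["total"], 1)
        loc["mean_lag"] = round(loc["lag_sum"] / loc["total"], 1)
        loc["exposed_per_100"] = round(100 * len(loc["exposed"]) / loc["total"])
    return out


if __name__ == "__main__":
    for location, stats in report(INVENTORY).items():
        print(location, stats)
```

Feeding the same function a real export from the patch-management console (with "released" and "patched" filled from its data) gives the on-site versus remote split the article's figures describe.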
Another potential issue is how to address the need to retrieve devices from laid-off employees. During COVID-19, many companies have reduced their workforces, yet may not be able to physically retrieve company-owned devices due to quarantine restrictions. If an employee refuses to voluntarily surrender a corporate device, an organization must have measures in place to ensure this cannot cause a data breach or other security incident.
Address the Remote Environment
In addition to managing company assets outside of the organization’s network, the environment in which those assets operate is equally important. When working remotely, especially from home, it is easy to become lax about security practices that are routine in the workplace. Adhering to clean-desk policies and making sure to lock, log off, or shut down computers are just a few tasks that employees do in the office but may not do at home.
It’s important to make sure documented policies and procedures lay out the specific requirements for working in the home environment. These should then be reinforced with technical controls, like Active Directory Group Policies, to ensure compliance.
Your new remote workforce policies and procedures should also cover home network security. This is an excellent opportunity to enhance employee knowledge, increase security awareness, get employee buy-in by helping them protect their home network, and add further protection for remote work.
Ensure employees know how to:
- Change default ISP router passwords.
- Ensure ISP/home router firewalls are active.
- Get company-offered free or low-cost home network monitoring solutions.
- Recognize signs of home network attack.
During telework, most organizations have required employees to use VPNs for network security. A full-tunnel VPN routes all traffic from the employee’s computer through the corporate network for security scanning before sending it on to its destination. Due to the sudden need to transition to remote work, many companies lack sufficient numbers of company-managed laptops to support a fully remote workforce. As a result, many employees are working from personal devices instead.
This dual use of devices creates significant privacy concerns if all traffic from an employee-owned laptop is routed through the corporate VPN. A telework policy must contain an explicit “consent to monitor” clause explaining that traffic resulting from personal use of a laptop connected to a corporate VPN flows through the organization’s network and may be monitored.
Failure to receive explicit consent from employees may put an organization in breach of data privacy laws.
Incident Response Policies and Procedures
Most organizations’ incident response plans are based on the assumption that incident response team (IRT) members will be able to respond in person to a potential incident. With a remote workforce, especially while COVID-19 “shelter in place” orders are in effect, this may not be possible.
When responding to a cybersecurity incident involving a teleworker, an IRT may have to rely upon the remote worker, who may have limited technical knowledge, to respond to and recover from the incident. This will likely delay response times (potentially increasing the impact of the incident) and may make recovery activities, such as reimaging the machine, much more difficult to complete. To prepare for this situation, organizations may wish to create “IR kits” containing automated scripts for common data collection and recovery activities.
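One shape such an “IR kit” collection script could take, as an added example that is not from the article: it copies a list of artifact paths into a bundle, records host context, hashes every copy and writes a manifest the IRT can verify after the bundle is sent in. The artifact paths and the sample log line in demo() are constructed.

```python
import hashlib, json, os, platform, shutil, socket, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(out_dir, artifact_paths):
    """Copy each existing artifact into out_dir/artifacts, hash every copy and
    write manifest.json with host context so the IRT can verify what it receives."""
    art_dir = os.path.join(out_dir, "artifacts")
    os.makedirs(art_dir, exist_ok=True)
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(),
                "hostname": socket.gethostname(), "platform": platform.platform(),
                "artifacts": [], "missing": []}
    for i, src in enumerate(artifact_paths):
        if not os.path.isfile(src):          # record gaps instead of aborting the run
            manifest["missing"].append(src)
            continue
        dst = os.path.join(art_dir, f"{i:02d}_{os.path.basename(src)}")  # avoid name clashes
        shutil.copy2(src, dst)               # copy2 keeps timestamps for timeline work
        manifest["artifacts"].append({"source": src, "copy": dst,
                                      "size": os.path.getsize(dst), "sha256": sha256_file(dst)})
    with open(os.path.join(out_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify(out_dir):
    """Re-hash every copied artifact; returns the copies that no longer match the manifest."""
    with open(os.path.join(out_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [a["copy"] for a in manifest["artifacts"] if sha256_file(a["copy"]) != a["sha256"]]

def demo():
    """Constructed run: one sample log plus a path that does not exist."""
    work = tempfile.mkdtemp()
    log = os.path.join(work, "app.log")
    with open(log, "w") as f:
        f.write("2020-10-15 09:12:03 login failed user=jdoe src=203.0.113.7\n")  # constructed line
    out = os.path.join(work, "irkit_bundle")
    manifest = collect(out, [log, os.path.join(work, "missing.evtx")])
    return manifest, verify(out)
```

A real kit would pass the platform's log and configuration paths into collect() and zip the bundle for upload; the manifest lets the IRT confirm nothing changed in transit.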
Regulatory and Contractual Compliance
Many organizations are governed by data protection regulations that apply to certain jurisdictions. Depending on the location where sensitive data is being processed and potentially breached, different regulations may apply.
Most organizations have strategies in place for ensuring compliance with data protection and contractual regulations. However, these strategies likely rely upon the assumption that all employees and data processing occur on-site. With a remote workforce, this may no longer be valid, potentially impacting an organization’s ability to secure sensitive data and maintain regulatory and contractual compliance.
Organizations with remote workforces must establish policies and security controls to ensure that sensitive data is protected in accordance with contractual and regulatory requirements. Additionally, an organization should investigate how telework expands and impacts their regulatory obligations and put in place any additional security controls required to achieve compliance with these new requirements.
Developing Telework Security Policy and Procedures
Telework introduces a number of new security threats and considerations that must be incorporated into an organization’s security policies and procedures. As businesses contemplate a permanent or extended shift to telework in the wake of the COVID-19 pandemic, it is vital to update these policies and procedures and implement the security controls necessary to minimize the cyber risks associated with telework.