In true American spirit, companies nationwide have quickly adapted to the rapid spread of COVID-19 and transitioned employees to a work from home (WFH) model; but are they protecting data in a work-from-home world? This approach is critical to limiting the impact of the virus, and for many organizations, it is a viable workaround. The shift to WFH can be simple or challenging depending on the infrastructure and processes that were in place before the change. All organizations have sensitive data to protect, but industries like accounting, healthcare, and banking handle critical customer data daily.
In WFH scenarios, company and client data is exchanged between desktop devices and servers that reside in corporate facilities or the cloud. How that data is managed in transit and at employee homes will have a profound impact on how secure it remains. This article provides best practice guidelines for keeping company and customer data protected in WFH environments.
The most basic requirement for allowing employees to work from home is a secure remote connection, commonly referred to as a VPN (Virtual Private Network) connection. This type of network connectivity encrypts data being transmitted between the two communication endpoints (employee home office and corporate facility/cloud resources). When data is encrypted, it is scrambled using a predefined key that makes it impossible to decrypt without the corresponding key. As such, data sent through a VPN cannot be read by an unauthorized party that intercepts it. If your firm is not using an encrypted network channel, all traffic being sent and received is at risk.
Even if everyone is working from home, there is still a need for ongoing meetings to share information and make decisions. Web meetings are a great resource for sharing visual and audio information and can accommodate groups of many sizes. When using these virtual connectors, use reputable and secured resources. Whether a tool is subscription-based or free, do your homework to ensure that the communication channels are secured. A simple check that the tool's links are HTTPS-based (https://) is a good indicator that the communication channel is secured.
Remote access to company resources should be limited to devices that have been approved for such use. Employees are likely to have a variety of computing devices at home, ranging from iPads to desktop computers, but those devices should access company data resources only after prior review and approval. The simple approach is to limit remote access to company-owned assets, but a limited number of available WFH company assets may dictate otherwise. When granting access to non-company assets, make sure the device security settings and the anti-virus/malware protection match the organization's requirements. Also ensure that any access to company resources is managed through company-approved VPN resources.
Technology that protects company data is all well and good, but employees are on the front line when it comes to data access, and they represent some of the biggest risks for loss. Policies provide specific guidelines for how employees are expected to use company network, computer, and data resources. Because remote access and employee-owned devices introduce additional risk variables, it is especially important to have written policies that define acceptable use for company resources when employees work from home. Policies should be clear, concise, and easy to understand. For organizations seeking guidance, a sample (MS Word) Acceptable Use Policy can be downloaded using the following link.
It’s easy to overlook the small details. With all this talk of cyber security and securing data, paper documents are also a source of risk for customer and company data. Most offices are equipped with one or more paper shredders. Unfortunately, not all home offices are afforded the same necessities. Make sure employees are protecting data by retaining (storing in a designated box) or shredding (based on equipment at home) any paperwork that has sensitive or confidential information.
Rob Cote, President
Security Vitals (Enterprise Data Security Analytics)
M: (248) 390-7293