It is difficult to find a silver lining amongst a crisis such as the COVID-19 outbreak. However, as countless organizations elect to enable the remote workforce, or are forced to do so, we as a society are inadvertently conducting the largest business continuity stress tests in the history of our tech-enabled economy.
It is likely that some organizations will realize massive financial benefits as they determine that the physical office is no longer needed for their business. Many companies will adopt more flexible work-from-home policies once daily life returns to normal after this crisis. Sadly, several businesses will not be able to adapt and survive in this rapidly changing environment.
While we can’t predict whether the outcome of this mass societal experiment will prove the validity of remote work for a given company or become a major hindrance to operations, we can address a major concern throughout the process: is your organization considering the information security impacts of invoking its business continuity plan?
Hello VPN
Many organizations that already have remote employees are familiar with the concept of a Virtual Private Network (VPN). This technology uses a tunneling protocol to allow remote employees to securely send or receive data across shared and public networks as if they were directly connected to the corporate network. If your company is new to teleworking, this should be a major consideration, as it secures the transmission of sensitive information across the public internet. Implementing a VPN alone is not enough, however. Already, we are hearing reports of organizations that had VPN solutions in place as part of their existing remote work policy but did not anticipate the scenario in which the entire workforce would be remotely accessing corporate resources at the same time. These organizations have had to restrict VPN usage to only mission-critical employees. The last thing your organization wants to deal with during this public health and economic crisis is a breach of sensitive data. This risk can be mitigated by accurately forecasting the capacity requirements needed to support an entirely remote workforce.
Be Prepared
Have a plan:
- Establish and maintain an inventory of all the data and information assets handled by your organization
- Classify your data and information assets
- Prioritize the groups who need access to the VPN resources based on the information classification
- Proactively inform employees which groups do or do not need to access the VPN
It is acceptable to tell certain users not to connect via the VPN if they are not interacting with sensitive information. However, this communication should be proactive, rather than reactive. Otherwise, employees with a true need are put in a position where they must consider compromising the confidentiality of your company’s information in order to complete their work on time.
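As an added illustration (not part of the original article), the following Python script turns the four steps above into a repeatable check: it derives each group's VPN priority from the most sensitive classified asset the group must reach, allocates forecast concurrent VPN seats in that order, and reports which groups can be told proactively that they do not need the VPN and how many seats are still short. The classification labels, groups, headcounts and peak-usage percentage are constructed assumptions.

```python
from collections import namedtuple

# Ordered from least to most sensitive; the labels are constructed for this example.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
Asset = namedtuple("Asset", "name classification handled_by")  # handled_by: group names
Group = namedtuple("Group", "name headcount")

def group_sensitivity(assets, groups):
    """Rank of the most sensitive asset each group must reach remotely (-1 if none)."""
    highest = {g.name: -1 for g in groups}
    for a in assets:
        for name in a.handled_by:
            if name in highest:
                highest[name] = max(highest[name], CLASSIFICATION_RANK[a.classification])
    return highest

def plan_vpn_access(assets, groups, concurrent_capacity, peak_pct=80):
    """Allocate VPN seats by data sensitivity and report whether capacity suffices.
    peak_pct is the assumed percentage of a group's staff connected at the same time."""
    sens = group_sensitivity(assets, groups)
    plan = {"vpn_required": [], "deferred": [], "no_vpn_needed": [], "seats_used": 0}
    seats_for = lambda g: -(-g.headcount * peak_pct // 100)  # integer ceiling
    # Most sensitive data first; among equals, smaller groups first so more groups fit.
    for g in sorted(groups, key=lambda g: (-sens[g.name], g.headcount, g.name)):
        if sens[g.name] <= CLASSIFICATION_RANK["public"]:
            plan["no_vpn_needed"].append(g.name)  # tell them proactively, not reactively
        elif plan["seats_used"] + seats_for(g) <= concurrent_capacity:
            plan["vpn_required"].append(g.name)
            plan["seats_used"] += seats_for(g)
        else:
            plan["deferred"].append(g.name)  # would exceed capacity: scale the VPN or stagger
    total_need = sum(seats_for(g) for g in groups if sens[g.name] > CLASSIFICATION_RANK["public"])
    plan["shortfall"] = max(0, total_need - concurrent_capacity)
    return plan

# Constructed sample inventory and org chart (illustrative, not from the article).
ASSETS = [
    Asset("customer-pii-db", "restricted", ("finance", "support")),
    Asset("source-repo", "confidential", ("engineering",)),
    Asset("intranet-wiki", "internal", ("engineering", "support")),
    Asset("public-website", "public", ("marketing",)),
]
GROUPS = [Group("engineering", 60), Group("support", 30), Group("finance", 20), Group("marketing", 15)]

if __name__ == "__main__":
    print(plan_vpn_access(ASSETS, GROUPS, concurrent_capacity=80))
```

With 80 concurrent seats the sample admits finance and support, defers engineering, and reports an 8-seat shortfall, which is the number to take to the VPN capacity forecast.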
If your organization is new to remote work, then perhaps the need for a mobile device management policy has not yet been considered. A remote workforce is inherently more likely to lose company assets than office-bound employees. It is important to maintain the ability to wipe any device containing sensitive information - this applies both to company-owned laptops and to personally owned mobile devices that are used for business purposes. Many organizations already have provisions in place for bring-your-own-device (BYOD) so employees don’t have to carry an additional company phone, and many more organizations will migrate to this model as the need for a remote workforce presents itself. Important updates and acknowledgments may need to be included in telecommuting and acceptable use policies to grant the authority for remotely wiping personally owned devices in the event that they are lost, stolen, or otherwise in violation of the acceptable use policy.
New Risk
The remote workforce introduces many levels of risk to an organization’s security. As mentioned previously, remote employees are more susceptible to lost or stolen devices. Additionally, there have already been phishing campaigns launched by attackers to capitalize on the fear surrounding Coronavirus and to lure employees into divulging login credentials or other sensitive information. Network availability issues are sure to arise as employees rely on residential wi-fi networks and spotty cell coverage. Many other potential security and availability incidents may arise without the resources and added layers of protection provided by a physical office. To address these concerns, the process for reporting and responding to security events and incidents must be robust enough to adapt to an entirely remote workforce. Without face-to-face interaction with managers, IT departments, and peers, will employees be aware of all the avenues through which to report events? These reporting channels must be proactively communicated to your remote workforce, and in some cases, administering security awareness training specific to teleworking may be necessary.
If your city has yet to be significantly impacted by the Coronavirus outbreak, and you’re wondering how to prepare your organization for the potential impacts of remote work, utilize this time to your advantage. There are resources available to guide the establishment of a Business Continuity Management System (BCMS), such as ISO 22301 and the guides provided by the Department of Homeland Security and The Risk Management Society. Try to anticipate what major challenges will present themselves by having all employees work remotely for a day before it becomes a necessity. This trial run will surface any issues and limiting factors, which should be prioritized and remediated while you still have access to in-office resources.
As we reach an inflection point in our society, where the benefits of working remotely might prove to outweigh the drawbacks of stressful commutes and expensive office leases, some companies might never return to the office. Maybe this remote transition is only a temporary hurdle for the organization to overcome. Either way, it is critical to keep information security best practices top of mind to minimize the negative impacts of an otherwise unprecedented scenario.
About the Author: Michael Perleoni is a Consultant in the global ISO Assurance practice at Coalfire. He has experience leading a range of ISO certification engagements as well as serving as a trusted advisor to organizations seeking to build management systems. His clients include a range of multinational cloud providers varying from start-up to Fortune 500. Michael is a Certified Information Systems Auditor, as well as a certified Lead Auditor for standards such as ISO 27001, ISO 9001, and CSA STAR. Michael completed his undergraduate studies at The University of Georgia.