By Rickard Jorgensen, FCII, ARM, ACIArb.
Many firms permit staff to work from home, or at least to work while on the road, but the number of remote users may increase in the wake of the current coronavirus (COVID-19) outbreak.
Consequently, it’s crucial not to let the precautions designed to protect the physical health of your staff turn into a threat to the firm’s cybersecurity health.
If you have a staff member who needs to work from home specifically due to a “quarantine” situation then you can no longer use the past approach of getting them to come in once to collect their new laptop and phone, and to receive the on-site training that you hope will make them a safer teleworker.
You will need to set remote users up from scratch, entirely remotely, and that might be something you’ve not done a lot of in the past.
The following are five suggestions for working from home safely.
1. It should be easy for staff to get started
Look for security products that offer an SSP, that is a “Self-Service Portal.”
You need a service that allows a remote user to connect, perhaps with a brand new laptop they ordered themselves, and set it up safely and easily without needing to hand it over to the IT department first.
Many SSPs also allow the user to choose between different levels of access, so they can safely connect up either a personal device (albeit with less access to fewer firm systems than they’d get with a dedicated device), or a device that will be used only for firm work.
The three key things you want to be able to set up easily and correctly are: encryption, protection and patching. Encryption means making sure that full-device encryption is activated, which protects the data on the device if it falls into the wrong hands; protection means that you work with known security software, such as an anti-virus, configured to your needs; and patching means making sure that users get automatic security updates, so they’re not overlooked.
If you do suffer a data breach, such as a lost laptop, you may need to disclose the fact to the data protection regulator in your State. You will want to be able to tell clients and regulators that you took the right steps to protect that data.
2. Ensure your staff can do what they need
If users genuinely can’t do their job without access to your servers then there’s no point in sending them off to work from home without access. Ensure your remote access solution works reliably first, before expecting your users to use it. If there are any differences between current and upgraded systems, explain the difference clearly – for example, if the emails they receive on their phone will be stripped of attachments, let staff know, to avoid staff trying a “workaround.” If you’re the user, try to be sympathetic if there are things you used to be able to do in the office that you have to manage without at home.
3. Monitor what staff are doing
Don’t just leave your users on their own. If you’ve set up automatic updating for them, make sure you also have a way to verify that it’s working, and your IT team should be prepared to spend time online helping them fix things. If their security software produces warnings that you know they will have seen, make sure you review those warnings too, and decide what you expect staff to do about any issues that arise.
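The points above under “encryption, protection and patching” and “verify that it’s working” can be turned into a simple check that a remote user runs (or that IT runs over a remote session) and sends back to the IT team. The script below is an added example, not part of the original post or of any product mentioned in it. It assumes a Windows laptop with BitLocker and Microsoft Defender, an elevated PowerShell session, and two assumed thresholds (a 30-day patch window and a 7-day signature window) that stand in for whatever your own policy says. It only reads the device’s state; it changes nothing.

```powershell
# Added example (not from the original post): a read-only baseline check for the
# three controls named in the text: full-device encryption, security software, patching.
# Assumes a Windows endpoint with BitLocker and Microsoft Defender, run from an
# elevated PowerShell session. The two thresholds below are assumptions, not policy.

$MaxPatchAgeDays     = 30   # assumed: the newest installed update must be newer than this
$MaxSignatureAgeDays = 7    # assumed: anti-virus signatures must be newer than this
$findings = @()

# 1. Encryption: every operating-system and data volume must be fully encrypted
#    with BitLocker protection switched on (not merely encrypted-but-suspended).
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }
    if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
        $findings += "Encryption: $($vol.MountPoint) is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
    }
}

# 2. Protection: Defender enabled, real-time protection on, signatures recent.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += 'Protection: antivirus is disabled' }
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Protection: real-time protection is off' }
if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-$MaxSignatureAgeDays)) {
    $findings += "Protection: signatures last updated $($mp.AntivirusSignatureLastUpdated)"
}

# 3. Patching: the update service is not disabled, automatic updates are not
#    switched off by policy, and at least one update landed inside the window.
$wu = Get-Service -Name wuauserv
if ($wu.StartType -eq 'Disabled') { $findings += 'Patching: Windows Update service is disabled' }
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) { $findings += 'Patching: automatic updates are disabled by policy' }
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings += 'Patching: no installed updates recorded'
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings += "Patching: newest installed update is $($latest.HotFixID) from $($latest.InstalledOn)"
}

# Report: a short summary the IT team can collect from each remote device.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: encryption, protection and patching all OK"
} else {
    Write-Output "$env:COMPUTERNAME: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The output is deliberately a handful of plain lines so that a user can paste it into the security mailbox described in the next section without understanding the details; the IT team then knows which of the three controls needs attention on which machine, which is exactly the “way to verify that it’s working” the text asks for.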
4. Have somewhere where staff can report security problems
Set up an easily remembered email address, such as “security911@yourcompany.com”, where users can report security issues quickly and easily. Remember that a lot of cyber attacks succeed because the crooks try over and over again until one user makes a mistake – so if the first person to see a new threat has somewhere to report it where they know they won’t be judged, criticized or ignored, then it helps everyone else.
Teach all staff – both office-based staff and teleworkers – only to reach out to you for cybersecurity assistance by using the email address or phone number you gave them. Consider physically distributing a card or a sticker with the contact details printed on it. This way they are less likely to get scammed or phished.
5. You should know about “shadow IT” solutions
Shadow IT is where non-IT staff find their own method of addressing technical problems. If you have a team of colleagues who are used to working together in the office, but who end up in diverse locations and unable to meet up, it’s quite likely that they might develop their own ways of collaborating online – using tools they’ve never tried before.
Sometimes, you might even be happy for them to do this, if it’s a cheap and easy way of boosting team dynamics.
For example, staff can set up an online whiteboarding service – perhaps even one you approve of – on their own credit card and plan to claim it back later. The initial risk in cases like this is, “What if they make a security error or leak data they shouldn’t?”
But there’s another problem that lots of companies forget about, that is: what if, instead of being a security disaster, it’s a conspicuous success? A temporary solution put in place to deal with a public health issue might turn into a vibrant and important part of the company’s online presence.
So, make sure you know whose credit card it’s charged to, and make sure you can get access to the account if the person who originally created it forgets the password, or cancels their card.
So-called “shadow IT” isn’t just a risk if it goes wrong – it can turn into a complex liability if it goes right!
If you and your staff suddenly need to get into teleworking, be prepared to meet each other half way.
For example, if you’re a staff member, and your IT team suddenly insists that you start using a password manager and 2FA (those second-factor login codes you have to type in every time), then just say “Sure,” even if you hate 2FA and have avoided it in your personal life because you find it inconvenient.
And if you’re the IT manager, don’t ignore your users, even if they ask questions you think they should know the answer to by now, or if they ask for something you’ve already said “No” to, because it might very well be that they’re asking because you didn’t explain explicitly the first time, or because the feature they need really is important to doing their job properly.
The stress from dealing with coronavirus is bad enough without compounding this by creating an issue that inhibits effective cyber security.
Jorgensen & Company are not attorneys and do not offer any form of legal advice. Consult with appropriately qualified local counsel for more assistance. Rickard Jorgensen is President and Chief Underwriting Officer for the CPAGold™ program and may be contacted at (201) 345 2440 or firstname.lastname@example.org.
- Posted by jorgcpa, Apr 06, 2020