A Texas CEO’s Guide to Privacy & Security Best Practices for the Remote Workforce
Nearly two years from the onset of the COVID-19 pandemic, it's likely that a portion of your employees are still working remotely some or all of the time. As CEOs lead these distributed teams, the first challenge that comes to mind is often the team's productivity and cohesion. But there's another key concern that no CEO should overlook: implementing robust privacy and security controls for their company's and clients' data while employees are offsite.
For all its benefits, remote work can open your organization to potentially catastrophic cybersecurity breaches. Fortunately, you can prevent the vast majority of these by ensuring you take these five essential measures.
1. Invoke Multi-Factor Authentication at All Times
Multi-factor authentication (MFA), or its subset, two-factor authentication (2FA), should, without question, be required whenever a user connects to the corporate network or any other critical system. MFA requires two or more forms of credentials before a person can log in to an account, which is an important safeguard. Cybercriminals have more than 15 billion stolen log-in credentials to choose from, so if they choose yours and are able to get in with just one credential, they have the ability to take over bank accounts, healthcare records, company secrets, and much more.
Setting up MFA or 2FA is a simple process that most IT personnel can quickly implement, so there’s no excuse for not having it. What was once a market with dozens of players is now down to two major providers, Duo and Okta. They’re similar in many regards, both offering industry-leading authentication credentialing and seamless integration with almost any IT platform, along with relatively straightforward deployment, implementation, and management.
With so many external websites now accessed by employees, it's reassuring that many of them now offer some form of MFA, which helps users safeguard access to their accounts if their password is breached or stolen. Regaining access to such accounts once a password has been compromised can be difficult, as thieves will enable multi-factor options themselves and tie the account to a device they control!
2. Keep a Mindful Eye on File-Sharing Sites
From WeTransfer to Dropbox and far beyond, employees upload, download, and share valuable company data via third-party file-sharing and work-collaboration sites now more than ever. Sure, there are many upsides to these sites, such as ease of use, cost-effectiveness, and adequate security, but there's one big, thorny issue: access control. It's time to get serious about developing comprehensive policies regarding which users have access to these platforms. Measures that must be stated in such a policy include the following:
- A listing of all file-sharing/work-collaboration sites being used by the organization.
- A list of users who have privileged/administrative rights and can establish accounts on such sites, along with clear responsibilities for creation, modification, and termination of other users.
- A list of current users who have access to such sites and their applicable roles and responsibilities.
- And most important, a regular review of access rights and purging of users who should not have access for any number of obvious reasons (e.g., they have been terminated or their job responsibilities have changed).
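As an added illustration (not code from this article), here is a small Python access review that implements the four policy items above: it takes constructed per-site user exports, checks them against a constructed HR roster and approved-administrator list, and produces the accounts to purge or review. All names and data are made up.

```python
from dataclasses import dataclass, field

# Constructed HR roster (not from the article): login -> (employment status, department).
HR_ROSTER = {
    "alice": ("active", "finance"),
    "bob": ("terminated", "sales"),
    "carol": ("active", "engineering"),
    "dave": ("active", "marketing"),
}

# Constructed list of logins approved to hold admin rights on file-sharing sites.
APPROVED_ADMINS = {"alice"}

# Constructed per-site exports: site -> [(login, role, department on record)].
SITE_USERS = {
    "dropbox": [("alice", "admin", "finance"), ("bob", "member", "sales"),
                ("carol", "admin", "engineering")],
    "wetransfer": [("dave", "member", "sales"), ("erin", "member", "ops")],
}


@dataclass
class ReviewResult:
    purge: list = field(default_factory=list)  # (site, login, reason): remove access
    flag: list = field(default_factory=list)   # (site, login, reason): needs review


def review_access(site_users, hr_roster, approved_admins):
    """Cross-check each site's user export against HR and the admin allow-list."""
    result = ReviewResult()
    for site, users in site_users.items():
        for login, role, dept_on_site in users:
            record = hr_roster.get(login)
            if record is None:
                # No HR record: an orphaned or unapproved account, so remove it.
                result.purge.append((site, login, "no HR record"))
                continue
            status, current_dept = record
            if status != "active":
                # Terminated or otherwise inactive employees lose access outright.
                result.purge.append((site, login, "employee " + status))
                continue
            if role == "admin" and login not in approved_admins:
                result.flag.append((site, login, "unapproved admin rights"))
            if current_dept != dept_on_site:
                # Department changed since the account was set up: re-check the role.
                result.flag.append((site, login, "job responsibilities changed"))
    return result
```

Running `review_access(SITE_USERS, HR_ROSTER, APPROVED_ADMINS)` on the constructed data purges the terminated user and the account with no HR record, and flags the unapproved admin and the user whose department changed.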
3. Who’s Zoomin’ Who?
Video conferencing, whether with Zoom, GoToMeeting, Google Meet, or otherwise, is more common than ever. Unfortunately, so are the attendant security and privacy issues:
- Unauthorized access to private meetings, because authentication often isn't required.
- Data transmission that isn’t secure.
- Threat actors using the chat feature on these tools to spread malicious links and files.
- Hackers posting stolen videoconferencing credentials on the dark web, thus exposing a company's sensitive and business-critical information.
- Noncompliance with a laundry list of security and privacy regulations.
The solution? CEOs need to ensure that HR and IT work together in formulating best practices for video conferencing—a checklist that includes the following:
- Enforcing meeting startup rights and attendee verification.
- Not reusing meeting IDs.
- Adding meeting passwords.
- Providing privacy disclosures if meetings are being recorded.
- Using caution when using meeting chat rooms.
- Disabling unnecessary features.
- Using encryption whenever possible to secure meetings.
4. Create a Clear Remote-Work Policy
Surprisingly, many businesses don't have a sound policy for remote work, but they need one now more than ever. CEOs should encourage HR and IT personnel to develop a well-written, enforceable, and comprehensive policy, which may include the following:
- Home Networks: Employees who telework often store, process, and transmit sensitive company information over their personal networks. As such, initiatives should be in place to secure the home network. It's wise to use tools like the WPA2-Enterprise certification program to secure employees' home Wi-Fi connections, and to encourage them to turn off discoverability options.
- Malware Protection and Network Security Requirements: Anti-virus and anti-malware solutions used by employees who telework should be from an approved vendor, one that offers ongoing customer support pertaining to the installation and maintenance of the applicable software.
- Backups and Business Continuity: While teleworking, employees should be required to save information to a shared network, thereby allowing IT personnel to back up the data. Employees should be forbidden from saving information on local equipment (desktops, laptops, etc.), as such devices could be easily destroyed during a disaster or lost in a variety of ways.
5. Create Awareness Among Your Workforce
A quality cybersecurity awareness training program can provide general, enterprise-wide knowledge along with subject matter relating to specific compliance requirements or any other necessary mandates. Ultimately, a sound security awareness program should implement the core components of awareness, training, and education.
Awareness refers to keeping all employees knowledgeable and vigilant for security threats that affect the organization, especially when people are working from home.
Training refers to a set of practical resources that show employees exactly what is expected of them as they work remotely.
And lastly, education refers to continuing instruction on security issues and solutions. Cybersecurity threats are dynamic in nature—and your cybersecurity program should be too.
• • •
Remote work is now a permanent way of life for many businesses across the globe. Keeping sensitive data secure in this environment begins with a culture change in your organization. CEOs need to challenge their HR, IT, and legal departments in developing comprehensive, forward-thinking policies, procedures, and practices that deal with these sensitive issues. The challenges will only grow from here on out.