In light of the outbreak of the coronavirus and its corresponding COVID-19 disease, many organizations have heeded the instructions of their respective federal, state, and local governments and imposed mandatory work-from-home requirements on their staff. While technology can enable highly productive remote teams, if improperly implemented, this can pose considerable risks to an organization.
Even though the technical capabilities for telecommuting have existed for several decades, many organizations, for logistical or cultural reasons, have not widely embraced flexible work environments - and now they are being forced to do so quickly. This sudden shift presents enormous operational and security challenges that must be considered to minimize further business disruptions.
From an operational perspective, the following are key questions to consider:
Your critical services might be with a cloud service provider like Microsoft's Office 365, which would lessen the concerns surrounding these questions. Despite that, many concerns remain.
From a security perspective, any change from the standard way of doing business presents a greater level of risk:
The best-case answer, of course, is that they are using laptops that you provided them. If they are using their home computers, how can you be certain those computers have any protections in place like antivirus or antimalware software? If your employees are using home computers, those computers should not be shared with other members of the household, because the browsing activity of those household members and their ability to install software cannot be reviewed or checked. If your staff is storing or processing personally identifiable information (PII) in the performance of their work, you might violate the law if the computers are not encrypted. In the Commonwealth of Massachusetts, MA 201 CMR 17.00 requires PII to be encrypted when outside the secure confines of your corporate network.
If the mandatory work-from-home period lasts more than a few weeks, do you have the capability to patch your corporate computers while they're remote? Failure to do so may leave remote workers at risk of newly identified software vulnerabilities.
Many companies administer their physical security systems that control access to their office suites. Did you assign someone to ensure that the suite now stays locked 24/7?
Lastly, phishing scammers are very busy using the confluence of the coronavirus outbreak and tax season as a pretext to defraud unsuspecting victims. Ensure your employees are educated and appropriately skeptical of emails they were not expecting and of ones that look suspicious. When in doubt, delete the email or contact your helpdesk.
DGC’s IT Risk Assurance & Advisory team is available to assist business owners and their organizations during the coronavirus outbreak. If you have specific questions related to COVID-19, please contact a member of your DGC client service team or Nick DeLena, CISSP, CISA, CRISC at 781-937-5191 / firstname.lastname@example.org for more information. You can also visit our coronavirus landing page which will be continuously updated with new articles and checklists to help you deal with the impact of coronavirus on you and your business.