The Coronavirus has called into question the operational stability of our organisations:  should employees be unable to leave their homes, can businesses cope with the cultural, technological and process changes that are seemingly inevitable? 

Many businesses are encouraging or requiring people to work from home. Conferences are being cancelled and meetings are moving online.  Many businesses have a business continuity plan, but a lot of businesses still don’t.  

For those that have a plan, remote access strategies will be put to the test. For those that don’t, the urgency to create one will be pushed to the forefront and defined quickly.  If you haven’t already defined and verified your remote access solution, be sure to factor in security. 

While you certainly need to operate, you don’t want to expose the business to the risk of being compromised or to trigger an inadvertent data breach.  For example, allowing employees to take copies of data on removable drives may result in data loss should the drive be misplaced. The following should be considered as part of your strategy:

  • If your employees access sensitive data, they should be provided with a company-controlled secure laptop, inclusive of encrypted hard drives. While ideally everyone will have a laptop to work remotely, that may not be a financial reality or a necessity. If you need to prioritise, focus on the high-risk employees based on the sensitivity of the data they need to access.
     
  • Any remote access or cloud-based application should use multi-factor authentication, to validate the user’s identity. This is particularly important if you need to put emergency measures in place, such as remote desktop software to allow employees to use their own equipment.
     
  • If you have the resources, offer to have your IT department perform a security check on your employees’ home devices if the ultimate decision is that they need to work from home using their own equipment.
     
  • Try to limit the options for employees to save data out of secured locations to their own devices. The capabilities will depend on the solution you implement.
     
  • Ensure you establish and communicate clear expectations of the work-from-home strategy. While you may not be able to implement the ideal set of technical controls to manage risk, you can ensure your employees play their role and know how to work efficiently and securely when not in the office.  Empower them with the knowledge of the risk so they know how to manage it.
     
  • If possible, review and update your access policies, giving people access to only what they need.  Employing this approach of ‘least-privilege’ reduces the scope of risk should accounts be compromised.
     
  • Once the crisis begins to subside, communicate to employees that any data saved to non-standard locations during the course of the crisis be securely returned to the company and removed or destroyed from those other locations.