Best Cyber Security Practices for Working from Home in the Age of COVID-19
With the spread of COVID-19 continuing across North Carolina, additional restrictions for residents were announced on Monday, March 23, 2020, by Governor Roy Cooper. Restrictions include the closure of more businesses by 5pm on Wednesday, March 25, 2020, and a ban on gatherings of more than fifty people.
Employers have had to quickly adjust many aspects of their businesses, including how and where their employees work. An increase in telecommuting comes with a unique set of security risks that could put company data in jeopardy. Below are some areas of priority and best practice suggestions for employers to keep in mind when setting up employees to work from home.
Employers should require all remote work to be done through the use of a Virtual Private Network (VPN). VPNs allow employees to work from home while still providing them safe and secure access to the company network. VPNs protect online privacy. Data that is exchanged on the network is encrypted.
Working with a VPN service provides employers with flexible secure options including: (1) allowing employees to mask their IP addresses, (2) permitting multiple and simultaneous connections to the company network, and (3) utilizing a “kill switch” feature that can protect company data from being leaked in the event the VPN connection times out or fails.
Avoiding Phishing Campaigns
If communication is being done largely over email, an employee’s inbox is at risk of being used against them and the company. It is possible that phishing attempts will be hidden on websites that purport to have COVID-19 reporting, updates, or advisory messages. Attacks being sent across networks include:
- Fake security check emails where someone purports to be a member of the IT team noticing “suspicious activity” from the employee’s account.
- Emails that look like they were auto-generated by the employer to sign the employee up for a database or service.
- Links in the email asking the employee to click on it for more information or to act quickly.
Employees should always:
- Look to the sender. The sender may use a name of someone in the company but the actual email address is foreign.
- Hover over the hyperlinks in the email. Are the links going where they say they are going?
- Forward and ask. When in doubt, have it checked out. Ask a member of the IT team to confirm an email or website’s legitimacy before going there themselves.
Connecting to the Network
Working from home means using the home WIFI network. Employees should ensure that their home networks are secure, which includes:
- Making sure that the router is password protected.
- Regularly changing the router password to something secure. This means not using the password that was provided when the router was first installed.
- Setting the router to the highest level of encryption.
- Restricting use to only known devices.
The average amount of time spent on one’s mobile phone is largely increasing. Besides Outlook and other email clients, mobile phones are being used to house applications that support workflow such as a “key” for secure authentication applications, finance, accounting and payment applications, and other project management applications. That means that private and confidential information can live on employees’ phones. Mobile phone security is essential. Ask employees to check their phones for the following:
- Is auto-lock enabled?
- Does the lock require a passcode, password, or fingerprint prior to use?
- Are downloaded applications coming from vetted and/or reputable developers?
- Are the downloaded applications up to date? Have the updates, including security updates, been installed as they are released?
- What wireless network is the mobile phone connected to?
- Is it a home network or an unrecognized and unsecured network that allows for automatic connection (and eavesdropping by unknown users)?
Taking security steps such as these can greatly reduce a company’s exposure to potential cyber-attacks. Creating security focused telecommuting habits may take time and expense but the risk reduction is well worth it. Please feel free to contact one of our attorneys if you have any questions or concerns.
This update provides general information and does not provide tailored legal advice or establish an attorney-client relationship.