Revisit Your Policy

While many companies may already have a remote worker policy in place, creating a policy or updating your current policy to address new risks and trends is the first step toward organizing and instituting safe practices. Companies that have remote or working from home structures in place typically have employees sign an agreement that outlines company policy for conduct and behavior while working outside of the office. This allows companies to set standards and hold employees accountable to follow policy, procedures and protocols for information security and data transfers while accessing company systems or data while working remotely. This policy should be communicated to all employees as soon as possible and should be a point of emphasis.

Implement Best Practices for IT Security

Establishing strong security measures is at the forefront of maintaining data and network safety as employees work remotely. The following controls should be incorporated into your basic IT security protocol: 

• Use strong passwords and multi-factor authentication (MFA) on laptops and work applications that are used for daily activities.
• Use a Virtual Private Network (VPN), which creates additional security around an internet connection to protect the data employees are transmitting electronically.
• Remind employees to install updates, patches, and anti-virus software at regular intervals, or when prompted.
• Require employees to use a secure Wi-Fi network and discourage the use of free or public Wi-Fi, such as at a coffee shop. Networks that are private and password protected are the most secure. You may even suggest using a hardwired connection if possible to ensure security.
• Remind employees to back up information on network drives. This way, if the information is lost, devices or damaged, or an employee falls prey to a scam, all data is retrievable and backed up on company storage.

Watch for Email Security

Now more than ever it’s important to encourage employees to heighten their awareness of email security. Scams and misinformation have become an increasing concern during the COVID-19 pandemic.

Highlighting the importance of critical thinking when reviewing emails (and their links and/or attachments in particular) is a tried and true method for minimizing cyber risk. It’s easy for employees to lose focus and forget to review emails critically as they work from home. One way to educate employees on safe practices is by distributing an email phishing checklist or a reference guide of some sort to help them better identify scams and phishing emails. Some key tips to include are:

• A reminder that hackers pay attention to what is normal or part of employees’ “day to day” work environment and try to mimic it as best they can to trick employees.

• Review all email addresses to make sure the sender name and email address match (and the email address is not from a different domain than the sender’s company, etc.).
• Hover over all web addresses and hyperlinks within the email prior to clicking on them to ensure they are legitimate and match the expected link/destination/website.
• Check for accurate and appropriate branding and logos, spelling, contact information, grammar, etc. as these are telltale signs of a scam.
• Recognize “out of the ordinary” requests. Personal or account information is not typically emailed to you, and you should never be asked to share account numbers via email. When in doubt, always call and confirm first.
• Identify any pushy language, hard sell or sense of urgency; these can also be indicators of a scam.

If employees are on a VPN, most emails and information are secure. However, when sending  sensitive or confidential information, such as personally identifiable information (PII), employees should make sure that this information is encrypted and sent via secure email or utilize a secure file transfer protocol (SFTP).

Physical Security Considerations

While physical security is often handled by an employer in the office, some of that responsibility shifts to the employees in remote work situations. Encourage your team to evaluate their at-home work environment and the physical security controls they have in place, and take the following additional precautions:   

• Lock computers when you step away, even from people in your own home so that sensitive information isn’t accessible to others. Most employees handle sensitive and confidential information that should be protected even from roommates and family members.
• Assess the physical security of your devices. Do not leave equipment by windows, around food or pets, and, if you are traveling, lock devices in the trunk of a vehicle or keep them with you.
• Companies can implement compensating or mitigating controls and be the fallback by configuring:
  • Computers to auto-lock after a certain amount of time has elapsed without activity.
  • Applications, specifically those that are commonly used for accounting, sales, or human resources (Ex. Oracle, Concur, Salesforce, etc.), to timeout if left unused or inactive for a period of time.

Final Thoughts

Creating an educational, collaborative, and supportive culture around cybersecurity will help generate an awareness among employees and consequently produce a strong defense against cyber attacks — with employees and management working together towards a common goal. Your organization should communicate on the topic of cybersecurity daily, or as frequently as possible and necessary, during the COVID-19 pandemic, as this acts as a reminder to employees to be vigilant during this turbulent time.

Regardless of the scenario we’re operating in, your organization should also encourage employees to report any security incidents or potential breaches to your IT team as soon as possible. It’s better to catch these types of things early and be overly cautious than to wait — which could ultimately result in a much larger, more impactful outcome. Having strong practices and education in place will help bring awareness and keep risk at bay as people navigate these new waters.

For more information about the impact COVID-19 could have on your business, please see our COVID-19 Resource Center.

Related Reading

• Tips to Protect Your Workers from Phishing Scams Amid COVID-19

Copyright © 2020, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).