As organizations prepare for certain contingency work arrangements in response to the coronavirus (COVID-19) outbreak, companies must also focus attention on ensuring appropriate cyber hygiene. Companies are anticipating more individuals working remotely from the safety of their own homes to avoid contracting the virus and other companies are planning for potential quarantines and school closings. The flexibility of working remotely, however, involves real cybersecurity risks that companies should be aware of and work to mitigate in the face of the COVID-19 outbreak. With increased remote work, there is increased risk of employees accessing data through unsecured and unsafe Wi-Fi networks, using personal devices to perform work, and not following general security protocols established by the company. As individuals are approved or otherwise authorized to work remotely, there must be a multi-departmental focus on maintaining proper controls. Management should be coordinating with the Human Resources (HR) and Information Technology (IT) departments to establish security controls and ensure employees are properly trained on those controls in the remote work context.
Companies should have a protocol in place for secured remote access to company networks. Where possible, such connections should be through a virtual private network (VPN), which routes the connections through the company’s private network, or another encrypted connection mechanism. Where employees can remotely access sensitive information on the network, VPNs should be configured with multi-factor authentication (MFA) as an added security layer. With MFA enabled, even if an employee’s VPN credentials are compromised, an unauthorized actor will be unable to connect through the VPN without a second factor (i.e., a code sent to an individual’s smartphone, token, biometric verification, etc.). The IT Department should ensure firewalls are properly configured and monitor firewall logging to identify attempted or successful connections from unauthorized or suspicious Internet Protocol (IP) addresses. If there are regions of the country and/or world from which employees would have no reason to be remotely connected to the company network, the IT Department can proactively “blacklist” the IP ranges for those geographic regions to prevent connections. This may not be possible for a multinational company where employees may be scattered throughout the world but can be an effective measure for smaller companies or those with a regional presence.
