Rapid response to potential threats and security incidents is essential to minimizing their cost and impact. Cybersecurity policies and procedures help to speed incident response by ensuring that all parties involved know their responsibilities and how to carry them out. As businesses now consider adjusting their permanent workplace model to accommodate telecommuting, writing new remote workforce policies and procedures for cybersecurity requires special considerations, which we explore in this article.
Many companies have found allowing employees to telecommute has advantages the organization wants to adopt on a permanent basis. In fact, Gartner Research found in a recent survey of 317 CFOs and finance leaders that 74 percent plan to move at least 5 percent of their previously on-site workforce to permanently remote positions following the COVID-19 crisis.
Telework creates new security concerns and risks for an organization. Updating cybersecurity policies and procedures to reflect this new operating environment is essential.
Here are five areas you should consider for writing new remote workforce policies and procedures for cybersecurity:
A secure, sustainable telework policy requires all employees to work from corporate-owned devices. However, even if an organization has such a policy in place - and many don’t - additional security considerations must be addressed.
One of these is how these remote devices will receive necessary updates and patches. Many on-site devices pull directly from the corporate intranet upon connecting to the network. On average, 48% of on-site systems receive patches within three days, but only 42% of remote devices are patched within the same window. While that difference may seem small, this raises the average patch time for vulnerabilities from around 7 days if everything were on-site to around 38 days to include off-site assets.
Put another way, for every 100 systems an organization can expect roughly six more devices to remain unpatched and reachable from its network than it would with an all on-site fleet, each exposed for around 38 days on average. That delay leaves the devices open to exploitation of already-known vulnerabilities and significantly increases the organization’s cyber risk.
Another potential issue is how to retrieve devices from laid-off employees. During COVID-19, many companies have reduced their workforce yet may be unable to physically retrieve company-owned devices because of quarantine restrictions. If an employee refuses to voluntarily surrender a corporate device, the organization must already have measures in place, such as full-disk encryption, remote lock and wipe through its device management platform, and immediate revocation of the user’s accounts, VPN certificates and tokens, so that an unreturned device cannot cause a data breach or other security incident.
In addition to managing company assets outside the organization’s network, the environment in which each asset operates is equally important. When working remotely, especially from home, it is easy to become lax about security practices that are routine in the workplace. Following clean desk policies and locking, logging off or shutting down computers are just a few of the things employees do in the office that they may not do at home.
Documented policies and procedures should spell out the specific requirements for working in the home environment. These should then be reinforced with technical controls, such as Active Directory Group Policies that enforce an inactivity lock, a password-protected screen saver and disk encryption, so that compliance does not depend on the employee remembering to do the right thing.
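As an added illustration (this script is not from the original article and is not Avertium’s tooling), the following PowerShell function audits a Windows endpoint against the kind of home-office baseline a Group Policy Object would normally enforce: the machine inactivity limit, a password-protected screen saver, and BitLocker on the system drive. The registry locations are the ones Group Policy writes for these settings; the 15-minute threshold and the choice of checks are this example’s assumptions rather than values the article specifies.

```powershell
# Added example, not code from the original article. Audits an endpoint against an
# assumed home-office baseline normally enforced by Group Policy. The 900-second
# idle limit and the BitLocker requirement are this example's assumptions.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-HomeOfficeBaseline {
    [CmdletBinding()]
    param(
        # Assumed maximum idle time before the session locks, in seconds.
        [int]$MaxIdleSeconds = 900
    )

    $findings = @()

    # 1. "Interactive logon: Machine inactivity limit"
    #    (Computer Configuration > Windows Settings > Security Settings > Security Options).
    $machineIdle = Get-RegistryValueOrNull `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name 'InactivityTimeoutSecs'
    if ($null -eq $machineIdle -or $machineIdle -eq 0 -or $machineIdle -gt $MaxIdleSeconds) {
        $findings += "Machine inactivity limit is '$machineIdle'; expected 1..$MaxIdleSeconds seconds."
    }

    # 2. Password-protected screen saver
    #    (User Configuration > Administrative Templates > Control Panel > Personalization).
    #    Group Policy stores these values as strings.
    $ssPath    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ssActive  = Get-RegistryValueOrNull -Path $ssPath -Name 'ScreenSaveActive'
    $ssSecure  = Get-RegistryValueOrNull -Path $ssPath -Name 'ScreenSaverIsSecure'
    $ssTimeout = Get-RegistryValueOrNull -Path $ssPath -Name 'ScreenSaveTimeOut'
    if ($ssActive -ne '1' -or $ssSecure -ne '1') {
        $findings += "Screen saver is not enforced as active and password protected (ScreenSaveActive='$ssActive', ScreenSaverIsSecure='$ssSecure')."
    }
    if (-not $ssTimeout -or [int]$ssTimeout -gt $MaxIdleSeconds) {
        $findings += "Screen saver timeout is '$ssTimeout'; expected at most $MaxIdleSeconds seconds."
    }

    # 3. Full-disk encryption on the system drive, so a lost or unreturned laptop
    #    does not expose data at rest. Needs the BitLocker module (not on Home editions);
    #    a missing cmdlet is reported as a finding rather than aborting the audit.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "BitLocker protection on $($env:SystemDrive) is '$($vol.ProtectionStatus)'; expected 'On'."
        }
    } catch {
        $findings += "Could not query BitLocker status: $($_.Exception.Message)"
    }

    # One object per machine so results can be gathered centrally
    # (for example with Invoke-Command over WinRM) instead of read off a console.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage: run in an elevated PowerShell session on the endpoint.
Test-HomeOfficeBaseline | Format-List
```

The script only reports; enforcement still belongs in the GPO, because a local registry change is overwritten at the next policy refresh. Running the audit on machines that rarely reach a domain controller is a cheap way to find endpoints where the policy never applied.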
Your new remote workforce policies and procedures should also cover home network security. This is an excellent opportunity to enhance employee knowledge, increase security awareness, get employee buy-in by helping them protect their home network, and add further protection for remote work.
Ensure employees know how to:
During telework, most organizations have required employees to use virtual private networks (VPNs) for network security. A full-tunnel VPN routes all traffic from the employee’s computer through the corporate network for security scanning before sending it on to its destination.
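A full-tunnel policy is only as good as the routing table on the endpoint: if the VPN client is configured for split tunneling, or IPv6 is left untunneled, traffic bypasses the corporate inspection path described above. The following added PowerShell check (not from the original article) reads the active IPv4 and IPv6 default routes and reports whether they leave through the VPN adapter. The adapter alias 'Corp VPN' is an assumed name; use whatever Get-NetAdapter shows for your client.

```powershell
# Added example, not code from the original article. Verifies that the endpoint's
# default routes go through the VPN adapter, i.e. that a full tunnel is in effect.
# The interface alias is an assumption; see Get-NetAdapter for the real name.

function Test-FullTunnelVpn {
    [CmdletBinding()]
    param(
        # Alias of the VPN adapter as shown by Get-NetAdapter.
        [Parameter(Mandatory)][string]$VpnInterfaceAlias
    )

    $result = [pscustomobject]@{
        FullTunnel      = $false
        ActiveInterface = $null
        Ipv6Leak        = $false
        Reason          = ''
    }

    # Windows forwards via the default route with the lowest RouteMetric + InterfaceMetric.
    $v4 = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if (-not $v4) {
        $result.Reason = 'No IPv4 default route present'
        return $result
    }
    $active = $v4 | Sort-Object { $_.RouteMetric + $_.InterfaceMetric } | Select-Object -First 1
    $result.ActiveInterface = $active.InterfaceAlias

    # An IPv6 default route on any non-VPN adapter leaks traffic even when IPv4 is tunnelled.
    $v6Leak = Get-NetRoute -DestinationPrefix '::/0' -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -ne $VpnInterfaceAlias }
    $result.Ipv6Leak = [bool]$v6Leak

    if ($active.InterfaceAlias -ne $VpnInterfaceAlias) {
        $result.Reason = "Default route leaves via '$($active.InterfaceAlias)', not the VPN"
    } elseif ($result.Ipv6Leak) {
        $result.Reason = 'IPv4 is tunnelled but an IPv6 default route bypasses the VPN'
    } else {
        $result.FullTunnel = $true
        $result.Reason = 'All IPv4 and IPv6 default routes go through the VPN'
    }
    return $result
}

# Usage while the VPN is connected:
Test-FullTunnelVpn -VpnInterfaceAlias 'Corp VPN'
```

This is a routing-table heuristic. Clients that enforce the tunnel with Windows Filtering Platform rules rather than routes will not show up here, so treat a negative result as a prompt to inspect the client configuration, not as proof of a leak.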
Due to the sudden need to transition to remote work, many companies lack sufficient numbers of company-managed laptops to support a fully remote workforce. As a result, many employees are working from personal devices instead.
This dual-use of devices creates significant privacy concerns if all traffic from an employee-owned laptop is routed through the corporate VPN. A telework policy must contain an explicit “consent to monitoring” clause explaining that traffic resulting from personal use of a laptop connected to a corporate VPN flows through the organization’s network and may be monitored.
Failing to obtain explicit consent from employees may put an organization in breach of data privacy laws.
Related Reading: Gauging Risk Tolerance for Remote Workforce Security Versus Privacy
Most organizations’ incident response plans are based on the assumption that incident response team (IRT) members will be able to respond in-person to a potential incident. With a remote workforce, especially while COVID-19 “shelter in place” requirements are in place, this may not be possible.
When responding to a cybersecurity incident involving a teleworker, an IRT may have to rely upon the remote worker, who may have limited technical knowledge, to respond to and recover from the incident. This will likely delay response times (potentially increasing the impact of the incident) and may make recovery activities, such as reimaging the machine, much more difficult to complete.
To prepare for this situation, organizations may wish to create "IR kits" containing automated scripts for common data collection and recovery activities.
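To make the "IR kit" idea concrete, here is an added example (not code from the original article or from Avertium) of a PowerShell triage collector a teleworker can run on request from the IRT. It gathers volatile and configuration data into a timestamped folder, exports the Windows event logs in native .evtx form, writes a SHA-256 manifest so the IRT can detect tampering in transit, and zips the result for upload. The output location and the set of artefacts are this example's choices.

```powershell
# Added example, not code from the original article. Minimal IR triage collector
# for a remote Windows endpoint. Output path and artefact list are assumptions.

function Invoke-IrTriageCollection {
    [CmdletBinding()]
    param(
        # Assumed drop location; a real kit would use a path the IRT specifies.
        [string]$OutputRoot = "$env:USERPROFILE\Desktop\IR-Triage"
    )

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $outDir = Join-Path $OutputRoot "$($env:COMPUTERNAME)-$stamp"
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null

    # Each collector is its own script block so one failure (for example a cmdlet
    # missing on an older Windows build) is logged and the rest still runs.
    $collectors = [ordered]@{
        'system.txt'         = { Get-ComputerInfo | Format-List | Out-String }
        'processes.csv'      = { Get-CimInstance Win32_Process |
                                  Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
                                  ConvertTo-Csv -NoTypeInformation }
        'connections.csv'    = { Get-NetTCPConnection |
                                  Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
                                  ConvertTo-Csv -NoTypeInformation }
        'services.csv'       = { Get-CimInstance Win32_Service |
                                  Select-Object Name, State, StartMode, PathName, StartName |
                                  ConvertTo-Csv -NoTypeInformation }
        'scheduledtasks.csv' = { Get-ScheduledTask |
                                  Select-Object TaskName, TaskPath, State,
                                      @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
                                  ConvertTo-Csv -NoTypeInformation }
        'localusers.csv'     = { Get-LocalUser |
                                  Select-Object Name, Enabled, LastLogon, PasswordLastSet |
                                  ConvertTo-Csv -NoTypeInformation }
        'autoruns.txt'       = { foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                                                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                                                'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                                                'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
                                      "[$k]"
                                      Get-ItemProperty -Path $k -ErrorAction SilentlyContinue | Format-List | Out-String
                                  } }
    }

    $errors = @()
    foreach ($entry in $collectors.GetEnumerator()) {
        try {
            & $entry.Value | Out-File -FilePath (Join-Path $outDir $entry.Key) -Encoding utf8
        } catch {
            $errors += "$($entry.Key): $($_.Exception.Message)"
        }
    }

    # Native .evtx export keeps full record metadata for the IRT's own tooling.
    # wevtutil is a native command, so check its exit code rather than relying on try/catch.
    foreach ($log in 'Security', 'System', 'Application') {
        & wevtutil.exe epl $log (Join-Path $outDir "$log.evtx") 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { $errors += "$log.evtx: wevtutil exit code $LASTEXITCODE" }
    }
    if ($errors.Count -gt 0) {
        $errors | Out-File -FilePath (Join-Path $outDir 'collection-errors.txt') -Encoding utf8
    }

    # SHA-256 manifest so modification of any artefact in transit is detectable.
    Get-ChildItem -Path $outDir -File |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { "$($_.Hash)  $(Split-Path $_.Path -Leaf)" } |
        Out-File -FilePath (Join-Path $outDir 'manifest.sha256') -Encoding ascii

    $zip = "$outDir.zip"
    Compress-Archive -Path $outDir -DestinationPath $zip -Force
    return $zip
}

# Usage: run from an elevated PowerShell session (exporting the Security log
# requires administrative rights); the returned path is the archive to upload.
Invoke-IrTriageCollection
```

Signing the script and distributing it through the device management platform ahead of time, rather than emailing it during an incident, avoids teaching users to run unsigned scripts sent by someone claiming to be the security team.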
Related Reading: 3 Differences in Incident Response for a New Remote Workforce
Many organizations are governed by data protection regulations that apply to certain jurisdictions. Depending on the location where sensitive data is being processed and potentially breached, different regulations may apply.
Most organizations have strategies in place for ensuring compliance with data protection and contractual regulations. However, these strategies likely rely upon the assumption that all employees work, and all data processing occurs, on-site. With a remote workforce, this may no longer be valid, potentially impacting an organization’s ability to secure sensitive data and maintain regulatory and contractual compliance.
Organizations with remote workforces must establish policies and security controls to ensure that sensitive data is protected in accordance with contractual and regulatory requirements. Additionally, an organization should investigate how telework expands and impacts their regulatory obligations and put in place any additional security controls required to achieve compliance with these new requirements.
Telework introduces a number of new security threats and considerations that must be incorporated into an organization’s security policies and procedures. As businesses contemplate a permanent or extended shift to telework in the wake of the COVID-19 pandemic, it is vital to update these policies and procedures and implement the security controls necessary to minimize the cyber risks associated with telework.
Check out our webinar-on-demand, “Remote Workforce + Data Breach: A Perfect Storm”, to listen to legal, data privacy, and cybersecurity experts as they discuss how to adapt an Incident Response Plan for the remote workforce model so you can Show No Weakness.
Corey is the primary point of contact and consultant for Avertium's largest enterprise security customers and he directs a team of highly skilled consultants providing a full stack of expertise to security and compliance projects.