As social distancing forces more employees to work remotely during the coronavirus pandemic, businesses are forced to grapple with another issue: cybersecurity.
After all, working from home may keep employees productive and companies in business, but operating away from the watchful eye of information technology pros could leave those firms even more vulnerable to technology-related issues.
ROI-NJ talked with Steven Teppler, chair of Roseland-based law firm Mandelbaum Salsburg’s Privacy and Cyber Security Practice Group, about what businesses should watch out for during this crisis.
ROI-NJ: What cybersecurity issues do companies need to keep in mind if employees are forced to telecommute?
Steven Teppler: When employees are using “BYOD” — bring your own devices — there is always a risk that those devices are not well-protected: updated — patched, not using dodgy programs — and even where cloud computing is utilized, the risk of malware attacks is heightened.
Those concerns are likewise amplified for companies that use/store sensitive personal information — financial, personal, health care and employment information and records. Business continuity and disaster recovery contingency plans — remote, air-gapped backups — should already be in place, and should be tested and strengthened where possible.
ROI: What are major issues employees should be aware of?
ST: Be aware that social engineering, in particular COVID-related phishing ‘alerts’ or ‘offers’ — think even masks, or toilet paper — are on the rise, and clicking on links or opening attachments exposes even protected networks to malware.
ROI: Are there reasons a company might be forced to keep an employee on site?
ST: Companies that are centralized and have no ability to remotely administer their networks may need to have personnel on site; in particular, if there is a malware attack, or a physical disablement or malfunction, remote admin capabilities, absent a ‘hot’ backup site, would likely necessitate on-site personnel at times.
ROI: Should companies provide equipment to remote workers, or require a certain standard in personal hardware or software?
ST: Either a protected method of using BYOD devices, or, preferably, have an appropriate number of properly configured ‘emergency use only’ laptops for employees to use at home (would be best). Company-owned laptops … can be configured to be both secure, encrypted and, in the event of loss or compromise, disabled.
Some people are still using Windows 7, which is no longer supported by Microsoft. Security risks exist even using a secure, cloud-based solution. Moreover, proper monitoring and enforcing update and patch management even for those using the latest (operating system) and software is difficult and resource-intensive at best, and illusory at worst.
(Also) where essential employees do not have broadband at home, provide them with mobile hotspots. While this is a more expensive route for an organization, the productivity loss over even a short period of time, together with enhanced security, will far outstrip the sunk cost.
ROI: Finally, is there a bottom line that companies need to be aware of right now?
ST: We’re operating in a technology environment that, to date, has only been theorized, at least in the civilian realm. Expect the unexpected.