Now more than ever, it is important for organizations of all sizes to practice sound cybersecurity hygiene. And although cybersecurity is just one of many issues challenging company operations in response to the spread of COVID-19, it is an issue for which an ounce of prevention is worth a pound of cure.
The U.S. Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST) recently issued guidance for information security when employees work remotely. The FTC guidance focuses on what employees can do, while the NIST guidance provides recommendations to organizations. Both are summarized below. But here are some steps to take now, to reiterate to employees the importance of staying safe online:
- Communicate with employees about the increased risk of cyberthreats when working from home.
- Offer practical tips like: don't open emails from senders you don't know; flag suspicious emails to your IT department; if you are asked to provide sensitive information, be sure the request is legitimate (for example, by calling the sender to confirm).
- Consider conducting refresher training to remind employees about the company's policies around information security.
The FTC guidance, in the form of a blog that can be accessed here, stresses good cybersecurity hygiene. Best practices mentioned in the guidance include:
- keeping software up to date (i.e., installing patches when made available);
- using strong, unique passwords;
- securing portable devices like laptops and mobile phones (including password-protection, locking after time out, and keeping the device physically secure);
- physically securing hardcopy versions of sensitive information when working remotely, and disposing of them appropriately (i.e., shredding).
The NIST guidance, accessible here, makes several recommendations from an organizational perspective, starting with the premise that all information security policies around teleworking should be based on the assumption that external environments contain hostile threats. By thinking in this way, organizations can implement measures to mitigate such threats instead of reacting in the event of an incident. The NIST guidance also recommends that companies:
- Develop telework security policies defining the permitted forms of remote access, the types of devices that can use each form of remote access, and the level of access each device will be granted.
- Ensure that remote access servers are secured effectively and configured to enforce telework security policies.
- Secure organization-controlled telework devices against common threats and maintain security regularly.
As employees become more isolated while working from home and for longer periods, the importance of communication grows. The key message for individuals is to be as vigilant as ever, if not more so, about tricksters operating on the internet; for organizations, it is to tighten cybersecurity controls.
If you need assistance on these or other privacy issues, please don't hesitate to contact Camila Tobon.