
June 18, 2020

Mitigating Cybersecurity Risks in a Remote Work Environment

Organizations that have transitioned to hybrid or remote work settings must actively evaluate their cybersecurity defenses and strategies to support their evolving mode of operation and the risks that come with it.

Some shifts to virtual work environments have been more challenging than others, particularly when employees have had to shoulder responsibilities previously spread across multiple team members, or when streamlined processes have been replaced by less efficient work-arounds.

Even organizations with a history of remote work capabilities may have overlooked certain aspects in their rush to accommodate a fully remote workforce — the primary concern was ensuring that the solutions were functional, but were they secure? Was the selection and configuration process thoroughly vetted? Do the current solutions align with the organization’s security standards?

Consider the following action plan to proactively address cybersecurity risks in today’s virtual IT environment:

  1. Management should start with an analysis of what has changed since the transition to wide-scale remote work.
  2. A risk assessment and plan of action should then be established. This demonstrates due diligence: it provides a clear record of when each issue was identified and shows that the organization did not defer taking action.
  3. A cybersecurity assessment will help identify those changes and potential gaps at each layer of defense. For example, most organizations assume an unsecured Wi-Fi connection, and a virtual private network (VPN) with multifactor authentication is a common access strategy. A VPN establishes a secure, encrypted connection between your device and a private server; however, endpoint security is still a risk. Personal devices may be in use and may not be updated with the latest security patches. Also, each member of a household may have multiple devices, gaming systems, smart speakers, etc., expanding the digital footprint. Phishing and ransomware attacks are on the rise, requiring both preventive and detective controls.
  4. Policies and procedures should be reviewed to ensure they sufficiently address remote work, asset management, use of personal devices, authentication, encryption, data handling, privacy, and monitoring. Security awareness and training should also be updated to remind users of their responsibilities and of the tools available to them.
    • Compliance with privacy laws, including HIPAA, should be evaluated in light of team members working from home in shared spaces, printing documents, collaborating with third parties, and discussing confidential information on calls. Sensitive data that is accessed and shared must be controlled and auditable. File download and sharing must be secured. Also, changes in third-party access controls and physical security should be assessed, including a detailed review of SOC reports for updates related to changes driven by the coronavirus.
    • Have business processes like accounts payable changed as a result of the new work locations? Some organizations had manual approval processes that now need to be performed electronically. What risks do these process changes introduce, and are they effectively mitigated?
  5. Now that business continuity and disaster recovery plans have been exercised, organizations should perform a post-mortem analysis to identify lessons learned, perform root cause analysis, and update their plans. Critical dependencies on personnel, third-party service providers, technology, and physical locations should be analyzed, along with the sufficiency of communication plans.

Just as we have settled into a new routine, organizations are continuing to update and rethink their work environments: Do people need to come back to the office, do they want to, and are they able to return?

As hybrid work continues to be the new normal, management must be ready to support a remote team long-term. Policies and procedures should be established to ensure security awareness and compliance. Management must be equipped with the tools to support monitoring and deliverable management in order to measure productivity, while also maintaining the firm's culture and employee morale during this stressful time.

Kim Mobley

Partner