COVID-19 and the risks of an expanded remote workforce
Increased precautions to slow the spread of COVID-19 have forced unprecedented reliance on technology and remote connectivity (e.g., work from home arrangements and telehealth services) across all industries and in the private sector. This rapid and significant shift raises enhanced privacy and cybersecurity concerns.
Among the areas of focus: the expanded remote workforce.
Here are some things to consider:
Increased Remote Connectivity.
If your non-essential workforce members are still on-site, test your remote connectivity capabilities, bandwidth, and server capacity; confirm you have the IT infrastructure and concurrent licenses and subscriptions to support increased users. As companies move to work-from-home arrangements, workforce members who are not accustomed to working from home will suddenly have remote connectivity, potentially without training on the relative lack of security of personal accounts and home technology. Consider pushing out training materials and reminding the workforce of company policies on secure and appropriate remote work, including:
• Approved technology and software and communication of sensitive company information via internal electronic communication platforms
• Confirming no sensitive information is visible to non-authorized users via video conference and screen-sharing
• Use of public Wi-Fi networks
• Avoiding use of personal devices and accounts to download or transmit company information
• The ability to store, download, or copy data from company systems to personal devices
• Use of encrypted email
• Print-from-home options and storage and proper disposal of paper files
• Logging out of computers at the end of the day or during breaks to prevent non-employee access
• Consider working on and talking about sensitive company information out of earshot of those present in the home as well as virtual assistants and other visual or voice-enabled IoT devices
• Practice good security hygiene (discussed in a future installment)
• Ensuring cell phones, tablets, and laptop computers that can be used to access work systems are stored securely when not in use
Develop a list of FAQs your IT help desk is receiving, and make those available to workforce members to avoid overwhelming IT with repeat questions. Offer your virtual private network (VPN), virtual desktops interfaces (VDI), or other remote access to company systems and enable multi-factor authentication. Also, use technology where possible to enforce and enable company culture (e.g., chat, video, and conference systems to enable communication).
How COVID-19 increases cyber risk and tips to protect yourself
Broadband providers may be lifting data caps, but bandwidth limits should be considered in remote operations planning. Remote workforces are competing with other online uses, including schools moving to online learning, increased telehealth usage, and streaming services. This increased dependence on and use of technology and remote connectivity will slow users and test bandwidth limits.
If bandwidth becomes an issue, consider workforce communications and monitoring to control video streaming and other data-intensive activities. For example, ensure that workforce members know that personal online activities should be done on their own devices. Additionally, guidance to help workforce members minimize non-essential home internet use during working hours may also be effective (e.g., limit children’s video streaming to standard definition, turning off internet-connected devices like video game systems that can automatically update during the day without notice, etc.).
With an increased remote workforce comes increased exfiltration of data historically only accessible via more secure and monitored processes. While remote access is necessary for businesses to function amid the COVID-19 pandemic, it is important to consider appropriate access.
Health and life sciences entities are familiar with the minimum necessary concept, but now is a time to reassess access needs. Adjust and monitor role-based access to match job duties. Consider whether you can restrict access to high-risk systems with sensitive data or mission-critical designations to workforce members with appropriate training and need to know. You can adjust access rights as the situation continues to unfold.
Plan and Prepare for Failure
Be prepared for failures and overload on system resources. Not everything will work. Test your backups, identify redundancies, and implement your emergency mode operations plans to support business continuity.
Many businesses have sent workforce members home but keep IT personnel and skeleton operations teams on site. Businesses should prepare backup plans (a Plan C) in the event of shelter-in-place orders or workforce sickness/exposure that limit the ability of an on-site IT presence. Identify mission critical systems and team members, and set redundancies and backups where possible.
Find Your Culture
Remember your workforce may be scared, responding to lack of normal human interaction, and adjusting to a new work-from-home lifestyle. Try to find ways to foster moments of normalcy between coworkers.
Test connectivity, train workforce on remote access, consider bandwidth limits, consider effects of increased workforce exfiltration of data and reassess role-based access designations for current conditions, test redundancies and backup plans, acknowledge increased security exposure due to remote workforce, and remember your culture.
Meghan O’Connor and Simone Colgan Dunlap are attorneys with Quarles & Brady. For assistance, contact Meghan O’Connor at 414.277.5423 or email@example.com and Simone Colgan Dunlap at 602.229.5510 or firstname.lastname@example.org. For more information, visit https://www.quarles.com/covid-19-guidance-for-clients/ for comprehensive, free-to-access COVID-19 resources.