It’s Time to Write a Telecommuting Policy

When risk analysts evaluate a crisis situation, the first thing we look at is health and life safety – that’s always priority number one. But once a situation has moved beyond the immediate danger, how do we keep the business running while minimizing risk?

This week when speaking at the WSJ Pro Cybersecurity conference, our pre-panel discussions naturally turned to the current pandemic situation. Some attendees greeted each other with elbow bumps rather than handshakes, and hand sanitizer was on every table. But some of our panel discussion centered on the impact of a pandemic on cybersecurity.

For the first time, we have companies who have never encouraged or considered telework before telling employees to work from home. This addresses that first protocol – health and safety. But to protect the resiliency of your business, you have to do more than that.

Any time a crisis situation makes the news, we see an uptick in spam and phishing emails attempting to get users to give up information or dollars in either to “protect themselves” or to support of a cause. Emotionally, we are all feeling additional strain and the risk of an employee clicking on a malicious link to learn more or providing information they shouldn’t is already elevated.

Now we have hundreds of thousands of employees who may have never worked outside an office being sent home with a laptop and (hopefully) a VPN connection and told to work from home. If I’m a potential attacker, this is a great opportunity for me: unsecured connections, lack of encryption, users unfamiliar with secure remote work, and all that confidential data floating around.

How do companies manage the additional cyber risk? If you have a stake in running a business or managing your company’s IT, here’s what to do today:

1. Get Ready. Remind employees of basic security protocols – don’t click on links, get news from legitimate sources, don’t provide information in response to unsolicited emails OR phone calls.

2. Get Educated. Review your telework or remote access policy and user rules of behavior.  It is absolutely critical for employees to know what to do (i.e. use the company VPN) and not to do (don’t connect to open wi-fi or let their kids use their work computer). If you don’t have one, get to writing. The National Institute of Standards and Technology (NIST) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security is a great place to start if you don’t have one. Send it out so employees have it for reference.

3. Review Security Protocols. When there is a significant change in a system or the threat levels change, risk management best practice is to review the current security protocols in place to ensure effectiveness. In other words, are we still doing enough or do we need to lock down a little tighter? If your company doesn’t have a VPN, how will employees securely access information needed? Evaluate your auditing protocols, spam filters, access controls, and VPN capabilities.

These three things are a great start to lower the risk in teleworking. Communicating expectations and educating users will go a long way in keeping your business (and employees) healthy and more resilient.

WSJ Cybersecurity Pro
Heather Engel is a strategic advisor to government and industry clients on risk management, cyber planning, and security program development; and is an author and a keynote speaker at industry events around the country. She is the founder and Managing Partner at Strategic Cyber Partners, LLC and a recognized subject matter expert in NIST frameworks, FedRAMP, and Payment Card Industry security standards. She has over 18 years of experience in information technology and security and is experienced in both the private and government sectors. Ms. Engel graduated from the Pennsylvania State University and holds a Master of Business Administration from Florida Institute of Technology. She is a governor-appointed member of the Board of Directors of the Virginia Economic Development Partnership, where she chairs the Legislative and Policy Committee. Volunteer work includes Mary Baldwin University’s Cyber Security Program Advisory Committee and the Coastal Virginia CCI Leadership Council as subject matter expert on cybersecurity. She is also a member of the CIVIC Leadership Institute Class of 2020.