On episode 73 of the CCO Buzz, Compliance Consultant Adam Stutz walks us through cybersecurity considerations for working from home during COVID-19.
CCO Buzz: Hello and welcome back to the CCO Buzz! As COVID-19 continues to change the professional landscape in many ways, more and more firms have shifted to working remotely. On this episode, Compliance Consultant Adam Stutz is here to address cybersecurity considerations for working from home due to COVID-19. Stay safe, and enjoy the episode!
Adam Stutz: As we live through these unprecedented times, many firms are shifting to remote working, which is allowing firms to have more flexibility in continuing business operations from remote locations and limiting employee and client exposure to COVID-19. This shift is also creating additional cybersecurity risks and vulnerabilities.
Cybersecurity is an integral component of a firm’s overall business continuity and disaster recovery plan, or “BCP,” and should be approached with the same amount of rigor and scrutiny as it would be under normal business operations. As CCOs and ISOs, some of the questions you may be asking include:
- Do I create an inventory of my employees’ personal devices?
- How do I monitor my employees’ home networks?
- How secure does a home network have to be?
- What is the best way for my employees to access our firm’s network?
- What should I do if an employee experiences a cyber-incident?
- How do I ensure that my clients’ information remains protected and secure while my employees are working from home?
During normal business operations, inventories of equipment and software are an essential component of any cybersecurity program. Inventories allow firms to track the numbers, models, and access points for all devices that are currently accessing a firm’s network, and identify risk factors and vulnerabilities with those devices and access points. Consider documenting and creating an inventory of your own devices for your employees while they’re working remotely.
When creating the inventory consider having employees complete a questionnaire. Maybe this questionnaire would request information about the devices that are being used remotely, including laptops, desktop computers, smart phones, tablets, and even the Wi-Fi routers and modems for the employees. Ask about how the devices are being used. Include questions like:
- What are the makes and models of your devices as well as serial numbers and service tags?
- How are you accessing the Internet from home?
- Is your Wi-Fi password ten or more characters and does it contain uppercase and lowercase letters, numbers, and symbols?
- What software or applications are you using? How have they been installed on your personal devices?
- What kind of anti-virus and anti-malware software do you have installed?
- Are you using wireless devices to connect to your laptop, including printers, scanners, fax machines, and/or mice?
- How are you accessing the firm’s networks? Are you using a VPN, web browser, or a desktop program?
Asking employees also about their remote workspace, is an easy way to assess whether there are privacy concerns that need to be addressed. Documents containing PII should be maintained in the same secure manner as they would within a normal office environment.
On completion of the inventory, CCOs, ISOs and IT Providers should work together to determine whether there are existing risks and vulnerabilities that need to be addressed. For example, additional or updated software might be needed to add to an employee’s personal devices. Additional security patches might need to be deployed, and companies may need to issue new hardware in order to be able to control the devices.
Training is also an important aspect of a firm’s cybersecurity program and is especially important in a remote working environment. When thinking about training for employees while they’re at home, consider subjects that you would also consider under normal business operations, such as:
- Cybersecurity threats [and] identifying red flags;
- Making sure that protection controls are in place, including encryption protocols and strong passwords;
- Maintaining device management policies;
- Understanding and allowing users access only based on their job responsibilities;
- Reviewing the firm’s incident response procedures;
- Discussing the use of multi-factor authentication for certain software and personal devices;
- Best practices for maintaining client privacy while working remotely; and
- Talking about how encryption should be strengthened and password protocols should be enabled for home networks.
Firms and their employees remain responsible for maintaining client confidentiality and ensuring that their networks remain secure. When providing training to employees as they adapt to this new remote work environment, it’s a necessity to ensure that the training strengthens their understanding of the cybersecurity program, so that cybersecurity remains robust for the firm.
CCOs and ISOs should also take into consideration some additional factors. Think about performing a focused risk assessment to help ensure potential additional vulnerabilities and risks are identified and addressed. Look to external resources, such as the SEC [and] state regulators, as well as information issued by the Cybersecurity and Infrastructure Security Agency, or “CISA”, which provides guidance for small to mid-size businesses on what to evaluate when conducting cybersecurity risk assessments. Also consider running tabletop exercises for your incident response plan, in light of changes to your business structure due to COVID-19, to determine whether their IRP’s identification, containment, eradication, and post-recovery procedures are still effective. Document any exercises based on your firm’s findings to update your IRP.
If you’re interested in finding out more information about how Core Compliance can assist you with your cybersecurity program while your employees work remotely during COVID-19, please contact us at (619) 278- 0020, or visit our website at www.corecls.com.
CCO Buzz: Well that’s it for this week’s episode. If you’d like additional information, please check out our website at www.corecls.com. You can also follow us on Facebook, LinkedIn, or Twitter @CoreCls. Thank you, and we hope you tune-in to next week's episode of the CCO Buzz.