The pandemic is far from over. Even if it were, the sea change in corporate workforces that COVID-19 has facilitated will forever change how work is done, with more of that work being done from home. This means that corporate governance policies, security risk management strategies and protections must be equally malleable.
Here are six questions chief information officers should ask themselves to assure that corporate governance and security are up to the task for remote work:
1. Have you performed a risk assessment of your networks and remote work configurations?
- How well protected are your network endpoints and IoT (Internet of Things) devices? Endpoints are the most likely entry points for malware and data theft, and these exposures can increase exponentially when employees work with devices from home.
- Do you use a trusted network for home access? A majority of trusted network use is occurring within corporate walls. Trusted networks admit only properly authenticated users, and only to the degree that their access levels allow them to be admitted. These networks use firewalls and encrypt data. There is a strong case for trusted networks being extended out to home workers to strengthen overall network security and data protection.
- Do you have a well-defined and orchestrated IT policy for keeping the operating system updates current on all the devices your employees use, and is it automated? Every time Microsoft, Apple, or any other device provider upgrades software to patch a security "hole," the update should be pushed out at the same time to all the devices your employees use to access your systems. In some cases, employees might be on different release versions of software for the same device. Ensuring that the plethora of devices employees use at home are on the same software release, and that all devices are at current update levels, is vital.
2. Do your employees understand your security and governance requirements?
If you don't already have a formal work-from-home policy, now is the time to develop one. If you already have a work-from-home policy, you should plan to review it.
Once developed or reviewed, work-from-home policies should be disseminated to employees so they understand the conditions for working safely and securely from home.
An IT work-from-home policy should, at a minimum, mandate strong password selection and no sharing of passwords. The policy should instruct employees on what to do if their devices are lost or misplaced, and inform them of the methods they should use when they need to transfer or store files. Storing files on local drives at home should be discouraged in favor of storing these assets in the cloud under company management. Home PCs, Macs and other devices should also be equipped with company-authorized security and malware protection software.
Finally, IT should plan to stay in touch with home workers by providing a helpline for security questions and concerns, and by issuing periodic messages with security tips and reminders.
3. Do your vendors and business partners understand and conform to your security and governance requirements?
For many companies, the COVID-19 crisis created a mad dash to work from home in which there wasn't time to ensure that every security and governance measure was in place.
This created security and governance exposure points not only within companies, but also in companies' extended networks of business partners and vendors with which information was being exchanged.
Now is the time to touch base with all your business partners and vendors to see whether the governance and security policies they have created for their own remote workforces correspond with your own.
4. Are you actively monitoring employee data access?
“IT today is challenged by the huge amount of data that is being generated each day,” said Rick Jones, founder and CEO of Iconium, which provides IBM System z data protection software. “Keeping data owners informed of who, where and when the data is being consumed requires tools that are specifically focused on data. These tools require advanced data science methods in order to provide insight into how data is being used. Data has become a new focus in IT because of governing and compliance requirements, insider threats and company policies.”
Tools like these can tell you where and how a user is accessing data, whether they are downloading it to a thumb drive or a DVD, and where and when the data is being accessed. They are invaluable to IT when it comes to monitoring remote employees' data access and behavior patterns.
5. How well protected is your IP?
Data encryption and multi-factor authentication should be used whenever it is necessary to stream or transfer any company-sensitive information or intellectual property.
The "catch" is that many employees don't know which of the information they are working with is intellectual property, so they may inadvertently send it to parties who should not have it.
It is up to IT to identify IP-sensitive assets in the network, and to put in place data encryption and hardened security access to protect that data.
Identifying these assets and protecting them can be a laborious task, but it is necessary.
6. Are you ready for a security breach incident now?
There is a high likelihood that your company will experience a security breach involving employee remote access, now or in the future.
What will you do?
The IT disaster recovery plan should include a step-by-step procedure for intervening in and mitigating a remote access security breach. This might entail an immediate shutdown of device access, communication with the end user, and/or other steps.
Including this scenario in a disaster recovery plan and in IT operational procedures is paramount so that governance, security and employee privacy rights remain uncompromised.