The spread of the COVID-19 (Coronavirus) pandemic in Israel and around the world has led to numerous guidelines from the Israeli Health Ministry, the latest of which strongly recommends that organizations allow their employees to work from home. ERM has addressed the labour law-related issues arising in this context in a recent bulletin. While remote working arrangements may be an important step to slow the community spread of COVID-19 from person to person, they present cybersecurity challenges and risks of data security breaches.
As a reaction to these challenges, the National Cyber Security Authority published the Telecommuting Protection Recommendations for Businesses and Organizations on March 11, 2020. These recommendations address security measures to reduce risks that could come with remote access to computer systems and the decreased possibilities to supervise employees. The following is a summary of these recommendations as well as additional measures that should be taken now to reduce cybersecurity risks.
Pursuant to the recommendations, remote access should be granted only through a device that is familiar to the company’s IT personnel, which usually means a company computer rather than the employee’s private device. Employees should log in through a secure interface only, the session should be recorded, and the recording should be saved for a certain time period.
The organization should not grant all of its employees general access to the entire information system. Instead, the advice is to separate the access to email from the access to sensitive information, which should be granted only in a restricted manner and to those employees who have a need to know such information. If such access is necessary, it should be granted only for the required period of time and only through the company’s computer. The access settings should be configured so that after a certain time in which the employee was not active the connection to the system is automatically disabled, in order to decrease the risk of unauthorized access.
Now more than ever, it is important to make backups of all devices and the information stored therein, so that in the event a device is hacked or lost – both of which constitute a “security incident” – the information can be recovered.
Data Breach Response Plan
Each organization should also review its data breach and incident response plans to ensure that it is prepared for responding to any kind of security incident. If necessary, the plans should be updated to include the contact information of the IT security team and to ensure that the organization can respond adequately and swiftly also when working remotely.
Communication with Employees
In addition to the technical security measures an organization can take while enabling its employees to work remotely, another essential aspect is to hold awareness training with employees on how to comply with security requirements. It is essential that the organization is aligned from top to bottom on these matters, even and especially when many employees have not been involved in information security before. As the current situation does not permit face-to-face training sessions, such training or instructions may be conducted as online webinars, or sent to employees as presentations or memos. Such training should include, among other things, the following points:
- Locking a device by means of a complex password or biometric means as well as locking the device automatically after it has not been used for a set period of time.
- “Remember password” functions should be turned off when employees are logging into company information systems from their personal devices.
- Enable 2-step access verification (2FA) wherever possible on any device.
- Employees should separate work email inboxes from private email inboxes and create different passwords for each account.
- Only known and secure Wi-Fi networks should be used to connect remotely.
- Warning against phishing attempts or emails that may contain malicious software.
- Limit or prohibit the use of external storage devices such as USB storage devices.
If you want to address cybersecurity risks in your organization, we will be happy to assist you.