ADVERTORIAL | Data Protection Checklist When Teams WFH
There is more to the Work From Home (WFH) model than staff simply being away from the office. For example, a major task for IT leaders in organisations is ensuring the company’s data are safe no matter the configuration of the workforce, at any point in time. The percentage of companies with a remote workforce accessing their network has increased exponentially in Jamaica since the outbreak of COVID-19 and has placed our productive sector in transition. Up to mid-April, more than 25 per cent of the workforce of the heavily IT-infrastructure-reliant BPO sector was operating in this manner.
Virtual Private Network (VPN) connections were already being used by many organisations to provide employees with secure, remote access to files and email when they are away from the office. In fact, given its popularity, organisations needing to configure their infrastructure to enable WFH operations would likely subscribe to this solution at this time.
However, a business may not need to access company resources through a VPN in all cases. If the resources are in Office 365, the files can be accessed directly using the secure web browser of Microsoft Teams.
No matter which access point a company uses to accommodate the WFH demands in the time of COVID-19, keeping the data protected should be a top priority for the employee, as much as it is for the employer.
The challenge for the employee, in this scenario, is to be more vigilant about protecting the data they interface with and to go beyond simply having a password to access an end device, such as a laptop or tablet.
Employees need to broaden their knowledge about security protocols and adopt new habits when it comes to accessing the company’s data (which at times involves the company’s clients’ information) from the comfort of their home. This is all the more important because they are accessing the data outside the direct day-to-day supervision of the IT leaders back at the office.
In this regard, Collin Burgess, IT Infrastructure Manager, MC Systems, provides a useful checklist which employers can use to equip and empower their teams to be valiant data protectors.
While working remotely, companies and employees should follow these guidelines:
• Implement WFH Policies: Work From Home policies may include clauses that speak to establishing the approval process for remote work and maintaining availability during normal business hours for communication via phone, email and live video/voice calls. The policy should cover adherence to the company’s data privacy, security, and confidentiality policies; maintenance of safety conditions and safety habits at the home office, as established at company facilities; ensuring all work time is recorded using software designed to manage employee activities on their remote devices; completing work assignments; and identifying a clear employee Code of Conduct.
• Conduct User Awareness Training: Make no assumptions about what staff might know about data protection, and ensure that they are provided with the information and support to make good decisions consistently.
• Use Two-factor Authentication: For example, setting a password for the device and the particular files being accessed on the device.
• Install Enterprise Antivirus Software and enable an Intrusion Prevention System (IPS), ensuring that advanced threat protection is enabled.
• Implement Mobile Device Management Software: This will allow the company to manage mobile phones remotely with the capability to configure policies or wipe the device in the case of a breach.
• Stay Away From Free/Open WIFI as a means of protecting data: Contrary to popular belief, even home WIFI is considered free/open if it is not protected. Hackers can position themselves between you and the connection point and intercept your data (emails, phone numbers, credit card information and business data). If you must use open WIFI, then use paid VPN software to access the internet.
This way, if a hacker captures your data, it will be encrypted. Also, ensure that passwords are changed every 30 days at minimum using complex passwords. When setting passwords, have at least eight characters; the more characters, the better. Use a mixture of both uppercase and lowercase letters, a mixture of letters and numbers, and include at least one special character, e.g., @ #? If employees are having difficulties, the process to set and change passwords is simple enough to be guided by telephone.
• Use Email Filtering: Install spam filters to detect and prevent malicious emails and limit public information. Attackers cannot target your employees if they do not know their email addresses. Do not publish non-essential contact details on your website or on any public directories, including phone numbers or physical addresses. All these pieces of information can help attackers engineer an attack.
• Carefully Check Emails: Phishing attacks are seldom perfectly executed. Often there is a telltale sign, such as a bizarre “From” address (e.g. service145@mail.145.com), unusual links (e.g. amazon.net.ru), or a high number of typos or formatting mistakes in the text. If it looks suspicious, employees should report it.
• Beware of Links and Attachments: Your employees should be sceptical whenever they receive an email from an unknown sender. Do not click on links or download attachments without first verifying the source and establishing the legitimacy of the link or attachment. Attachments are especially dangerous because they may contain malware, such as ransomware or spyware, that can compromise the device or network. Also, avoid clicking on links in COVID-19 phishing emails. These are links received in your email offering information or updates about the outbreak of the pandemic.
Be sure to hover over hyperlinks; never click on hyperlinked text without hovering your cursor over the link first to check the destination URL. Hackers oftentimes disguise a malicious link as a short URL.
Never enter your password unless you are 100% certain that the website is legitimate. If you are not logging into your account and you have not requested to reset your password, then password reset links are likely part of a phishing attack. Password managers, in addition to helping you use strong, unique passwords, can detect fake websites for you. It is important to conduct security awareness training with your staff.
• Do Not Mix Personal and Work: Employees should be encouraged to use their work devices to do work and their personal devices for personal matters.
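The hover check described under "Carefully Check Emails" and "Beware of Links and Attachments" can also be run automatically over an email's HTML body, for instance when triaging reported messages. The Python below is an added example, not part of the original article or of any MC Systems tooling; the `TRUSTED` and `SHORTENERS` lists, the function names and the sample message are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumed policy lists for this example; a real deployment supplies its own.
TRUSTED = {"amazon.com", "mcsystems.com"}
SHORTENERS = {"bit.ly", "tinyurl.com"}
BRANDS = {d.split(".")[0] for d in TRUSTED}
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
# Constructed sample email body; the two odd domains are the article's examples.
SAMPLE = ('<p><a href="http://amazon.net.ru/login">Track your order</a> '
          '<a href="https://bit.ly/EXAMPLE">COVID-19 update</a> '
          '<a href="http://mail.145.com/reset">www.amazon.com</a> '
          '<a href="https://www.amazon.com/orders">Your orders</a></p>')

def host_of(url):  # lower-cased hostname of a URL or bare domain, '' if none
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):  # returns (href, reason) for links failing the hover check
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = host_of(href)
        shown = host_of(text) if LOOKS_LIKE_URL.fullmatch(text) else ""
        trusted = any(dest == d or dest.endswith("." + d) for d in TRUSTED)
        if shown and dest != shown and not dest.endswith("." + shown):
            findings.append((href, f"text shows {shown}, link goes to {dest}"))
        elif dest in SHORTENERS:
            findings.append((href, "short URL hides the destination"))
        elif not trusted and BRANDS & set(dest.split(".")):
            findings.append((href, "brand name in an untrusted domain"))
    return findings
```

Calling `check_links(SAMPLE)` flags the first three links and passes the fourth, whose destination really is a subdomain of a trusted domain.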
Most business continuity experts and others are suggesting that life as we know it has changed forever because of the impact of “physical distancing”, which has regulated and legislated the remote-work policy which organisations have had to implement.
In fact, the impact of this pandemic has forced many business owners to look at their operations and consider how they could architect the infrastructure differently, to accommodate the new ways of working and earning in the future.
For example, consultancies that rent office spaces they now can’t go to may find that using Zoom, Teams or other Cloud-based videoconferencing solutions to stay connected to their teams, take client meetings, and even make pitch presentations for new business results in significant operational savings if they carry on that way after the pandemic.
“If remote work becomes the new normal, then organisations must ensure that they include data protection and security training to become just as normal, right alongside it,” Burgess advises.
_______
Send feedback on this article to solutions@mcsystems.com.