A Blog About FTC regulations and happenings
Telework: Businesses Need Smart Practices ASAP to Reduce the Threat of Data Security Incidents. Here’s the Quick and Dirty of Smart Practices
COVID19 is not the only viral threat we face these days. Malware is a very real vulnerability for businesses large and small, among a host of other data security threats.
We have rapidly transitioned to telework. For many (perhaps most) businesses, that transition took place without a clear inventory of hardware leaving the office and without a clear telework policy for employees. As a business, data security may not seem like your most pressing concern (as you pivot to survive a new economic reality). But a data breach could be the proverbial straw that breaks the camel’s back. Data breach was an inevitability for most businesses before the fire-drill switch to telework. The new remote work dynamic heaps loads of new data security risks atop the earlier “inevitability.” And to complicate matters, data breach laws across the states have been trending toward more stringent breach notification requirements. Last year, many states—including Illinois, New York, Texas and Washington—expanded the categories of information that could trigger breach notification to impacted individuals and regulators, and shortened the time frame within which companies need to send out breach notifications.
If your company has transitioned to telework without addressing data security, we strongly recommend you undertake measures to address data security, and soon. We outline some initial measures to push out … today.
- Company property: You should get an inventory from your employees of what hardware they took from the office to work from home, including laptops, tablets, external storage drives, and hardcopy files. Their responses should be compiled, and the inventory should be tracked for ultimate return to the office or secure destruction of sensitive information (hardcopy shredding or data encryption).
- Personal devices used for work: You should get details on what devices employees are using to telework, from company-issued to personal devices. You should also get details on how they are communicating and sharing data. Are they using their personal email? Are they sharing company files from personal cloud accounts? Also, what kind of internet connection are they using (home router? public Wi-Fi? personal hotspot?). If you have a BYOD policy in place, it would be a good time to recirculate it to remind employees of its requirements. If you do not have a BYOD policy, that is something to develop and circulate along with a broader telework policy.
- Software and apps: What have employees downloaded (on company-issued as well as personal devices) to communicate for work and share data?
These rudimentary details can help you triage data security issues and develop your long-term telework policy.
2. Initial Telework Policy.
You ultimately should craft a telework policy that matches your company’s needs. But in the interim, you need employees using smart practices now. Employees should be aware of data security risks and should think about those risks from a variety of angles: what sensitive information can be seen, overheard, or erroneously lost or destroyed? Employees should not be taking confidential work calls within earshot of others (including cute kiddos) or leaving open screens where sensitive information is shared. Here are general pointers on smart practices to push out to employees before you establish and circulate a more thorough and tailored policy. We also encourage you to keep up to date on FTC guidance via their consumer blog. They provide further thoughts in a user (and employee) friendly format.
- No Phish: Phishing attacks are a significant threat these days. Online scams generally are on the rise. Employees should be wary. They should not download attachments or follow any links sent via email without confirming the sender (and looking at the actual sender email address, not just the display name/alias).
- Software: Make sure employees have loaded the latest updates for antivirus programs and operating systems. Employees should check with IT before downloading collaboration apps or services (Zoom anyone???).
- Hardware: Devices should be in a safe location and locked or turned off when not in use, especially when they have sensitive information. Devices should have effective access controls, such as multi-factor authentication, strong passwords, or encryption. Employees should avoid using external storage drives, which are easily lost or misplaced. If they do use them, those drives should be encrypted.
- Internet connection: Employees should not be using public Wi-Fi. If possible and practical, they should be using a company-established VPN.
- Cloud: Employees should not be sharing work files on personal cloud storage.
- Personal device use: If employees are using their own devices for work, all work files should be kept in one folder that can be deleted once those documents are transferred back to the office environment. Anti-virus software should be installed and updated regularly.
- Teleconference and video conference: Employees should not record conversations. They should conduct calls out of earshot of their household, if possible (especially any calls where highly sensitive information is discussed).
- Email: Employees should not use personal email for work. If there is not an alternative, they should ensure information is encrypted and remove sensitive data from the subject line.
- Hardcopy: Paper records with sensitive information should also be kept secure, either locked in a file cabinet or drawer, or shredded where no longer needed.
- Data breach: Employees should report any data security incident immediately, from a lost or stolen device, to a potential phishing attack, to an inadvertent disclosure.
We cannot overstate the threat of data breach in the telework environment. People are necessarily more relaxed and more distracted as they work from their sofa, in pjs, with noises of babes and pets in the background. And cyber predators are actively seeking to take advantage of the situation. You need to emphasize smart practices now as you develop your employee policy going forward. You also need to inventory hardware, hardcopy and data use, both to track what is where and to help you build out your data security policies. Further, if you do not have a data breach response plan, you should develop one soon. We recognize this may seem like a lot to consider when priorities are elsewhere, but without some proactive measures in terms of data security, you could face a business-breaking data breach.