Teleworking is an option that is valued by staff and implemented by increasing numbers of companies – and it makes even more sense during a health crisis. However, even in an emergency, the implementation of a teleworking system requires companies to take a number of precautions to avoid unpleasant surprises – especially in terms of data protection.
New rules introduced in September 2017 expanded the legal framework for teleworking in France, enabling employees to conduct their professional business outside company premises on a more or less regular basis. However, the implementation of teleworking has the potential to bring your information systems security manager out in a cold sweat.
Raising employee awareness concerning the IT risks of teleworking
Teleworking provides the employees in question with remote access to the resources and information they require for their work. But because these resources and information may be sensitive – or indeed critical – for the company, there is a need to avoid any risk of contamination, leakage or data loss in the company’s information system. Even in an emergency, certain measures need to be taken before any initiatives are implemented.
In an emergency, you can skip the training sessions: there’s no time to set them up, and a face-to-face training meeting for multiple people would seem pretty unwise right now! However, that doesn’t mean you can’t issue or reinforce important instructions by email or on an easily printable A4 sheet:
- Make sure computers are updated, if that isn’t taken care of automatically.
- Check your antivirus software is running and updated.
- Protect your personal WiFi access with a sufficiently strong password which is regularly changed and – of course – not known by everyone around you.
- Remove any information which may be contained in the personal WiFi network name (SSID), as this could make it possible to identify the teleworker – and then, via a basic LinkedIn search, their company.
- Avoid USB keys which have been moved between various computers.
- And lastly, even at home, never forget to lock your session when you’re not working on the computer. Admittedly, the chances of being hit by a “croissantage” attack from a family member, housemate or cleaner are pretty low. But the risk of indiscretions by visitors, or the accidental deletion of data by a three-year-old with a desire “to work like Mummy/Daddy”, is still a possibility. Every work environment has its own threats!
Also, make sure you send your staff a link to the cybermalveillance.gouv.fr website, which has created a digital issues awareness kit (in French) for sharing best practices for personal and professional use.
Keep your laptop close at hand
To avoid being caught out, now is the time to start asking laptop owners to carry their computers with them at all times during evenings and weekends, in case of emergency quarantine.
Ideally, whole-disk encryption should be enabled on these devices, but there may not be sufficient time for this. As an alternative, remind teleworkers that they should keep the computer with them, especially when travelling, and not leave it unattended. This includes staff travelling in private vehicles, who should not leave their computer in the car boot while out shopping.
Remote access for all
Your network protection system no doubt already lets you provide secure remote access to your mobile workforce. It’s easy to set up using a simple procedure, and you are quite likely planning to do the same for the new wave of teleworkers too. Now is the time to install SSL VPN clients on the computers of users who will need them if called on to telework on an impromptu basis, and to get them to test their access as soon as possible.
But in setting up this access, don’t confuse speed and haste when performing the configurations: remember that you’ll probably want to turn them off again once the situation has returned to normal.
Maintain contact with teleworkers...
Despite the urgent recommendations and procedures you’ve written up and sent out, some staff – especially those with a less technical background – will experience difficulties. Be sure to give them clearly identified points of contact who can support them. And make sure your IT teams are available; they will spend a lot of time on user support during this period, which will negatively impact their other work.
By the way, remember not to give out your password: neither to a colleague over the phone, nor to anyone claiming to be from IT. Some clever attackers may seek to take advantage of the situation.
... and between workers
To facilitate remote communication, a number of videoconferencing vendors are offering their services for free during these difficult times. These services are useful not only for meetings, but also for screen sharing and for remote technical support without having to install various other tools. However, do a quick check to ensure their terms of service comply with your regulatory constraints, including the GDPR.
Debrief when things return to normal
This is the time for an update and a recap on lessons learned:
- What needs to be done differently, and what could be used again in future?
- Has data been temporarily stored for emergency purposes on less secure hardware and peripherals? You’ll need to make sure it has been destroyed.
- Could some quickly-drafted procedures be improved and reused?
- Where were the pain points?
Of course, this all assumes that, emergency or no emergency, all actions taken and problems faced by the company have been traced, whether in emails or through a ticket management system.
And maybe there’s an opportunity to introduce teleworking on a more regular basis... but this time with the appropriate preparations and improved security?