Cyber security for Employees Working From Home
Cyber Security | Program Development
Due to work-life balance or other business considerations, more employees are working from home more than ever before. While remote work may offer benefits to both the employee and employer, there are potential cyber security risks when employees work from locations outside of the office. To help minimize these risks, consider these precautions:
Use a Virtual Private Network (VPN), not Remote Desktop Protocol (RDP).
The use of a VPN is a fundamental safeguard when users access the company’s network via their home Wi-Fi.A VPN allows for encryption of data, which adds a level of protection for information such as passwords, credit card numbers and other sensitive or private information. A VPN can also provide a level of anonymity through capabilities such as masking of location data, website history and IP addresses.
Employers should avoid using the RDP on their network. RDP may be an expedient option, but it is not a secure solution.
Implement Multifactor Authentication (MFA).
The basic principle of MFA is that an authorized user must provide more than one method of validating their identity. Even if a cyber attacker has obtained a user ID and password, MFA decreases the risk that an attacker can gain access by requiring an additional means of validation. Commonly, the factors correlate to something you have (e.g., an authenticator app on a smartphone), something you are (e.g., a fingerprint) or something you know (e.g., a PIN). For more information on the best way to implement MFA at your company, reach out to your technology staff and/or managed service provider.
Ensure remote work practices comply with internal and external policies, laws and regulations.
It is important for companies to understand their regulatory environment and ensure that remote work maintains compliance. It is possible that some roles within a company will not be suited to remote work, in which case companies should be clear with staff about remote work expectations and permissibility. For example, some teleconferencing software may not be HIPAA compliant for use by a medical provider because the software does not encrypt personal health information (PHI). Identify and address risks with storing business information in personal cloud storage or printing on home printers, etc.
Ensure systems, software, technologies and devices are updated with the latest security patches.
Employers should track the equipment to be used in a home environment and provide a means of updating software security patches. The National Institute for Standards and Technology (NIST) provides a National Vulnerability Database that offers information on vulnerabilities from many vendors. For more information about patch management and best practices to consider, reference the NIST Guide to Enterprise Patch Management Technologies.
Prevent unauthorized users on company resources (e.g., laptops, mobile devices).
Employees should not allow anyone to access company resources, including family members. Whenever possible, use a private location if you are on a call or in a meeting that involves sensitive information, such as anything HIPAA-related.
Use only company-authorized devices for remote work.
Personal devices may not have the same level of security and privacy protections as company devices. If your company has a “Bring Your Own Device” policy, be sure that your use of a personal device is in accordance with that policy. This includes home printers and personal email accounts. It may seem convenient to print work documents on your home printer or send emails to your personal device, but these actions may put your company at risk and violate company policies. Be aware of “shortcuts,” such as taking photos of company documents with your personal phone as an alternative to scanning them, as these shortcuts may introduce privacy and security risks.
Dispose of company documents properly.
Review your company’s records retention and management policies, as well as information management policies, to ensure compliance. If you must dispose of hard copies of company documents, either shred them or securely retain them for proper disposal when you return to the office. Protect physical documents that must be retained as best you can.
For more cyber security best practices while working remotely, see the NIST publication Guide to Enterprise Telework, Remote Access and Bring Your Own Device (BYOD) Security.
Cyber Risk Pressure Test
Cyber Security Management – Getting Started
Cyber Risk Management Self-Evaluation
Please contact your Professional Underwriters, Inc. agent for a quote or email us for a quote at here.
The information provided in this document is intended for use as a guideline and is not intended as, nor does it constitute, legal or professional advice. Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists, or guidelines will result in a particular outcome. In no event will Travelers, or any of its subsidiaries or affiliates, be liable in tort or in contract to anyone who has access to or uses this information for any purpose. Travelers does not warrant that the information in this document constitutes a complete and finite list of each and every item or procedure related to the topics or issues referenced herein. Furthermore, federal, state, provincial, municipal or local laws, regulations, standards or codes, as is applicable, may change from time to time and the user should always refer to the most current requirements. This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by Travelers, nor is it a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law.