4 Vital Security Domains where Thieves and Hackers Attack Your Remote Workforce
“There are nation-states that are actively taking advantage of the situation, particularly our Cold War adversaries, and we need to be keenly aware that they are aware of the lack of security that is presented by everyone telecommuting.”
– Tom Kellerman, Presidential Cybersecurity Commission
Can you and your business sustain millions of dollars in fines resulting from a data breach?
Reading between the lines of the COVID-19 and Coronavirus headlines, you will find warnings of increased cyber activity: thieves and hackers would like nothing more than to penetrate the relaxed security and careless work habits of your unsuspecting remote workers. The sobering reality is that, once you transition to a remote workforce, you shift from protecting one network at your office to protecting dozens, hundreds, or maybe thousands of networks as your workers take their work into their homes. The bottom line is this: when you transition to a remote workforce, your risk increases.
Here are 4 Security Domains that will help you avoid these attacks:
Security Domain 1: Implementing end-user physical safeguards becomes much more complicated when taking technology assets outside of the office. According to a 2015 study by Verizon, 55% of physical thefts happen in the workplace while 22% happen in an employee-owned car [1].
Take the steps to implement Physical Safeguards:
All workstations should be kept behind locked doors when unattended.
Workstations should never, for any reason, be left unattended in a vehicle or any other location rendering the workstation visible from the outside.
Never use an insecure network connection, such as public Wi-Fi, from a workstation.
Security Domain 2: A study performed by the Varonis Data Lab found that the average employee has access to 17 million files and 1.21 million folders, and only 5% of a company’s folders are protected [2]. Furthermore, 62% of breaches not involving an error, misuse, or physical action involved the use of stolen credentials, brute force, or phishing [2]. End-user technical safeguards are the most vital layer of security protecting those files.
Take these steps to implement Technical Safeguards:
All workstations storing ePHI at rest must have full disk encryption.
Purge all documents containing ePHI from a workstation as soon as the work is completed.
Home routers must have, at minimum, Wi-Fi Protected Access II (WPA2) enabled; WPA3 is best.
Follow company password management policies.
Enable multi-factor authentication or two-step verification wherever possible.
All workstations must have anti-malware protection, local firewall protection, and all current updates installed and enabled.
Enable local web content filtering.
Disable filesharing.
Do not connect thumb drives or other portable devices.
Do not use personal devices unless unavoidable. Personal devices must be configured to company specifications to comply with the company’s security policies. Personal devices are a de facto extension of the company’s network, and as such are subject to the same rules and regulations that apply to company-owned equipment.
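The following is an added example, not part of the original article: a read-only self-check that a remote worker or help desk can run in an elevated PowerShell session on a Windows workstation to see whether the Domain 2 technical safeguards above (full disk encryption, local firewall, anti-malware, current updates, file sharing disabled, WPA2/WPA3 Wi-Fi) are in place. The 30-day update window is an assumed value; adjust it to company policy.

```powershell
# Added example: audit a Windows workstation against the Domain 2 safeguards.
# Assumption: BitLocker for disk encryption, Windows Defender for anti-malware,
# and a 30-day patch window (adjust to company policy).
$findings = @()

# Full disk encryption on the system drive (BitLocker)
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($bl.ProtectionStatus -ne 'On' -or $bl.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "System drive is not fully encrypted (BitLocker: $($bl.ProtectionStatus), $($bl.VolumeStatus))"
}

# Local firewall enabled on every profile (Domain, Private, Public)
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings += "Windows Firewall is disabled for the $($_.Name) profile"
}

# Anti-malware: Defender antivirus and real-time protection
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings += "Anti-malware protection is not enabled"
}

# Updates: most recent installed hotfix must fall inside the assumed window
$lastPatch = (Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if (-not $lastPatch -or $lastPatch -lt (Get-Date).AddDays(-30)) {
    $findings += "No updates installed in the last 30 days (last: $lastPatch)"
}

# File sharing: the 'File and Printer Sharing' binding should be off on all adapters
Get-NetAdapterBinding -ComponentID ms_server | Where-Object Enabled | ForEach-Object {
    $findings += "File sharing is enabled on adapter '$($_.Name)'"
}

# Wi-Fi: the currently connected network must use WPA2 or WPA3
$wlan = netsh wlan show interfaces
$auth = ($wlan | Select-String 'Authentication\s*:\s*(.+)$').Matches |
    ForEach-Object { $_.Groups[1].Value.Trim() }
if ($auth -and ($auth -notmatch 'WPA[23]')) {
    $findings += "Wi-Fi is connected with weak authentication: $auth"
}

if ($findings.Count -eq 0) { 'All Domain 2 workstation safeguards checked are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each FINDING line maps to one bullet in the Domain 2 list, so the output doubles as the evidence to send to the IT team when a workstation needs attention.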
Security Domain 3: It is likely that your remote workforce is transmitting data from one network to another. Unbelievably, 87% of senior managers upload business files to a personal email or cloud account [3].
Take these steps to ensure Secure Data Transmissions:
Do not transmit ePHI utilizing unencrypted email.
Utilize an encrypted sync folder or encrypted email that also encrypts attachments.
Utilize a Virtual Private Network (VPN) if possible, even when accessing a web-based application. A VPN encrypts data traffic and renders it unreadable to anyone intercepting it on the home or public network. Do not use remote desktop tools outside of a VPN. Remote Desktop Protocol (RDP) is not secure.
Security Domain 4: In business, our greatest assets are often our people. In business, our greatest liabilities are often our people. According to a 2018 study, human error results in 27% of all data breaches [4].
Take these steps to enhance Employee Awareness:
Make certain that all employees know and follow the company’s security and privacy policies. Now is a great time to conduct a refresher course.
Send out periodic security reminders to all employees.
If an employee has a question or concern, have them submit it to the IT team or the Compliance Officer without delay. Ensure a prompt response.
We are facing unprecedented times that have required us to transition to a remote workforce. We have a duty to protect the privacy and confidentiality of our customers and patients. Use these steps as the beginning of a security framework for remote operations to deter hackers and thieves.
[1] https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
[2] https://info.varonis.com/hubfs/Varonis%202019%20Global%20Data%20Risk%20Report
[3] https://www.virtru.com/blog/email-security-2/
[4] https://www.ibm.com/downloads/cas/861MNWN2