From Mary Ellen Seale, National Cybersecurity Society
This article was provided by the National Cybersecurity Society, a national nonprofit organization focused on providing cybersecurity education, awareness and advocacy to nonprofits and small businesses. Find out more at nationalcybersecuritysociety.org.
As the nation struggles to sustain business operations under a work-from-home directive, the NCSS has developed these practical steps to protect your business from cyber thieves. Cyber criminals are taking advantage of businesses that have not implemented safe business practices to manage a deployed workforce. The NCSS team has developed this fact sheet to help you develop a Work from Home policy for your specific business situation.
1. Data – If your company has not instituted a strategy to protect the transmission and storage of your critical business data, do so now! Conduct an inventory of your critical information assets. See our website, under Small Business/Resource Page/Data Management Strategy. The Data Management Strategy is a tool to help you identify the data you need to protect. Steps include: identify the data you need to protect; implement methods to encrypt data at rest and in transit; limit access to these assets through encryption; institute a password management policy; and limit the number of users who have access.
2. Data storage – Once your team has decided what needs to be protected, the next step is to decide where it is going to be stored and who has access to this data. If your employees are creating sensitive documents at home, direct them to store this new data in your designated secure storage location or on a USB drive. Direct them not to store sensitive business data on their personal devices.
3. Data transmission – Ensure your employees working from home are working on a secure communications network. Now is a good time to use a VPN (virtual private network). If that's not possible, direct your staff to use their home network and encrypt all documents that are shared with your team, customers and vendors. Don't forget to direct them not to use public Wi-Fi for company business.
4. Video Conferencing – Keeping your employees engaged is important, so conducting daily video conference calls becomes an important tool during this crisis. Data transmission is the most vulnerable area of video-conferencing since the data must travel over so many public and private networks to reach its destination. Encryption and network security are the keys to protecting data transmission during a video conference. Tell your employees to verify that their connection is safe during a video conference by checking the site security indicator (the lock next to the web address). To verify the connection is secure, click on the lock and see the site's security and certificate status. The level of encryption depends on the sensitivity of the data. For most non-military organizations, the built-in encryption that comes with the video-conferencing product or service is sufficient. The two most common encryption protocols are 56-bit DES and 128-bit AES encryption.
The other concern with video conferencing is data storage. It is not advisable to use an employee’s computer to store video conference data. The NCSS recommends companies use subscription video-conferencing services that store all video-conferencing data in special locked-down, off-site facilities.
5. Access Controls – Lock down access to your critical data and services. Direct your employees to reset all passwords and enable two-factor authentication for all your critical financial services. Resetting passwords and identifying the privileged users for each online account is critical at this time. Limit access to critical data. Ensure passwords are longer than 12 characters and include an upper-case letter, a lower-case letter and at least one symbol, or use a password manager.
6. Work from Home Policy – Establish a work from home policy that fits your specific business situation. At this time of uncertainty, employees need a guide to help them implement these new procedures to protect your business. If your company becomes an NCSS member, it will have access to all of the policies we have under Member Benefits. Suggested policies to review and incorporate from our site include:
- Remote Access Policy
- Password Policy
- Social Media Policy
- VPN Policy
- Acceptable Use Policy
- BYOD Policy
- How to Know What to Protect
- How to Select Access Controls
7. Acceptable Use Policy – Now is a good time to update your business's Acceptable Use Policy. Our template on the NCSS website has a lot of detail on device security, use of corporate resources, employees' use of their own IT devices (if allowed), logins and passwords, and use of Wi-Fi. Use it to see how it aligns with your new remote business operations.
8. Ask an Expert – Did you know that if you became a member, your company would have access to technical support for a data breach or other event? We are here to help! See our website for how to join.
9. Scams – Alert your staff to be careful about clicking on links or attachments in emails. There are a number of phishing scams that target individuals about the coronavirus. Links to a number of local state health centers are hosted on insecure websites. Tell your staff to be careful if they visit these sites and to use only secure websites to get information about the virus.
10. Software Updates – If you allow your employees to use their own IT equipment to work from home, mandate that they install and update all operating systems and software. We have seen many employees delay updating their software, which opens your company up to a significant cyber threat.
The NCSS continues to monitor the coronavirus situation and how it is affecting the small business community. We are working closely with our partners (DHS and InfraGard) to stay alert for threats that may affect your business. In closing, we applaud our country’s health care providers and essential service workers who are working on the front lines to fight this awful virus.