CNA EXPERTS

Managing a remote workforce? Protect your employees and your business from cybersecurity risk

By Nick Graf, ARM, CISSP, CEH | Published March 31, 2020

More than ever before, companies of all sizes are allowing employees to work remotely. Unfortunately, some organizations are not fully prepared for this sudden change to a remote workforce.  Telecommuting can potentially put your company at increased risk of a cyberattack.  


Many companies offer telecommuting and have company-owned and managed devices and robust security defences to protect remote access. Until recently, some smaller organizations might have thought that they did not need – or lacked the opportunity – to develop this type of infrastructure. This does not have to be the case: businesses of every size can take proactive steps to enhance their information security posture.


For businesses of all sizes, we recommend these basic steps to help ensure your transition to telecommuting goes as smoothly as possible:

  • Ideally, employees working remotely should use only company-issued or approved devices to securely access company resources.  If employees generate business records on their personal devices and outside the company’s control, it may not only lessen their security but also complicate your company’s compliance functions, trade secret protection, nondisclosure agreements, record retention policies, subpoenas, and legal process, among other things.
  • For company devices, consider prohibiting personal email or other non-business use. 
  • All devices should be equipped with up-to-date antivirus and anti-malware solutions, and follow regular software updates and security patch schedules.
  • All data should be encrypted, whether in transit or at rest. Since remote workers may be operating on less secure networks at home or on the road, implementing a virtual private network (VPN) with multi-factor authentication protects these connections.
  • If personal devices are used for business purposes, consider ways to educate employees and require them to strengthen their security settings and firewall configuration. For example, require strong passwords, preferably 8-20 characters with combinations of capital and lowercase letters, numbers and special characters. You may also consider a password manager solution.
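The password rule in the last point (8-20 characters, with uppercase, lowercase, digits and special characters) is easy to state but is only enforced if something checks it at the point where a password is set. The following is an added example, not CNA's tooling or any product described on this page: a small policy checker that reports every requirement a candidate password fails, so a help desk or an onboarding script can tell the user exactly what to change. The thresholds are parameters; their defaults reproduce the range given above, and the sample passwords in `main()` are constructed for the demonstration.

```python
"""Password policy checker for the 8-20 character, mixed-class rule.

Added example (not the article's or CNA's code). Defaults mirror the
page's recommendation; every threshold is adjustable.
"""
from __future__ import annotations

import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 20          # the page's stated upper bound (assumption: tunable)
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    special_chars: str = string.punctuation   # what counts as a "special character"

    def violations(self, password: str) -> list[str]:
        """Return a list of human-readable reasons the password fails the policy.

        An empty list means the password is compliant. Messages describe the
        missing requirement only; the password itself is never echoed back,
        so the result is safe to log.
        """
        problems: list[str] = []
        n = len(password)
        if n < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if n > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        if self.require_special and not any(c in self.special_chars for c in password):
            problems.append("no special character")
        return problems

    def is_compliant(self, password: str) -> bool:
        return not self.violations(password)


def audit(policy: PasswordPolicy, candidates: dict[str, str]) -> dict[str, list[str]]:
    """Check several candidate passwords at once, keyed by a label (never the
    password), and return only the failing ones with their reasons."""
    report = {}
    for label, pw in candidates.items():
        problems = policy.violations(pw)
        if problems:
            report[label] = problems
    return report


def main() -> None:
    policy = PasswordPolicy()
    # Constructed sample inputs for the demonstration.
    samples = {
        "user-a": "Tr0ub4dor&3x",           # meets every requirement
        "user-b": "Password!",              # no digit
        "user-c": "short",                  # too short, no upper/digit/special
        "user-d": "Aa1!" + "x" * 17,        # 21 characters, over the page's cap
    }
    for label, problems in audit(policy, samples).items():
        print(f"{label}: " + "; ".join(problems))


if __name__ == "__main__":
    main()
```

The checker deliberately reports the missing requirement rather than the password, so its output can go into a ticket or a log without leaking the secret. The 20-character maximum is kept only because the page recommends it; if your organization prefers long passphrases, raise `max_length` rather than forcing users to shorten them.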

 

Telecommuting employees also need to be vigilant and follow best practices. These guidelines may help protect data confidentiality:

  • When working from home, individuals should exercise responsibility for their own personal electronic hardware like Wi-Fi routers, cable modems, printers, scanners, and portable devices. A backdoor into their home network may be a backdoor into the company network. Consider asking them to follow your company guidelines (or, if your company does not want to undertake to issue such guidelines, then their devices’ manufacturers’ guidelines) for keeping their software and firmware up to date, for using strong passwords and security settings, and for patching device operating systems regularly.
  • Employees should keep electronic work files on company systems or on company-issued hardware, and not on their personal devices. 
  • Don’t leave sensitive information in plain view – on paper or onscreen. 
  • Make sure your device has a lockout feature after a short period of inactivity.
  • Shred all paper containing sensitive information once it’s no longer needed. 
  • Use care before clicking on links or attachments in emails. Even if the sender looks legitimate, when in doubt use “out-of-band verification”: call the sender from a known good phone number to verify the message’s authenticity.
  • If you receive a phone call or email asking for your personal or financial information, do not share it.
  • Never share any user ID or password.
  • Verify any charity or community group’s authenticity before making a donation. 

 

The ultimate goals of information security are confidentiality, integrity and availability – ensuring that remote communications are private and unaltered, and resources are available when needed. By following these guidelines, you can help move your organization towards achieving those goals and creating a safer, more functional telecommuting environment – helping your organization stay connected. 


To learn more about how CNA’s Risk Control services can help you manage your risks and increase efficiencies, visit cnacanada.ca.

 

In Canada, products and/or services described are provided by Continental Casualty Company, a CNA property/casualty insurance company. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.

Nick Graf, ARM, CISSP, CEH
Assistant Vice President, Information Security, Risk Control

Nick has more than a decade of information security experience and specializes in data leakage prevention, security policies, incident response, data breach and security awareness.

He received a Bachelor of Science in Information Systems and a Master of Science in Computers, Information & Network Security from DePaul University. Nick holds the CIPP/E, which is focused on the data privacy regulations of the EU and the GDPR, as well as the Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and Certified Information Privacy Technologist (CIPT) designations. Nick is also a Fellow of Information Privacy with the IAPP.