With cases of COVID-19 arising in almost every country, several companies are taking action in an effort to limit its spread. ‘Working from home’ is the main focus of such efforts by organisations. Although remote work arrangements can be successful in slowing the spread of COVID-19 from one person to another, they pose data protection obstacles that can differ from those of on-site work. Below is a list of considerations and suggestions to help companies address such obstacles.
Review your information security and other related procedures to decide whether there are any established security standards for remote work and remote access to the company’s information systems. Many organisations may already have procedures related to remote work, whilst others can provide for contingencies in disaster response strategies, BYOD (bring your own device) policies, and other related strategies and policies. If no appropriate procedures or policies are in effect, now is the best time to set out at least some clear rules for addressing remote access to the company’s information systems and the use of personal devices by employees for company work.
Security managers should be familiar with the appropriate security guidelines, plans, and procedures, and make sure that important information is communicated to their departments as well as throughout the whole company. Many employees may have never worked remotely before; therefore, providing guidance and advice to all employees is essential.
Organisations should evaluate data breach and incident response policies to ensure that they are well prepared for responding to a data breach or security incident. The increased security risk of remote work highlights the need to have a policy in place in case something develops in an undesirable way.
Remote work data protection tips to keep your information secure:
- Employees should be made aware of the types of information they need to safeguard. This includes information such as sensitive company documents, trade secrets, protected intellectual property, and client and employee personal information.
- Sensitive information, such as employee data, client data, health records, and financial records, that is retained on or transmitted to or from remote devices should be encrypted.
- Employees should also be trained on how to identify and handle phishing attacks. An increasing number of Coronavirus-based phishing emails have been circulating lately, preying on the public’s health concerns.
- Sharing of work computers and other devices should not be allowed. When employees take work devices home, those devices should not be shared with or used by anyone else. This eliminates the risk of unwanted or accidental exposure of clients’ confidential information.
- It is recommended that two-factor or multi-factor authentication (MFA) be implemented and enforced.
- Virtual Private Networks (VPNs) ensure that internet traffic is encrypted. If your company has one in place, it should be ensured that employees exclusively use the VPN when working and when remotely accessing the company’s information systems.
- Company information should never be downloaded or saved to employees’ personal devices or cloud services, including employee personal computers, thumb drives, or cloud services such as their personal Google Drive or Dropbox accounts.
- Employee access to protected information should be limited to the minimum scope and duration needed to perform their specific tasks and duties.
The content of this article is intended to provide a general guide to the subject matter and does not constitute legal advice.