Increased precautions to slow the spread of COVID-19 have forced unprecedented reliance on technology and remote connectivity (e.g., work from home arrangements and telehealth services) across all industries and in the private sector. This rapid and significant shift raises enhanced privacy and cybersecurity concerns.
Among the areas of focus: the expanded remote workforce.
Here are some things to consider:
Increased Remote Connectivity
If a business’s non-essential workforce members are still on-site, it should test the remote connectivity capabilities, bandwidth and server capacity, and confirm that the IT infrastructure and concurrent licenses and subscriptions are sufficient to support increased users. As companies move to work-from-home arrangements, workforce members who are not accustomed to working from home will suddenly have remote connectivity, potentially without training on the relative lack of security of personal accounts and home technology. It’s a good idea to consider pushing out training materials and reminding the workforce of company policies on secure and appropriate remote work, including:
- Approved technology and software and communication of sensitive company information via internal electronic communication platforms;
- Confirming no sensitive information is visible to non-authorized users via video conference and screen-sharing;
- Use of public Wi-Fi networks;
- Avoiding use of personal devices and accounts to download or transmit company information;
- The ability to store, download or copy data from company systems to personal devices;
- Use of encrypted email;
- Print-from-home options and storage and proper disposal of paper files; and
- Logging out of computers at the end of the day or during breaks to prevent non-employee access.
It’s also important to raise employees’ awareness of the need to work on and talk about sensitive company information out of earshot of those present in the home, as well as virtual assistants and other visual or voice-enabled IoT devices.
Businesses should work to ensure employees practice good security hygiene (discussed in “COVID-19 and Increased Cyber Risk”) and that they ensure their cell phones, tablets and laptop computers that can be used to access work systems are stored securely when not in use.
Businesses should develop a list of FAQs their IT help desk is receiving, and make those available to workforce members to avoid overwhelming IT with repeat questions. Offer a virtual private network (VPN), virtual desktop infrastructure (VDI) or other remote access to company systems and enable multi-factor authentication. Also, use technology where possible to enforce and enable company culture (e.g., chat, video and conference systems to enable communication).
Broadband providers may be lifting data caps, but bandwidth limits should be considered in remote operations planning. Remote workforces are competing with other online uses, including schools moving to online learning, increased telehealth usage and streaming services. This increased dependence on and use of technology and remote connectivity will slow users and test bandwidth limits.
If bandwidth becomes an issue, consider workforce communications and monitoring to control video streaming and other data-intensive activities. For example, ensure that workforce members know that personal online activities should be done on their own devices. Additionally, guidance to help workforce members minimize non-essential home internet use during working hours may also be effective (e.g., limiting children’s video streaming to standard definition, turning off internet-connected devices like video game systems that can automatically update during the day without notice, etc.).
With an increased remote workforce comes increased exfiltration of data historically only accessible via more secure and monitored processes. While remote access is necessary for businesses to function amid the COVID-19 pandemic, it is important to consider appropriate access.
Health and life sciences entities are familiar with the minimum necessary concept, but now is a time to reassess access needs. Adjust and monitor role-based access to match job duties. Consider whether it’s possible to restrict access to high-risk systems with sensitive data or mission-critical designations to workforce members with appropriate training and need to know. Access rights can be adjusted as the situation continues to unfold.
Plan and Prepare for Failure
Businesses should be prepared for failures and overload on system resources. Not everything will work. It’s important to test backups, identify redundancies and implement emergency mode operations plans to support business continuity.
Many businesses have sent workforce members home but keep IT personnel and skeleton operations teams on site. Businesses should prepare backup plans (a Plan C) in the event of shelter-in-place orders or workforce sickness/exposure that limit the ability of an on-site IT presence. Identify mission-critical systems and team members, and set redundancies and backups where possible.
Find Your Culture
It’s important a business’s leadership remember that its workforce may be scared, responding to lack of normal human interaction and adjusting to a new work-from-home lifestyle. Businesses should try to find ways to foster moments of normalcy between co-workers.
Important actions are to test connectivity, train workforce on remote access, consider bandwidth limits, consider effects of increased workforce exfiltration of data and reassess role-based access designations for current conditions, test redundancies and backup plans, acknowledge increased security exposure due to remote workforce and remember the business’s culture.
Meghan O’Connor and Simone Colgan Dunlap are partners at law firm Quarles & Brady LLP. For more comprehensive, free-to-access COVID-19 resources, please visit https://www.quarles.com/covid-19-guidance-for-clients/.