In the wake of the COVID-19 pandemic, businesses that can have staff work remotely are doing so to a large extent. And remote work is likely to be more common in the long term than it was pre-COVID, with many companies expecting to make some of their COVID-inspired remote work changes permanent.
But there are unique challenges for households in which multiple family members are working from home for separate companies. Specifically, how do employees who are sharing a home with other remote workers—or even sharing the same home office—maintain the confidentiality of potentially sensitive company data?
Basic Cybersecurity Best Practices
First, there are cybersecurity risks present in the Internet Age regardless of whether an employee is sharing a home office or working at an employer location. Basic cybersecurity best practices should be a fundamental part of any remote work training.
“When establishing a remote working policy, organizations should employ comprehensive cybersecurity guidance, as there will likely be employees unaware of the security risks and expectations of remote working,” says Judith Bitterli, VP of Consumer Marketing at McAfee.
Bitterli says there are several tips and tools that all HR teams should clearly communicate to their employees in order to adequately protect both personal and corporate data, including:
Using a VPN. It was common, even before the pandemic, for people to use publicly available Wi-Fi networks while working in coffee shops, parks, or other settings—convenient but not secure.
These unsecured connections make it easy for hackers to get access to both personal and company information. Instead, a virtual private network (VPN) establishes a secure connection while allowing employees to access work files saved in the cloud.
Avoiding the lure of phishing e-mails. “We’ve seen hackers attempt to take advantage of people’s fears by pretending to sell face masks online to trick unsuspecting people into giving away their credit card details,” says Bitterli. So make sure employees are educated on the dangers of opening e-mail attachments or clicking on suspicious links—not just once but frequently.
Using two-factor authentication. Yes, it can be a hassle, but using two-factor authentication—requiring a password and some other form of verification, like generating a code that will be sent to a mobile device—adds more security for organizations that have multiple people logging in from various locations.
A second form of identification that is sent to a personal phone, for instance, boosts the odds that the information will remain secure.
Choosing a strong password. Using complex passwords is one excellent way to protect your account’s security, though it can be frustrating to have to use a different password for each account.
Employees should also be required to update their passwords frequently, choosing new and unique passwords for every update. A password manager, or a security solution that includes a password manager, can help keep track of all your unique passwords.
Browsing security. Make sure your employees’ devices are updated with security solutions regularly to protect against malware, phishing attacks, and other threats, as well as to identify malicious websites while browsing.
Technology isn’t the only risk to data security. There are plenty of people-related risks, as well.
Confidentiality
“Human error is the source of 90% of cyberattacks, meaning cybersecurity training is not a ‘nice to have,’ but a ‘need to have,’” says Michael Madon, SVP and GM for security awareness and threat intelligence products at Mimecast.
Many employees are used to sharing an office space and working closely with others in the organization, and in those situations, they’re all bound to the same confidentiality obligations.
However, this is not so in the case of a husband and wife who share a home office but work for separate companies, potentially even companies in the same industry or direct competitors!
The first step in training staff on maintaining the confidentiality of sensitive company information is simply reminding them of their confidentiality obligations.
Some employees may have been with the company so long that they don’t consciously think about those obligations, even if they adhere to them in their daily activities. When they’re suddenly moved to a potentially shared home office, it’s important to remind them to maintain confidentiality, even with respect to family members.
As a next step, it can be helpful to educate staff on some best practices for maintaining privacy in a home office. This can be as simple as locking a computer screen when the computer is not in use.
It might also include best practices for conference calls; if possible, calls should be taken in separate rooms. Using headphones instead of speakers can also provide some additional privacy.
At Mimecast, says Madon, “Our approach in awareness training is focused on continuous, engaging micro-learnings in the form of short videos. They’re short, engaging—even humorous—and focused on topics like HIPAA, data privacy and impersonation attacks.”
Phishing tests and risk scoring can also help identify employees who represent the greatest potential risk.
FAQs and Other Resources
Regardless of how thorough and well-thought-out your policies are, it’s almost certain staff will have questions on cybersecurity and confidentiality best practices.
It’s a good idea to make on-demand resources available when those questions arise. This can include a regularly updated frequently asked questions (FAQ) page on the company intranet or a phone hotline or an e-mail exploder employees can use when they have specific questions.
Regular Reminders
As with any new policy, it’s helpful to have regular reminders of key changes and updates, including spending the first few minutes of regular meetings highlighting key elements of the new policy, for example. This not only serves to remind employees of specific requirements but also reinforces the importance the organization places on cybersecurity and confidentiality in general.
The switch to remote work in the wake of the COVID-19 pandemic was done quickly and with the mind-set that it’s a temporary solution to a temporary problem.
But as the need to take precautions against the spread of the virus continues and more and more companies see the benefits—or at least are not seeing the downsides—of remote work arrangements, employers need to consider how to manage remote work as a long-term reality. This includes, among other factors, how to properly train employees on policies and procedures around cybersecurity and confidentiality.