As the number of confirmed cases of COVID-19 (coronavirus) continues to increase, organizations across the world have implemented travel restrictions, quarantines, furloughs and other measures to combat the spread of the virus to their employees and customers. One of the most common precautionary measures taken has been instituting or expanding remote working policies. For many organizations, remote working provides a mutualistic solution to an otherwise difficult balance between efficient operation and employee safety. If your organization, like so many others, has deployed remote working, Ice Miller’s Data Security and Privacy Team and Coronavirus Task Force want to share six tips for securing your workspace, wherever your “office” may be.
Tip #1: Use a Virtual Private Network (VPN) to the extent possible.
Whether you are working in your living room or your local coffee shop, we strongly encourage using a VPN to secure remote access to your organization’s systems, documents and contacts. A VPN creates an encrypted connection to your organization’s network, making it ideal for accessing your organization’s resources while on a less secure network, such as public Wi-Fi. For many organizations, the use of a VPN is required to remotely access document management and internal communication applications. If you plan to work remotely and are unsure how to connect to your organization’s VPN, be sure to speak with a member of your information technology workforce before leaving the office for an uncertain amount of time. If your organization does not provide a VPN for employees to remotely connect to its network, there are several options for creating your own personal VPN to improve your data security (although we recommend consulting with your organization’s information technology professionals before doing so), for both Windows and Mac users.
Tip #2: If a VPN is unavailable, improve your personal network security.
Should you not have access to a VPN, take a few minutes to assess your personal network security. Make sure the network you are using at home or at another location at least requires a strong password. If your home network’s password is “Password123,” for example, change the password to something at least eight characters long. (Pro tip: use a passphrase such as “The rocks and the sound 81!”) Although you may have heard it’s best to use a combination of UPPERCASE and lowercase letters and special characters, the National Institute of Standards and Technology (NIST) advised against this in its 2019 NIST password guidelines. If you are logging on to a network at a coffee shop or another public location, ensure you are logging on to a secure network hosted by the establishment. Users often assume the “GUEST” network that appears on their phones is the guest network for the establishment without confirming with management or other employees. Finally, we recommend you update your home router’s password from its default to a stronger password. (Note: this password should be different than your network password.)
Tip #3: Install multi-factor authentication.
Consider installing multi-factor authentication (“MFA”), which requires you to confirm access by providing two or more pieces of authentication, such as a phone number and login credentials. NIST recommends that users not select SMS or text message-based MFA; instead, use a one-time password from an application like Google Authenticator. Also, if you are using a personal hotspot on your iPhone, make sure you have disabled the “Allow Others to Join” feature for additional security.
Tip #4: Develop secure communication protocols in case you do not have internet access.
Although the ideal work-from-home scenario involves strong, secure internet service, there may be times throughout the day where you lose secure internet access. To better protect your organization, we recommend you establish communication protocols that safeguard your data. For example, applications such as Structural and Blink provide security for internal communications across an organization and offer mobile-device friendly solutions for employees and employer. Secure messaging applications such as Wickr, Slack and Signal are ideal alternatives for both employee and personal communication, and each provide encryption at rest and in transit. When working remotely, you should prepare a plan to effectively – and securely – communicate with your colleagues should you lose access to your VPN or otherwise secured internet service.
Tip #5: Encrypt confidential/sensitive data.
If you plan to work with confidential and/or sensitive documents during your remote work period, we encourage you to encrypt this data both in your emails and on your own device. Your organization likely already has this tool enabled if you are using your organization’s network and a device provided by your organization. If you are using your own personal device, you should check to see if your email and other data on your device are encrypted. For Gmail users, you will see this icon ( ) if the emails are not protected by encryption. Outlook users will see this icon ( ) if the email is protected by encryption. Also ensure all stored data on your device is encrypted. For iPhone users, this is done automatically when you create a passcode; for Android users, you can encrypt your device by clicking Settings > Security > Encrypt Device.
Tip #6: Don’t forget about physical security.
So far we have discussed technical safeguards for working remotely, but physically securing your data is just as important as encrypting it. To that end, we recommend implementing full disk encryption on your device. Full disk encryption software is available for Windows, Mac OS and Linux, and it protects your data even if an attacker physically removes your hard drive to bypass your password.
If you are working at home, be sure to lock your doors if you leave your house without your laptop, even if you only expect to be gone for less than an hour. If you are working at a public location, physical security becomes even more important. Although you should avoid leaving your computer unattended, be sure to lock your computer if you must do so. If you must leave your laptop or tablet in the car, we recommend locking your computer in the truck of your car to prevent theft (and a smashed window). Be cognizant of your surroundings, too – you never know who might be reading that confidential memorandum you are writing over your shoulder. Finally, if you charge your phone at a publicly available charging station, use a USB data blocker when possible. These are cheap tools that allow your phone to connect to power without exposing the data on your device.
Finally, if printing confidential documents at home, we recommend using the Secure Print option that appears on the drop-down menu when you start to print. This will allow you to create a Secure Print ID and password in a few easy steps, and this procedure can help reduce risk. If you need to shred documents at home instead of at the office, ensure you shred documents well enough so they cannot be pieced back together (turn the document into confetti, not puzzle pieces).
Your organization’s primary concern is likely your employees’ and customers’ health and well-being. Remote working capabilities provide an efficient, flexible alternative to exposing your organizations employees and customers to the novel virus, and your organization may already have the infrastructure necessary to create a safe, effective remote working environment. However, as your organization rolls out remote working strategies, our Data Security and Privacy Team and Coronavirus Task Force encourages your organization – from executive to intern – to review the tips above to protect your data during the remote working period. If you have trouble with the more technical precautions, ask your organization’s information technology professionals for assistance.
For additional guidance on securing your remote working environment, contact Stephen Reynolds or Mason Clark with IceMiller LLP Data Security and Privacy Team. Visit our Coronavirus (COVID-19) Resource Center to speak with a member of our Coronavirus Task Force if you have additional questions about how the virus could impact your workplace.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.