On March 11, 2020, the World Health Organization declared the novel coronavirus (or COVID-19) a pandemic. This move has increasingly led businesses to ask their employees to work from home. With the sharp increase in the number of companies encouraging employees to work from home and recommended social distancing, remote work is the best solution to ensure productivity and minimize disruption. Some companies have already made remote work mandatory, and most are expected to follow suit in the coming days and weeks. Just yesterday, President Trump recommended avoiding gatherings of 10 or more people to slow the spread of the virus. Most workplaces fall into this category.
Many companies have invested in remote-working capabilities and feel relatively prepared for this. However, there are steps you can take to ensure success and decrease the likelihood of problems that could bring remote work to a screeching halt. Then there is the threat of cybercrime, which certainly never sleeps; quite the contrary, this is the perfect time for hackers to capitalize on the disruption.
To keep your systems safe and limit interruptions, we have identified the eight areas on which to focus as you plan for your employees to work from home:
#1: Test remote connectivity from the office.
Employees should try using a hotspot or guest Wi-Fi to confirm the following are up and running without issues:
- Instant messaging
- Conference call lines and web meetings for screen-shares
- Ability to connect to VPN/hosted environment and run core applications
#2: Ensure employees are using approved laptops/PCs to work remotely.
Employees should not use their personal laptops/PCs to perform work duties. You should:
- Ensure encryption is enabled for device hard drives.
- Have anti-virus and anti-malware software set to auto-update.
- Remind employees that company-provided devices are for business use only.
#3: Ensure data is secure and backed up.
- Require employees to work in the remote/production environments and not locally.
- If local copies are a reality, require employees to sync their data periodically throughout the day to the remote/production environment.
- Confirm that backup and replication configuration of the remote/production environments continues to be appropriate.
- Review overall disaster recovery and business continuity plans to confirm those continue to reflect the current risk landscape.
#4: Maintain your existing segregation of duties.
Ensure policies and procedures related to the processing of the following are defined and upheld:
- Billing and accounts receivable, including bank deposits
- Vendor management and accounts payable, including the creation of checks
- Payroll processing
- Wire transfers:
  - Ensure two-factor authentication is enabled and that two parties are required to execute a wire.
- Other key business processes that require physical and electronic assets, such as management of sales cycle, ability to process custom service requests, etc.
#5: Define a person or people that will be the official voice of the company
This will help provide clarity amidst the noise and reduce the risk of phishing attempts and internal “fake news.”
#6: Ensure adequate IT support coverage and consider extending support hours
Make sure your employees know how to reach your IT support teams and consider expanding support coverage hours as people will likely be working outside of normal business hours.
#7: Be aware of COVID-19 scams
Remind your team to be very wary of any Coronavirus-related emails, texts, and voicemails. Think before you click!
#8: Implement these back-end security best practices
We recommend your IT team ensures that the following best practices are in place to reduce the risk of a security breach for your remote workforce:
- Use only secure protocols (e.g., SSH, HTTPS, SCP)
- Disable all insecure protocols (e.g., Telnet, HTTP, FTP)
- Put access to company resources behind VPN and/or firewalls
- Prevent unsanctioned devices from connecting to company networks (employee personal computers could be compromised)
- Actively monitor remote access
- Change all administrative user account passwords that are still set to factory defaults
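One way an IT team can check the first two items on a Linux host, as an added example that is not part of the original article: it parses `ss -tlnH` output and flags listeners on the well-known ports of the cleartext protocols named above. The sample output is constructed, and the function names are this example's own.

```python
import subprocess

# Well-known ports of the cleartext protocols the checklist says to disable.
# Port matching is a heuristic: a service moved to a non-standard port is missed.
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}
LOOPBACK = ("127.", "::1", "[::1]")

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 32 *:21 *:*
LISTEN 0 128 127.0.0.1:23 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 10 192.0.2.10%eth0:23 0.0.0.0:*
"""

def split_addr(local):
    """Split the 'Local Address:Port' column into (address, port)."""
    addr, _, port = local.rpartition(":")
    addr = addr.split("%")[0]  # drop an interface scope such as %eth0
    return addr, int(port)

def find_insecure_listeners(ss_output):
    """Return (protocol, address, port, exposed) for each cleartext listener.

    'exposed' is False when the socket is bound to loopback only, which is
    lower risk but still worth reviewing.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_addr(fields[3])
        if port in INSECURE_PORTS:
            exposed = not addr.startswith(LOOPBACK)
            findings.append((INSECURE_PORTS[port], addr, port, exposed))
    return findings

def live_ss_output():
    """Collect real data on a Linux host with iproute2 installed."""
    return subprocess.run(["ss", "-tlnH"], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    for proto, addr, port, exposed in find_insecure_listeners(SAMPLE_SS):
        scope = "network-reachable" if exposed else "loopback only"
        print(f"{proto} listening on {addr}:{port} ({scope})")
```

Pass `live_ss_output()` instead of `SAMPLE_SS` to audit the machine the script runs on.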
This is a challenging time for all, including businesses that are actively trying to minimize disruption to client service and internal operations. But it is also a time to show resiliency and find opportunities to take full advantage of the IT systems your company has in place and has worked hard to build. Just don’t forget that this is also a time of vulnerability in many ways, including technology. If you are uncertain of the strength and security of your IT systems, this is the time to check. IT risk assessments by cybersecurity assessment experts can be done remotely, while you continue your business operations, and will ensure you are protected not only during this vulnerable time but also for the next disruption.
Patrick Daniel, CISSP, CISA, CRISC, is Director of IT Audit and Consulting in the firm’s Risk Advisory and Compliance Services Practice. Patrick is responsible for enhancing both IT auditing services focusing on Sarbanes-Oxley initiatives, compliance and security governance as well as cybersecurity initiatives for many of Moore Colson’s major clients.
Jon Powell, CPA, CITP, CISA, is a Partner in Moore Colson’s Risk Advisory & Compliance Services Practice. In addition to assisting with cybersecurity initiatives, Jon leads Sarbanes Oxley initiatives, internal audit co-sourcing partnerships, SOC audits and other compliance engagements.