
Adhering to compliances while working from home

The COVID-19 pandemic has transformed the way we work. With nationwide lockdowns prevalent in many parts of the world, it became essential for employees across various sectors to adapt to newer styles of remote working and collaboration. In fact, after recognizing the cost benefits of such a setup, most company leaders consider a long-term shift to a remote work model. A survey by Gartner revealed that 74% of CFOs plan to shift some of their employees to a remote work setup permanently. However, working remotely may bring about a host of compliance requirements depending on the industry in question.

What are some of the challenges different sectors could face when their employees work from home?

Healthcare: The current healthcare challenges have forced hospitals and other healthcare organizations to modify their operating procedures and adopt telehealth practices. However, adhering to Health Insurance Portability and Accountability Act (HIPAA) compliance and protecting protected health information (PHI) is as essential in the remote setup as it was on-premises. The penalties for non-compliance with HIPAA can run into millions and cause massive financial strain for the organization.

Finance: While employees in banks and financial institutions work remotely, safeguarding customers' financial information is of utmost importance. The Gramm-Leach-Bliley Act (GLBA) requires that all nonpublic personal information (NPI) of consumers be kept secure and confidential, including while employees work remotely. Relevant security measures need to be put in place: access controls that limit data to the relevant stakeholders, access restrictions based on location, and encryption of customer details both in transit and at rest. The Financial Industry Regulatory Authority (FINRA) has also created guidelines on how organizations in the financial sector can securely transition to a remote work model by having adequate supervisory procedures in place.

Government agencies: Federal employees and agencies had to perform their jobs from remote locations. However, cyberattacks targeting federal networks have been on the rise in the past few months. The National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have formulated regulations and recommended security controls for federal agencies to thwart these attacks. Various standards pertaining to general remote access, virtual private networks, and securing access to remote devices were put in place to secure remote work arrangements.

Adhering to compliance rules across sectors is mandatory, regardless of the employee's location. So what precautions should organizations take when allowing employees to log in remotely?

Employees: The first step would be for organizations to understand which employees are allowed remote access and the level of security clearance and data access required for each of them. Robust security measures can be put in place after identifying the relevant stakeholders. It is also a good practice to educate the employees on the importance of complying with the rules and having them sign compliance agreement documentation that would make them more accountable for their actions.

Devices: Employees must be discouraged from using company-issued devices for non-work-related activities, and no one apart from the employee should be allowed to use devices that may contain sensitive information. Companies that follow a Bring Your Own Device (BYOD) policy must ensure that each personal device is encrypted and has a robust firewall and an anti-virus system in place.

Network: Employers must ensure that every employee's wireless router is configured with WPA2-AES encryption and that its default password has been changed. All devices that access the wireless network must be encrypted and password-protected by the IT department. The company's intranet must be accessed via a VPN only, and all sensitive information transmitted over these networks should be encrypted.

Updating software: All relevant software must be updated regularly, and access logs of all remote activity must be maintained. The IT department must review these logs periodically for any anomalies or breaches.
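The periodic log review mentioned above, and the location-based access restrictions mentioned in the Finance section, can be partly automated. The script below is an added example written for this page, not code from the original post or from any product it may be describing. It assumes a hypothetical VPN gateway log format (one line per login attempt with user, source address, country and result) and constructed sample lines; the allowed-country list, failure threshold and business-hours window are assumptions a real deployment would set from its own policy.

```python
"""Review remote-access logs for three compliance-relevant conditions:
successful logins from countries outside the allow list, successful logins
outside business hours, and bursts of failed logins for one account."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in a hypothetical gateway format (not a real product's).
SAMPLE_LOG = """\
2020-06-01T08:12:04Z user=alice src=203.0.113.10 geo=US result=success
2020-06-01T08:13:40Z user=bob src=198.51.100.7 geo=US result=success
2020-06-01T02:30:11Z user=carol src=192.0.2.44 geo=RU result=success
2020-06-01T09:00:01Z user=dave src=203.0.113.55 geo=US result=failure
2020-06-01T09:00:05Z user=dave src=203.0.113.55 geo=US result=failure
2020-06-01T09:00:09Z user=dave src=203.0.113.55 geo=US result=failure
2020-06-01T09:00:13Z user=dave src=203.0.113.55 geo=US result=failure
2020-06-01T09:00:17Z user=dave src=203.0.113.55 geo=US result=failure
2020-06-01T09:00:21Z user=dave src=203.0.113.55 geo=US result=failure
2020-06-01T10:15:00Z user=alice src=203.0.113.10 geo=US result=success
garbled line that does not match the format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)

# Policy parameters (assumptions for this example).
ALLOWED_COUNTRIES = {"US"}
FAILURE_THRESHOLD = 5          # failures within the window that trigger a finding
FAILURE_WINDOW_SECONDS = 300   # sliding window for counting failures
BUSINESS_HOURS_UTC = range(7, 20)  # 07:00-19:59 UTC counts as business hours


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count and report unparseable lines too
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def review(events):
    """Return a list of (finding_type, user, detail) tuples for the reviewer."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures in the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "success":
            if ev["geo"] not in ALLOWED_COUNTRIES:
                findings.append(("geo_violation", ev["user"], ev["geo"]))
            if ev["ts"].hour not in BUSINESS_HOURS_UTC:
                findings.append(("off_hours", ev["user"], ev["ts"].isoformat()))
        elif ev["result"] == "failure":
            window = recent_failures[ev["user"]]
            window.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while (ev["ts"] - window[0]).total_seconds() > FAILURE_WINDOW_SECONDS:
                window.pop(0)
            # Report once, when the threshold is first reached.
            if len(window) == FAILURE_THRESHOLD:
                findings.append(("failure_burst", ev["user"], ev["src"]))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:15} user={user:8} {detail}")
```

On the sample data the review reports a login from a country outside the allow list, the same login as an off-hours event, and one failure burst for the account with six rapid failed attempts; the garbled line is skipped rather than aborting the run. The sliding window and single report per burst keep the output short enough for a periodic human review, which is the point of the log-review requirement rather than an alert flood.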

Videoconferencing & File sharing: When using video conferencing software to collaborate, always ensure that the meeting is password-protected, especially when discussing sensitive information. Sharing files and other sensitive information through video conferencing tools must be discouraged so that potential cyber threats can be avoided.

It is more critical than ever before to remain vigilant as cyberattacks are most common during vulnerable times like these when there is a large volume of information being shared across multiple networks daily. The organization and its employees must work together to ensure that stringent measures are followed to avoid data breaches.
