Virus Protection Has a Whole New Meaning
For compliance professionals, listen to our accompanying audio interview discussing HIPAA, security operations center (SOC), and Payment Card Industry (PCI) Data Security Standard (DSS) compliance during a pandemic, featuring Brett Bane of Pondurance and Robert Ramsay of Barnes Dennig.
Pondurance and Barnes Dennig Conversations – COVID-19 and Compliance
Remember when virus protection only referred to malware? When we talked about “wiping phones” prior to March 2020, it was all about erasing data from a lost device. With millions of people around the world working from home and spending endless hours on video call platforms like Microsoft Teams and Zoom, there is a plethora of new cybersecurity issues to consider, and we’ve detailed some of the top ones here. Have one to add to the list? Let us know!
Using Home Wi-Fi for Business Purposes
Remind your employees to be especially careful of shared, borrowed, or free networks on older routers or home access points, which may not be as secure as newer technology. Consider requiring employees to use a password-protected router that is under their own control.
Using a virtual private network (VPN) has become a common practice for ensuring data in transit is encrypted, and while that’s an excellent line of defense, it’s only effective if your employees consistently log in to the VPN. Consider implementing a policy for that as well, if you don’t already have one in place.
Sharing Work Computers With Family Members
With so many kids doing their schoolwork from home, it may seem logical to share devices, but that can present a security risk. The most secure stance is to implement a policy limiting the use of company-owned devices to company work only (e.g., Do not use this computer for anything but work). Whether that works for your organization depends on your company culture.
Adding Personal Devices to Your Company Network
This is tempting if your employees don’t all have company-issued laptops, and many organizations already have bring-your-own-device policies and practices. But “bring your own device to your home office” may be an entirely new phenomenon.
It may seem counterintuitive, and it will depend on the sophistication of your workforce, but you may need a policy that very specifically defines how employees get equipment to use at home and how that equipment is configured with remote access and antivirus solutions.
Don’t Get a Virus From Fighting the Virus
Scammers are clever, and anxiety levels everywhere are high — anxious people are more prone to making mistakes. They may be clicking on new sites, and they’re definitely adding new meeting tools and receiving more calendar invitations with links. Now is a great time to implement additional training for being cautious about misinformation campaigns, malware attacks, and phishing schemes.
Remember To Exit
Whether it’s another work meeting or a happy hour event, be sure to exit your Teams, Zoom, or Hangouts meeting. You probably don’t want to continue broadcasting your work or family life after the event has ended.
The Need To Shred Didn’t Get Shredded
The need for shredding confidential information doesn’t go away when your employees are working remotely. You may need a detailed plan for saving and shredding later for employees who don’t have their own shredders at home. Perhaps those empty cardboard boxes in the office would be useful for employees to use at home, saving confidential information for shredding later at the office. Another idea is to have shredders shipped to employees who access sensitive data. Materials to be shredded should still be stored in a physically secured part of the employee’s home.
Disinfecting Your Device – Hand Wipe vs. Delete Wipe
Now that we’ve covered the digital realm, let’s take a moment to look at disinfecting our devices in the physical world. Research shows we check our phones an average of 47 times per day, and unfortunately, they’re crawling with germs: A recent study found more than 17,000 bacterial gene copies on the phones of high school students. In a world where we’re all much more concerned with sanitizing, keeping our devices clean has a whole new level of priority.
Don’t be afraid to use a disinfecting wipe on your phone and keyboards — any residential-grade hand or surface wipe should disinfect your device. Note that Apple has changed its position on using alcohol wipes on phones as of April 23, now saying it’s fine to use a 70% isopropyl alcohol wipe — but you still can’t use bleach. (The Wall Street Journal’s Joanna Stern has a clever article and video on her trials with a variety of cleaning solutions.)
The Pondurance team helps companies stay compliant with SOC 1, 2, and 3, PCI DSS, HIPAA, General Data Protection Regulation, and many other compliance frameworks, and we’re very interested to see how IT departments evolve their policies and procedures to accommodate the work-from-home conditions imposed globally. If you have questions, have a story to share, or would like to talk about compliance for your organization, reach out to firstname.lastname@example.org. We’re here to help.