For a while now, we have been working on the development of a pandemic plan for our company. Information Technology supports this plan in many ways. Through the use of technology we can increase the number of employees who can “work at home” and use Virtual Private Networking (VPN) software to remotely connect into our systems to perform their work. Getting employees out of the office but still having them be productive is a form of “Social Distancing” that can reduce the risk of exposure to disease.
A component of any pandemic plan needs to be communication about what can and cannot be done from an Information Security perspective, even in a pandemic situation. For example, we only allow company-configured machines to connect to our network, even over a VPN connection. However, not all of our employees have laptops, so many of them cannot work at home. It must be reinforced that information security policy is still policy even in a pandemic: employees who do not have company laptops must not email documents or data to themselves to work on using their home (or any other non-company-owned) computer. The same applies to taking work home on portable USB drives or other media. Even with the best intentions of helping your company, you are putting the company at risk of its data being intercepted, copied or lost, resulting in a privacy breach.
Why be so paranoid? Our employees are only trying to be more efficient and effective at a time when 20%-30% of the company might be out sick. It can't be that bad, right? Wrong. A big reason is “endpoint protection”. Your company’s endpoints (workstations and laptops) have known, approved and licensed software on them, they have anti-virus software running, they are regularly patched for security vulnerabilities and they are free of peer-to-peer sharing software. Some of your employees' home machines MAY be up to your company’s standards, but what if even one is not? When your employee is done with their work, are you sure that no backup or temporary files will linger behind? How many of your employees have children who use the home computer to share music or files? What about viruses or malware infecting your corporate network once this work is brought back into your production environment? What if the employee actually loses the USB drive? Not to mention the risk of a shared or compromised Gmail or Yahoo mail account.
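The endpoint requirements above (a company-managed machine, only approved software, anti-virus running and current, recent patches, no peer-to-peer clients) are exactly the kind of checks a VPN gateway can enforce before it lets a session through. The following is an added example, not code from the original post or from any particular VPN product: it evaluates a constructed endpoint posture report against those requirements and returns an allow/deny decision together with the reasons. The report field names, the numeric thresholds, the approved-software list and the peer-to-peer process names are all assumptions made for the example.

```python
import datetime as dt

# Policy parameters. The post states the requirements (managed machine, approved
# software only, anti-virus running, regularly patched, no peer-to-peer software)
# but gives no numbers; these thresholds and lists are assumptions for the example.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7
APPROVED_SOFTWARE = {"office-suite", "vpn-client", "corp-av", "pdf-reader", "browser"}
P2P_PROCESSES = {"utorrent", "bittorrent", "limewire", "kazaa", "emule"}


def _days_since(date_str, now):
    """Days between an ISO date string and `now`; None if the field is absent or malformed."""
    if not date_str:
        return None
    try:
        return (now - dt.date.fromisoformat(date_str)).days
    except ValueError:
        return None


def evaluate_posture(report, now):
    """Return the list of policy violations in a posture report (empty list == compliant)."""
    violations = []

    if not report.get("company_managed", False):
        violations.append("device is not company-managed")

    if not report.get("av_running", False):
        violations.append("anti-virus is not running")
    sig_age = _days_since(report.get("av_signature_date"), now)
    if sig_age is None or sig_age > MAX_AV_SIGNATURE_AGE_DAYS:
        violations.append("anti-virus signatures missing or older than %d days" % MAX_AV_SIGNATURE_AGE_DAYS)

    patch_age = _days_since(report.get("last_patch_date"), now)
    if patch_age is None or patch_age > MAX_PATCH_AGE_DAYS:
        violations.append("security patches missing or older than %d days" % MAX_PATCH_AGE_DAYS)

    # Anything installed that is not on the approved list is a violation.
    installed = {s.lower() for s in report.get("installed_software", [])}
    unapproved = sorted(installed - APPROVED_SOFTWARE)
    if unapproved:
        violations.append("unapproved software installed: " + ", ".join(unapproved))

    # Running peer-to-peer clients are called out separately so the reason is explicit.
    running = {p.lower() for p in report.get("running_processes", [])}
    p2p = sorted(running & P2P_PROCESSES)
    if p2p:
        violations.append("peer-to-peer software running: " + ", ".join(p2p))

    return violations


def vpn_decision(report, now):
    """Allow the VPN session only when the endpoint passes every check."""
    violations = evaluate_posture(report, now)
    return ("allow" if not violations else "deny", violations)


# Constructed sample posture reports and reference date (not real data).
NOW = dt.date(2009, 6, 1)

CORPORATE_LAPTOP = {
    "company_managed": True,
    "av_running": True,
    "av_signature_date": "2009-05-30",
    "last_patch_date": "2009-05-15",
    "installed_software": ["office-suite", "vpn-client", "corp-av", "browser"],
    "running_processes": ["vpn-client", "corp-av", "browser"],
}

HOME_PC = {
    "company_managed": False,
    "av_running": True,
    "av_signature_date": "2009-03-01",  # stale signatures
    # no last_patch_date reported at all
    "installed_software": ["office-suite", "browser", "limewire"],
    "running_processes": ["browser", "LimeWire"],
}


if __name__ == "__main__":
    for name, rep in (("corporate laptop", CORPORATE_LAPTOP), ("home PC", HOME_PC)):
        decision, why = vpn_decision(rep, NOW)
        print(f"{name}: {decision}")
        for v in why:
            print("  -", v)
```

A missing or unparseable date is treated as a violation rather than skipped, since a client that cannot report its patch or signature state is exactly the one that should not be trusted by default. The same evaluation can be applied to any machine that asks for a session, so it closes the gap the post describes: a home PC fails the managed-device check alone, before its stale signatures or file-sharing client are even considered.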
All of these scenarios can cause data leakage or data loss that can lead to a privacy breach. According to the most recent Ponemon study on the costs and causes of privacy breaches, “Over 88% of all cases this year involved incidents resulting from negligence.” That leaves under 12% attributable to malicious activity. The 88% is made up of employees who think they are doing the right thing, are trying to help, and believe that nothing bad can happen.
So, please reinforce to your employees and peers that it is not safe to trust public networks, infrastructure or non-company-owned equipment to store or work on company confidential materials. Even in a pandemic situation, where your workforce may be diminished and people are looking for innovative ways to “keep the lights on”, information security policy is still in effect, and information security risks, and their consequences, outweigh lost productivity.