What cyber best practices does CAMICO recommend for remote work, given the pandemic’s "new normal"?
The sudden transition to accommodate employees working remotely in response to the pandemic had many CPA firms rushing to establish or update their policies and security protocols to address working remotely, given the security challenges not present in traditional office environments.
Many firms are opting to offer staff more permanent remote work arrangements. CAMICO is encouraging these firms to revisit their written policies and security protocols to assess their specific threats, risks, and vulnerabilities to ensure that appropriate safeguards are in place to address the new paradigm.
When evaluating the propriety of a firm’s policies and security protocols in light of the new remote work environment, first assume that threats will occur. Assuming that threats will occur can be a difficult pill to swallow, especially for firms that do a good job of securing their on-premises infrastructure. However, potential vulnerabilities exist within the infrastructure and applications employees use to work remotely.
Although not meant to be all-inclusive, the following basic best practice measures for firms continue to be extremely critical given remote work’s increased cyber exposure:
- Ensure all software has the latest security options/patches. This will help protect against malware, viruses, and hacker attacks.
- Frequently back up all important data and information and verify your backups. Regular backups reduce the likelihood that critical data is lost in the event of a cyberattack. Protect the backups in all remote and external locations, outside of your network, where they are safe from ransomware that targets backup copies. Periodically verify that your data backup process is working properly to assure that your data will be recoverable were a crisis to occur.
- Require employees to change and strengthen passwords frequently. Systems are only as secure as the passwords used to access them.
- Use multi-factor authentication. This can add an extra level of security to help prevent an account hack, especially when employees work remotely.
And remember, even the best employees can become complacent about adhering to cybersecurity best practices when working remotely. Setting clear rules to govern how employees work remotely is an important step in managing remote access threats. Claim trends show that employees are the weakest link and the first line of defense against most, if not all, cybersecurity attacks. Special attention should be given to ensure that your firm continues to prioritize appropriate firm-wide cybersecurity awareness training.
Although not meant to be all-inclusive, firms should enforce the following basic best practice measures for remote employees:
- Maintain strong work-from-home cyber hygiene. Adhere to the firm’s policies and cyber protocols when working remotely (e.g., machine use restrictions, WiFi passwords, virtual private network (VPN), firewalls, and a properly secured router). In addition to strong WiFi passwords, the wireless router should be no more than five years old and frequently updated with the latest firmware.
- Slow down to avoid being yet another "phishing scam" victim. Take the time necessary to validate suspicious or unexpected email. And do not click a link, pop-up or attachment without first hovering the cursor over the link to display the URL to assess its legitimacy. If there is an urgent call to action, rather than clicking on a link, consider a different way to validate the request, such as calling to get verbal confirmation that the communication is legitimate, or going directly to the purported sender’s URL.
- Power down computers when not in use, whether in the office or when working remotely. Computers are not accessible to attacks or intrusions when powered off.
- In the event of a potential cyber security “incident,” immediately inform the appropriate parties within your firm. Examples include, but are not limited to, unauthorized use, malicious code, compromise of confidential client information, unauthorized disclosure or loss of information, information security breach, etc.
Remote work has inherent security risks. However, firms will certainly be better positioned to mitigate these risks by adhering to these basic best practices and proactively refining their policies and security protocols to encompass the unique security challenges of remote work arrangements.