In this episode of Culture of Compliance, Sabrina Serafin interviews Jodi Daniels of Red Clover Advisors. They discuss the unique data security challenges that working from home may present to companies.
Culture of Compliance: Data Security with a Remote Workforce
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin: Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, partner and national leader of Frazier & Deeter’s Process, Risk and Governance practice.
Today, we are speaking with Jodi Daniels, founder and CEO of Red Clover Advisors, a data privacy advisory service that specializes in privacy regulation and other aspects of data strategy. Welcome back to the podcast, Jodi.
Jodi Daniels: Hello. It’s great to be back on the podcast and talk with you today. Thanks for having me.
Sabrina: Well, this is a very timely topic. We are currently recording this podcast from our homes, so please forgive any barking dogs or children that you may hear in the background.
Prior to this recording, the White House issued guidelines that people should not congregate in groups of more than ten, which creates an immediate challenge for most businesses.
How do we make the shift to a completely remote workforce? Jodi, can you tell us some of the privacy concerns that first come to mind when considering people working from home?
Jodi: Sure. The first one is some people might be using a work laptop, but a lot of people might also be using a personal laptop. So you now potentially have company information on a personal laptop. You might have the work laptop that’s also going to be used for people to help their children with schooling. So now, you also are exposing other websites and other people to whatever type of information you have.
You also might not have thought through all the security measures: how do I log in to that Zoom, WebEx, GoToMeeting (pick your flavor) remote capability that you might be using, or the home Wi-Fi networks that people will be connecting to? They might not have passwords set up on them. So there’s the basic security hygiene of just who’s going to have access to your information and how you would “lock down” the devices, whether that be mobile or the computer, to make sure that bad actors aren’t getting in there.
Sabrina: Great statement – hygiene. Thinking about today’s topic, “Making the Move to a Remote Workforce”, what is one of the first questions employers should ask themselves?
Jodi: I think it’s how are you going to do any of the basic items that we just talked about. To me, a very simple one is reminding employees to set a password on their Wi-Fi. Show them how to do it. I know there’s a variety of different Wi-Fi and routers out there, but that’s a really basic one. We often tell people, “Don’t use the public Wi-Fi when you go to your local Starbucks or coffee shop”. Well, the same is true in the home.
We want to be able to make sure that we have that secured and locked down. Making sure that they’re aware of practicing good practice in terms of which websites they’re visiting. Unfortunately, there are going to be bad actors trying to take advantage of a vulnerable situation, and we want to make sure that people know what to be looking for, whether it’s a real email from someone in their company or they’re outside browsing the web now on their home laptop because they’re on it all day long. And by reminding people what they should and shouldn’t be doing.
I would even recommend some simple password changes and making sure that they’re really strong passwords as well as two-factor authentication. Then making sure that you’re using a two-factor password to a text or to a third-party app or a token or something like that.
Sabrina: Are those easily implemented for those who may not have been prepared for this shift in the workforce?
Jodi: They are. There’s Google Authenticator, there’s an authenticator called Authy, there are many tools. A lot of companies use all kinds of third-party tools where you can have it set up to have a text sent to a cell phone and you have to have a one-time passcode; some one-time passcodes are sent to email.
There’s another authenticator app that I use with some of my clients called Ping ID. And it really isn’t a very long, complex process. It doesn’t involve significant software installations or anything like that, it’s pretty quick to be able to have companies get with the right setup.
It’s pretty standard, in the retail environment I think we often see it when you want to change your passcode or banks often use it. The same is true here, we’re just trying to implement another layer to prevent the bad actors from getting to our data.
Sabrina: Great advice. You talked about devices, what are some of the physical security issues that some businesses may not have considered?
Jodi: I think just the number of people who might actually have access to the device and the kind of information that might be stored. If I’m using my phone more than I might have before, or if I’m using my home computer more, I might be saving files to my computer or maybe I’m going to flip back and forth between my home computer and my work computer.
Personal information or company confidential information might be shared between both of those devices. I think educating employees, creating a simple practice, then a simple policy of “company information should stay on the company device.”
Or if there is no company device, then it’s going to be a personal device making sure that the employee knows that that’s company information, and what procedures might need to be put in place to make sure that that information is protected.
Maybe the employer has access to that personal device at some point. I think a lot of companies these days will have people on their own work devices, but what’s going to happen is people are probably going to switch back and forth often between their mobile, their personal and their work. You’re going to have all the kids and everyone else in the home all kind of flipping between computers, so I think going back to what we’ve just talked about with those passwords and two-factor authentication will help actually with the physical security of the laptop.
And, just a simple one, is making sure that you have a good password on your mobile phone. For some, you want to install the fingerprint device so that not everyone can get into the mobile and send anything they want. The same is true on a laptop, make sure that you have a password or a fingerprint or something to actually get into the device.
Sabrina: Security awareness has become a larger part of how organizations protect themselves. So what comes to mind in terms of training for employees specifically during this time?
Jodi: At this time, everyone is a little extra frazzled. So, what we might have shared before, now is the time to repeat. I don’t think we can overemphasize anything, whether it’s just washing our hands, we need to hear it 100 times. The same is true with good security hygiene, so reminding employees, pull out whatever you’ve done, and do a quick video on it and share it with folks.
Create a PDF document, and think about your different learners. Some might be visual, some might need to read something, some might want paragraphs, one might want bullets. Keep emphasizing.
Create that new password, be careful of that website, provide examples of what phishing emails might look like, walking people through step by step I think will make significant inroads. Have some fun with it. Create little graphics if you can, there’s no shortage of information that is available these days so start with what you’ve already created.
Maybe the next day it’s passwords, the day after that it might be physical devices and repeat the cycle. Because this week is an interesting week where people are first getting into this remote working thing, figuring out what home-schooling might need to look like or working at home might look like.
So next, we kind of repeat and just continue on that cycle to ensure that all the data is going to be as protected as possible during this time.
Sabrina: Thanks, Jodi. Let’s turn now to connecting to company data. What are some questions management teams need to consider?
Jodi: They want to be thinking about a virtual private network (VPN), so that there’s a distance between the computer and where that company information is. When you’re thinking about a VPN, there are different levels of VPN appropriate for different sized companies. Those that have significant databases might need to have different layers of access throughout, and you want to be thinking about who in the company should have access to each of those different environments.
Potentially it might have only been one person at home, but now you need to think about connecting a business continuity plan because one, if that one person happens to be the one who contracts the virus, you need to have a backup plan, and now that backup plan is someone remote. You have to be thinking about the level of access, but you do not want everyone in the company to have access to all of the information. You still want to make sure you have those access controls in place.
Going back to the VPN for a moment, you want to think about how many licenses you need. Some of these services are by employee or by licenses, so make sure you have the appropriate amount in place. Also that policy perspective, create a little tutorial to help employees understand what they need to do, because many of them might not have used this software before.
It’s not complicated, but it’s something to make it extra simple. Let’s provide a simple tutorial to explain what it is and how to use the software to be able to protect that company information.
Sabrina: That’s great. You’ve mentioned authentication, what are some best practices that we can share for internal or outsourced I.T. departments supporting the organizations at this time? What do they need to have in place?
Jodi: If you already have a policy, I highly recommend you print that policy and have it already handy and share it with a wider executive team. Go into that business continuity thinking and then double check the licenses like we just talked about. Make sure you have the right software and licenses for your size business.
For access controls, make sure that you don’t have everyone having access to everything. This isn’t about moving it so the whole company has access, but you still have to appropriately size which departments have access to which pieces of information. Emphasizing strong passwords, we often recommend a password phrase or complex password generators that are out there. Even tools like a LastPass or one-tap will help with complex passwords that are out there.
For an I.T. department to really be able to break down all of the requirements, as I had said at the beginning of this question, is share it with the executive team because I think the executive team needs to understand how critical this time is for protecting our data so that we don’t turn a pandemic into then a data breach scenario.
Sabrina: OK, so we’ve covered devices, virtual private networks, training, and user accounts. What are the best practices companies need to follow to protect their own and their customer data?
Jodi: They want to be encrypting information. So if they’re not already, now is a great time to be encrypting information – making sure that employees have encrypted laptops and making sure that employees are aware of how to back up information. So if I’m on my laptop, how often is the information being backed up? I did all my personal devices, not really the best backup having malware in place that’s up to date.
Again, hopefully everyone here will be on a VPN. You want to be able to push out malware updates as best as possible. But for some companies, that won’t be the case. So make sure that there’s a friendly reminder every week to make sure that your device is up to date, because unfortunately, there are going to be some bad actors trying to take advantage of the situation. We want to make sure that we’re doing everything we can to be able to protect against that.
Basic encryption, malware review and proper backing up procedures will help protect that data.
And then from a privacy point of view, just making sure that people realize that there are still some privacy laws that are in place that people need to be adhering to. We can’t use data in a different fashion, we have to make sure we’re still complying with privacy laws. So we have the security side covered and just a little snippet on the “you” side.
Sabrina: Thank you, Jodi, for being with us today and giving very timely advice to businesses who are dealing with a very challenging situation. I think it’s important to note that this is a prime time for threat actors and we have to be increasingly diligent to protect ourselves through this troubling time.
We hope this information will help a lot of organizations, and thank you for listening to Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode as we continue to discuss transforming compliance requirements into investments in your business.