The spread of Coronavirus (COVID-19) has led companies to encourage employees to work remotely. Given that cyber attackers are always ready to exploit any security vulnerability, companies should ensure that they have in place a robust IT code of conduct that supports their wider information security policies.
In part owing to the encouragement to “work from home” since the early stages of the pandemic, companies have widely adopted measures allowing employees to work remotely, using either devices provided by the company or their own, known as Bring Your Own Device (BYOD).
As a result, companies are facing a significant risk of cyber attacks. For example, the French National Information Security Agency, the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) has noted an increase in fraud related to the public health emergency and attempts to exploit COVID-19 for phishing or scamming.
Another source of risk noted by the ANSSI is the lack of security measures in place where employees access company networks, especially when they use their own devices without employer authorisation (known as shadow IT). Cyber attackers are ready to exploit any security vulnerability, and companies are particularly vulnerable during this crisis.
To effectively manage and secure employee remote access to the company’s information system, procedures related to information security must be adapted to reflect the increase in remote working and the exponential growth or cyber security risks. The European Union Agency for Cybersecurity (ENISA) has published Tips for cybersecurity when working from home, which emphasise the importance of fostering employee awareness, especially regarding the current increase in phishing attacks using emails related to COVID-19.
IT Code of Conduct
In addition to detailed organisational and technical security measures, an internal IT code of conduct can be a crucial tool. An IT code of conduct aims to reinforce the importance of information security and involves employees in such a way that they become key actors in the protection of information. A robust code also allows employers to control how employees access and use tools and devices made available to them for remote work, and to take disciplinary measures in case of violations.
As companies must, for the time being, work remotely, it is in their best interests to ensure that an IT code of conduct is put in place and is effective. Companies should, in particular, ensure that their code covers common practices such as BYOD, and implements strict security measures that cover the current public health crisis and the increased risk of cyber attacks.
Companies should double check that their IT codes of conduct achieve the following goals.
Explicitly include employees working remotely in the scope of the code, and specify the conditions under which employees can use their own devices.
Impose the use of strict security measures on employees’ personal devices, such as installation of a privacy filter on the screen, use of a complex password that is also regularly changed, installation of up-to-date anti-virus software, and access to the company’s remote system through a secure tool.
Strictly limit the personal use of devices provided by the company to minimise exposure to cyber attacks. This can be achieved by imposing periodic inspections of the devices by the information security department. If the company allows personal use of company devices to a reasonable extent, the parameters of that use must be precisely defined.
Reinforce the rules of confidentiality that apply to remote working. In particular, employees should only share highly confidential information or sensitive information through the company’s secure file sharing tools and not through email. In addition, employees using their own devices should be advised on the need to separate the professional and personal content on those devices, and be advised that the company may access professional content stored on their devices. The French Data Protection Authority has recently stated that companies are allowed to not only access but also delete data stored on the parts of the file system dedicated to remotely accessing the company’s resources.
Define a protocol to be followed in case of a security breach, e.g., phishing, Trojan horses or a virus. The company should designate a dedicated contact person, reachable by email or phone, so employees can quickly report the problem and appropriate measures can be put in place. Employees must be encouraged to report not just confirmed incidents, but also attempted breaches, to allow the implementation of preventive measures and test methods of security breach detection.
Stipulate proportionate disciplinary measures that apply in case of violation of the code. This enables companies to sanction employees found to have violated the code.
Be vested with binding force through the inclusion in company bylaws. Most countries will have a specific procedure that company rules must follow in order to be binding. In France, for example, prior to its adoption, an IT code of conduct must be submitted to the Social and Economic Committee (Comité social et économique) for review, filed with an employment court (conseil de prud’hommes), and communicated to the Labour Inspectorate. To be enforceable against employees, this process must also be followed whenever the IT code of conduct is updated. Considering the extra burden such formalities present during a crisis situation, we are expecting governments to adopt specific measures providing simplified procedures.
Widely disseminated in order to effectively inform employees of the rules that must be followed when working remotely, and to ensure that the rules are enforceable against employees. Regular awareness-raising campaigns through, for example, information newsletters, tutorials or warnings regarding cyber attacks, should be conducted.