Is your business ready for Coronavirus?
As the coronavirus continues to spread, more companies are encouraging staff members to work from home. But is your organization ready for large-scale telecommuting? Consult our coronavirus checklist for cybersecurity and knowledge management and take steps to improve your company’s level of preparedness.
All organizations should already have a business continuity and disaster recovery (BCDR) plan in place, one that documents what to do in case a disaster such as a fire, flood, civil unrest, pandemic, or any type of large-scale crisis such as coronavirus occurs. A good BCDR plan should include documented procedures for ensuring critical business operations can occur in case of or immediately after an emergency, even if staff aren’t able to physically get to the office. BCDR plans should be routinely reviewed and updated, and they should cover people (roles and responsibilities), processes, and technology.
If your organization doesn’t already have a BCDR plan in place — or you have one, but it hasn’t been updated or tested in a while — now is a good time to take a look at it with a critical eye and make sure that your organization’s policies, processes, tools, and technical infrastructure are ready for a high percentage of staff to work from home.
If your plan is in place, are staff aware of organizational expectations, policies, and procedures? Do staff members all know how to work from home while following proper information security protocols? Do they have the right tools and know how to use them? Do they have appropriate access to the information, data, and knowledge they need to be successful?
Read on for our coronavirus checklist for cybersecurity and knowledge management. These cross-cutting tips impact all parts of a knowledge-based organization — IT, HR, senior management and leadership, finance, and more. Follow these tips to prepare your business for coronavirus, pandemics, and other large-scale disasters.
Tip #1: Keep Cybersecurity Top of Mind
Don’t allow a crisis to become an excuse to ignore information security policies or allow staff to bypass technical controls. Having proper cybersecurity policies, procedures, and technical controls in place is always important. But when more staff members — particularly those who aren’t accustomed to working outside of the office — are suddenly working from home, it’s tempting to get lax with security in favor of making it easier for people to “get things done.”
Instead, make sure your organization’s information security policies, processes, procedures, and technical controls are appropriate for your organization’s risk appetite and are designed to support staff who are teleworking. Security isn’t just about preventing hacking attempts, but rather about ensuring the confidentiality, integrity, and availability of data. From an information security perspective, the key question to ask is:
Can staff get to the information, data, and knowledge they need to be successful, even if they are working from home?
If not, what’s the issue and how can it be addressed? If staff aren’t able to reasonably access what they need, they’ll bypass security measures, which will inevitably lead to other potentially serious issues.
Tip #2: Prepare Laptops & Mobile Devices
We recommend restricting access to organizational information and knowledge to organizationally-provisioned computers and personal mobile devices that are encrypted. For computers, this means staff should only use workstations that are managed by IT — not their personal computers — even if they’re suddenly working from home.
For a whole host of security-related reasons, it’s never a good idea for staff to use personal computers to access company information. If staff are going to work from home, they should be using laptops, loaners, or even desktop machines that have been set up with all of your IT department’s standard management functionality in place including automated operating system patching, application patching/updates, antivirus updates, automated backups, event monitoring and logging, and cloud syncing capabilities. It’s important that security updates are pushed to workstations even if they’re not connected to the company’s network. Plus, IT should have visibility into each machine so user support and remote troubleshooting is possible.
With mobile devices, if your organization allows staff to use personal mobile devices (phones or tablets) to access organizational data and information, require devices to be encrypted and protected with a screen lock.
Tip #3: Make sure the VPN can handle business needs
Virtual private networks (VPNs) are a critical way to help mitigate many of the security issues that arise when staff work outside of an organization’s carefully controlled and monitored environment.
Using a VPN makes it possible for IT to provide remote access to services that are physically hosted on-premises such as shared network drives.
Historically, VPNs were always the bane of existence for staff who worked from home — they were cumbersome to use and notoriously slow. Fortunately, VPN technology has improved over the years, and an IT staff should be able to configure the VPN to alleviate some of the speed issues.
As your organization is ramping up for many staff members to work from home at the same time, many of whom aren’t accustomed to working remotely, take this opportunity to:
- Review your VPN licenses — specifically, make sure you have an adequate number of concurrent use licenses
- Properly train all staff who will be working from home on how to use the VPN
- Make sure the VPN is fast enough to be viable for staff to conduct business-critical operations
- Test and confirm that management capabilities are fully-functional via the VPN (i.e., if it is necessary for a machine to be connected to the organization’s network for it to receive updates or patches, confirm this functionality via the VPN)
- Deploy a split tunnel VPN so certain high-bandwidth cloud services such as Office 365, Google, or Salesforce can be accessed directly rather than through the VPN
Tip #4: Set up an Independent VPN for Management Purposes
One of the key principles for information security is redundancy — i.e., ensuring that mission critical systems, platforms, and infrastructure devices such as the VPN have a level of redundancy that aligns with your organization’s risk appetite and BCDR plan.
If staff are working from home and the VPN server goes down, is it possible for a member of the IT staff to remotely troubleshoot? For many organizations, the answer is no.
To mitigate this potential problem and to provide an added layer of security, we recommend setting up a VPN specifically for systems administrators and network engineers to use to manage the organization’s networks and other infrastructure devices. This second VPN should be completely independent of the main VPN used by staff members; it should have its own internet connection, should run on its own hardware, and use strong, certificate based authentication. Additional security controls should be in place to help prevent and detect unauthorized access.
Trying to set up this type of VPN remotely would be a mess; if your organization needs an independent VPN for management purposes, set it up now.
Tip #5: Review and Align Your Policies
Policies help an organization define, establish, and maintain consistent ways of working and help set expectations for staff. Depending on your organization’s size, sector, and regulatory requirements, it’s likely that a bunch of information security, HR, and IT policies already exist, many of which might address issues that become magnified or confusing when staff members begin working from home.
Use this opportunity to review existing policies, identify gaps and inconsistencies, and address potential items that should be highlighted and discussed with staff.
Examples of policies to review through the lens of what it means to work from home:
- Data Classification Policy
- Encryption Policy
- Information Security Policy
- Mobile Device/Bring-Your-Own Device (BYOD) Policy
- Network Access/VPN Policy
- Remote Work/Telework Policy
Staff should know who can work from home and what the expectations are. Accountability for following these policies should be addressed — for instance, using a VPN or a work-issued computer shouldn’t be optional.
Tip #6: Communicate Clearly & Manage Expectations
During times of change or crisis, it’s essential for organizational leaders and managers to communicate as clearly as possible and to manage expectations across the organization.
For organizations that heavily rely on face-to-face forums, how will you communicate with staff if everyone is working off-site? What will replace physical town hall meetings? Will you shift to virtual meetings that are video recorded? Or rely on email? There’s no single answer, but sharing your communication plan with staff in advance so they know what to expect will help alleviate some of the uncertainty, stress, and confusion that can accompany any emergency or large-scale transition.
Likewise, it’s important to have channels and mechanisms in place so staff can communicate up to leaders and managers. (See tip #7 for some ideas.)
In addition to general-purpose updates, announcements, and other news, it will be essential for staff throughout the organization to understand expectations and nuances of working from home. Clear communication that is consistent throughout your organization will help. Is there a clear understanding across departments of what it means to work from home?
- Are staff expected to work the same hours as they do in the office?
- When staff are working, are they expected to immediately respond to instant messages or emails?
- Are staff expected to maintain the same dress code if they’re working in the office or from home? Or is a more casual approach acceptable?
- Are meetings going to be video or audio only?
- Will standing meetings still occur?
- Are staff members expected to work from their homes? Or is it acceptable for staff to work from restaurants, coffee shops, or other public places?
In addition, are there any limitations to working from home that staff should be prepared for? For example, staff might not be able to print or scan. They probably won’t have a desk phone and will need to be prepared to use a soft phone and headphones. Likewise, staff won’t be able to get the same level of support from IT that they’re used to if they’re having trouble with certain types of equipment. (See Tip #9 for more thoughts about tech support.)
It’s likely that staff will have a bunch of questions. Getting these questions into the conversation now and setting appropriate expectations will make it easier to have a smooth transition and have consistent operations throughout the organization.
Tip #7: Use knowledge sharing and collaboration platforms such as Microsoft Teams or Slack
Over the past few years, Microsoft Teams and Slack have emerged as the two main players for real-time collaboration and knowledge sharing platforms, and both are currently offering free versions of their tools. (Google is reportedly working on something in this space, but the Google Suite doesn’t yet have a comparable tool.)
Regardless of which platform your organization adopts, having a single platform where people can work together has the potential to make working from home a much more similar experience to working in the office than ever before.
But as is the case with any type of large-scale platform deployment, don’t launch Teams or Slack and expect automatic adoption. Without guidance, staff won’t know how they’re expected to use this new tool or for what purpose(s). Rolling out Teams or Slack without much structure or guidance will likely lead to chaos, frustration from staff, and some clean-up headaches in the long term.
Rolling out Teams or Slack in a meaningful, organized way typically isn’t an overnight project; it takes planning, governance, structure, change management, and training. But unusual times call for different ways of working, and an accelerated approach is possible.
If you already have Teams or Slack in place, it can be helpful to use three organization-wide channels:
- One for official communication from senior leaders
- One for targeted questions, answers, and conversation threads about working remotely
- One for more general stuff, including social posts
This type of communication is just one of the many ways in which Teams and Slack can be used, but it’s a critical aspect of quickly transitioning staff to being able to work from home.
Tip #8: Use a Conference Room for Hands-On Staff Training & Testing
One of the trickiest parts in managing a large-scale transition for employees to begin working from home is getting staff comfortable with new technology. To help ease the transition, we recommend setting up a conference room in such a way that it emulates a home network environment as much as possible.
From this conference room, disable access to the company’s wireless network. Instead, configure a wireless network that resembles a home network.
Encourage staff to stop by with the laptops and mobile devices and learn how to use their equipment on the VPN.
In addition to adjusting to using a VPN, staff also should be prepared to use headsets for meetings. Acquiring decent headsets, installing and configuring drivers, pairing bluetooth headsets with devices, and configuring audio conferencing applications to use headphones can be a thorn in the side of a staff member, especially someone who typically can rely on an IT help desk to handle these types of tasks.
Investing time to set up this equipment and train staff while they’re still in the building will prevent a ton of headaches and frustration down the road.
Tip #9: How to Get (or Provide) Help
One of IT’s responsibilities should be to figure out how to provide remote IT help desk support, including procedural details. How will IT support staff who can’t get their machines online? What options do staff have for getting help? What kind of turnaround time should they expect? What’s realistic?
As much as possible, set realistic expectations.
Tip #10: Test, Learn, Iterate, Revise
If your organization already has a robust BCDR plan in place, now is a good time to test it out. If your organization is like many and has been talking about one but hasn’t yet taken concrete steps to draft a plan, now is the time for organizational leadership — including IT — to think through and test the logistics of what it means for staff to work from home en mass. What works? What doesn’t? What could we do to mitigate or minimize negative impact?
Focus on the ways in which the organization can take advantage of new tools and technologies, define formal processes, and support staff as they work from home. Take advantage of this opportunity to strengthen your organization and how staff manage, secure, share, and re-use data, information, and knowledge, regardless of whether staff are working on-site or at home!