BY Ridwaan Boda
technology, media and telecommunications (TMT)
South Africa: Coronavirus (COVID-19): BYOD, working remotely and ensuring information security
With the outbreak of the coronavirus (COVID-19), many businesses have taken the decision to request that employees work from home. To work from home, employees will either be using their own personal devices or company-issued equipment to either access the company network remotely or to transmit data and information through their own personal network. There are a few inherent information security risks that are posed by these arrangements. We address such risks and provide some practical tips to ensure that technology and information security is maintained.
In the first instance, any company that allows or encourages the use of personal devices for work purposes should ensure that a “Bring Your Own Device” (“BYOD”) policy is in place. A BYOD policy should address topics such as:
- which employees are permitted to use personal devices;
- the tools or applications that employees may utilise on their personal devices;
- the employer’s rights in respect of access to data and information contained on personal devices;
- the responsibility for technical support in respect of those devices;
- the security of devices; and
- how the various risks associated with the use of personal devices are shared and are mitigated.
When it comes to the security of devices and with that, ensuring information security, companies should, at the very minimum, impose strict rules to ensure that such devices are password protected (in this regard, a password policy is strongly recommended) and should require that anti-virus software be installed thereon.
When it comes to working remotely, whether or not this is from a personal device, companies must consider the consequences of working from home in terms of systems access, access to internal IT infrastructure, bandwidth costs and data access and repatriation. What this means, at the core, is that when a company’s employee accesses the company’s data and/or databases remotely, the risk to that data grows. While at normal times the risk is only between the server, internal network and end user machine, external working adds public internet, local networks and consumer-grade security systems to the risk mix.
To minimise these risks, here are a few tips:
- Educate your employees: People remain the weakest link when it comes to cybersecurity. Employees working from home must be provided with the training and knowledge (or reminded) about basic security. This includes, as an example, education around being aware of phishing emails, particularly at this time where it is anticipated that attempts to subvert security using phishing attacks are likely to increase. For example, there have been some media reports that hackers are circulating fake dashboards that purport to show maps tracking the spread of coronavirus but that actually infect people's computers with malware when opened. Employees should be particularly reminded to avoid clicking links in emails from people they do not know, and installation of third-party apps should be confined to bona fide app stores, even on personal devices.
- Avoid public Wi-Fi networks and reset home router passwords: Employees should not utilise public Wi-Fi networks. These networks are, as a general rule, not secured and are prime spots for malicious parties to spy on internet traffic and collect confidential information. Employees should also be advised to change the default password for their Wi-Fi router, as many would unlikely have conducted this exercise.
- Use reputable cloud services: One way to protect employee endpoints is to ensure that the company’s confidential information is not stored locally (ie, on the device). This will ensure that if the device is stolen or otherwise accessed, confidential information will not be at risk of exposure. Information should be stored on the cloud, however, it is important to bear in mind that any third-party cloud storage services must be properly verified by the company’s IT security team. With contracting any cloud services provider, ensure that a risk management exercise is undertaken (our Cloud Risk Matrix Tool can assist with this) and be mindful of the terms of contracting.
- Ensure adequate security protection: Companies should ensure that security mechanisms, such as virus checkers, firewalls and device encryption tools are up-to-date, installed and active on any device being used for work purposes.
- Provide your employees with VPN access: Another way to secure information as it moves between the employee’s external system to the business’ core network, is to deploy a virtual private network (“VPN”). Simply put, a VPN provides an additional layer of security by:
- hiding a user’s IP address;
- encrypting data transfers in transit; and
- masking the user’s physical location.
Many larger organisations will already have a VPN in place. The action point in this regard is then to ensure that there are enough seats to provide access due to the increased demand.
The tips provided above should be a good starting point to ensure the security of a company’s information and technology systems. Of course, no matter how proactive any one business is, a security compromise is always a real possibility. In this regard, it is important to ensure that there are sufficient support structures in place to ensure that an incident can be reported immediately and a clear procedure is adopted and followed in the case of a suspected or actual security incident.
ENSafrica’s TMT team has extensive experience in the field of information and technology security and we can assist you in developing information security practices and policies suitable for your business.
Executive | Technology, Media and Telecommunications
+27 83 345 1119
Candidate Attorney | Corporate Commercial
+27 72 455 2135
COVID-19, also known as the Coronavirus, is an infectious disease caused by severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) that was declared a pandemic by the World Health Organization on 11 March 2020. The disease has since been reported in over 190 countries.
No information provided herein may in any way be construed as legal advice from ENSafrica and/or any of its personnel. Professional advice must be sought from ENSafrica before any action is taken based on the information provided herein, and consent must be obtained from ENSafrica before the information provided herein is reproduced in any way. ENSafrica disclaims any responsibility for positions taken without due consultation and/or information reproduced without due consent, and no person shall have any claim of any nature whatsoever arising out of, or in connection with, the information provided herein against ENSafrica and/or any of its personnel. Any values, such as currency (and their indicators), and/or dates provided herein are indicative and for information purposes only, and ENSafrica does not warrant the correctness, completeness or accuracy of the information provided herein in any way.