Sending Workers Home May Expose Companies to Data Risks; Dramatic Rise in VPN Use May Help
IAITAM warns that even companies that send employees home with proper safeguards face challenges; personal phones and computers may make them "sitting ducks." Fortunately, Atlas VPN has noted a dramatic rise in VPN use.
- By James E. Powell
- March 17, 2020
In response to concerns about worker safety amid the coronavirus pandemic, many companies and government agencies are allowing or requiring employees to work from home. Many employees are working remotely for the first time. The International Association of IT Asset Managers (IAITAM) is warning that employers may not have thought through how to secure the sensitive data employees must access to perform their jobs.
Dr. Barbara Rembiesa, president and CEO of IAITAM, said: "We always say that you can't manage what you don't know about and that is going to be a truth with nightmare consequences for many companies and government agencies struggling to respond to the coronavirus situation. The impulse to send employees home to work is understandable, but companies and agencies without business continuity (BC) plans with a strong IT asset management (ITAM) component are going to be sitting ducks for breaches, hacking, and data that is out there in the wild beyond the control of the company."
For instance, Rembiesa noted a 2015 IAITAM report that said 17 percent of U.S. Securities and Exchange Commission (SEC) laptops "were not where they were supposed to be and 22 percent had incorrect user information." Rembiesa worries that the SEC's Washington, D.C. office now has all employees working remotely after a coronavirus case was reported in the agency's headquarters. According to an announcement from IAITAM, "Under the circumstances cited in the IAITAM report, the SEC would have little confidence that it knows who is working remotely on which machines and under what circumstances."
IAITAM points to other potential problems. For example, without a basic mobile device management system, companies may be completely blind as to who is accessing their data. Workers using WiFi without a VPN may be working insecurely, and "the longer employees work remotely in a vulnerable state, the bigger a target they may become for phishing and other attacks," including new coronavirus-related attacks. Furthermore, "data on personal devices (outside the reach of a company or government agency) likely will remain there when the employee returns to work," which creates a risk if the device is transferred to another person or improperly disposed of, leaving sensitive company data exposed (albeit entirely unintentionally).
In its release, the organization suggests enterprises that have sent workers home to work take these six precautions:
- Sign out and track all IT assets taken home. No IT assets should be allowed to leave a company site for the first time without formally accounting for each movement.
- Make sure solid firewall and passcode protections are in place for accessing company systems. Companies and agencies that plan properly will scale up to accommodate a shift in traffic from the workplace to remote access.
- Consider requiring employees to sign a non-disclosure agreement (NDA) about the data they will have access to outside the office. The data is often significantly more valuable than the IT assets in which it is contained. Vital company information may be at stake and an NDA sends a message to employees that they have serious responsibilities that must be honored and respected.
- Provide education and training to employees about how to responsibly manage their equipment and the company's data. For example, parents who are accustomed to allowing a child or spouse to use a personal smartphone or computer must be coached to avoid doing so with company IT assets. Companies may also elect to forbid the use of company IT assets on public WiFi networks, such as coffee shops and fast-food restaurants.
- Monitor employee data use and other remote practices. It would be nice to assume everyone will follow the rules and be a team player, but that doesn't always happen. Any potential for mischief or data abuse may be heightened in a work-from-home environment. Remember that most data breaches are caused by insiders, not outside hackers.
- Tighten up the reins on bring-your-own-device (BYOD) practices. The reality is that the longer someone is out of the office, the more likely it is that they will do company business on their personal smartphone, computer, tablet, or other BYOD asset. A device that is BYOD could simply be a personal phone that receives work emails. If the employee's contract or policy language does not give the data rights to the organization, the IT asset manager will need to make an addendum giving the rights to the organization. The employee may own the device, but the work-related data is 100 percent owned by the company.
VPN Use Rises Dramatically
As IAITAM notes, VPN use is critical. Fortunately, virtual private network provider Atlas VPN reports that VPN usage in Italy increased by 112 percent during the last week. The data was derived from the service's 50,000 weekly users. The company posted a chart illustrating total COVID-19 cases and VPN usage growth for the period (March 9th to 15th, 2020) compared to the previous week. VPN usage in the U.S. grew by 53 percent, by 38 percent in Iran, 36 percent in Russia, and 36 percent in Spain.
Rachel Welch, Atlas VPN's COO, estimates that "VPN usage in the U.S. could increase over 150 percent by the end of the month. Overall, the usage of VPNs should continue to surge if the coronavirus pandemic worsens."
The full report and infographic are available here.
James E. Powell is the editorial director of TDWI, including research reports, the Business Intelligence Journal, and Upside newsletter. You can contact him via email here.