A week ago Canadian and U.S. health authorities were saying healthy people could go about their business. Now, they’re urging most businesses to make people work from home.
As a result, a lot of North American organizations in the past seven days or so have made quick decisions letting employees work remotely, including on home computers or computers taken from the office. However, the International Association of IT Asset Managers (IAITAM) fears some employers may have rushed into making their decision without thinking through how to secure their most sensitive data.
“We always say that you can’t manage what you don’t know about,” association president Barbara Rembiesa said in a news release, “and that is going to be a truth with nightmare consequences for many companies and government agencies struggling to respond to the coronavirus situation. The impulse to send employees home to work is understandable, but companies and agencies without business continuity plans with a strong IT asset management (ITAM) component are going to be sitting ducks for breaches, hacking and data that is out there in the wild beyond the control of the company.”
Ideally, an organization has a business continuity plan that incorporates IT asset management, so that it can send employees home with laptop or desktop computers (and possibly portable storage) that are accounted for and working properly. But not keeping on top of assets will mean trouble. The association says that without even a basic mobile device management (MDM) system, which scans and blocks devices with vulnerabilities until they are patched, companies will be almost completely blind as to who is accessing their data.
Fortunately, MDM and virtual private network (VPN) applications can be subscribed to quickly as software-as-a-service.
IT leaders in organizations that haven’t yet released staff are being urged to follow these steps:
- Sign out and track all IT assets that are being taken home. No IT assets should be allowed to leave a company site for the first time without formally accounting for each movement;
- Make sure solid firewall and passcode protections are in place for accessing company systems. Companies and agencies that plan properly will “scale up” to accommodate a shift in traffic from the workplace to remote access;
- Consider requiring employees to sign a non-disclosure agreement (NDA) about the data they will have access to outside the office. The data is often significantly more valuable than the IT assets in which it is contained. Vital company information may be at stake and an NDA sends a message to employees that they have serious responsibilities that must be honored and respected;
- Provide education and training to employees about how to responsibly manage their equipment and the company’s data. For example, parents accustomed to allowing a child or spouse to use a personal smartphone or computer must be coached to avoid doing so with company IT assets. Companies may also forbid the use of company IT assets on public Wi-Fi networks, such as coffee shops and fast-food restaurants;
- Monitor employee data use and other remote practices;
- Tighten the reins on Bring Your Own Device (BYOD) practices. The longer someone is out of the office, the more likely they will do company business on their personal smartphone, computer, tablet or other BYOD asset. If the employee’s contract or policy language does not give the data rights to the organization, the IT asset manager will need to make an addendum giving the rights to the organization. The employee may own the device, but the work-related data is completely owned by the company.
Organizations that already have employees working from home for the first time, before asset management could be brought in, should consider whether these recommendations can be implemented.