Controlling Cyber Risk for Teleworkers with HITRUST

Organizations across the globe have sent workers home to avoid spreading the Coronavirus and, as a result, technology leaders are hard-pressed to create cyber-safe work-from-home environments. Organizations must quickly identify and treat new cybersecurity risks introduced by the newly formed remote workforce.

Here’s how the HITRUST CSF®, a certifiable framework with a comprehensive approach to regulatory compliance and risk management, provides guidance. The latest release of the HITRUST CSF includes a control (01.y Teleworking) that addresses these risks specifically. Here are the takeaways:

Provision the right equipment – Teleworking increases the likelihood that sensitive data is exposed through misplacement, shoulder surfing, theft, or a more malicious exploitation of insecure software. Issuing the right equipment can mitigate risk associated with these vulnerabilities. IT departments should mind their baseline security configurations for things like session timeouts, passwords, remote patching, and disk-encryption, and consider issuing extra hardware like privacy screens and cable locks.

Evaluate home network security – Teleworkers will likely connect to their home networks which add risks like rogue devices that may monitor otherwise private transmissions. A particularly high-impact threat would be rogue devices exploiting network vulnerabilities to compromise corporate assets and expose the organization’s network to malicious actors. At a minimum, employers should validate that their remote workers’ networks are encrypted using AES and WPA2.

Create a plan for revocation of access – Before an organization can authorize employees to work from home, it should have a plan for employees who quit or who need to be removed from network access. Employees who leave the organization during a work-from-home stint increase the likelihood that access is abused, or sensitive files and media are leaked. Secure organizations will ensure that access is revocable and that accounts can be remotely disabled. Flash drives and external hard drives should be prohibited, and paper files should be removed from use altogether.

Communicate with teleworkers – Teleworkers are more likely to act securely if the organization communicates what’s expected. Acceptable usage should be defined, and additional training courses can be made available to help teleworkers understand their responsibilities and restrictions.

Encrypt data in transit – Remote workforces are far more likely to leak data via unencrypted transmission than employees working on a secured corporate network. One of the best mitigating controls for unencrypted transmission is a virtual private network (VPN). With a VPN, employees accessing on-premise resources (such as email servers) are less likely to inadvertently expose transmissions over the open internet.

Understand physical security – Mature organizations will understand the physical security of their workforce teleworking sites. Management should consider risks such as theft of sensitive machines, shoulder surfing, and misplacement of paper files or sensitive media. Nearby family members or guests may overhear sensitive or restricted information while workers are on phone calls. Some organizations require employees to sign additional agreements before authorizing teleworking. Others will have employees fill out a questionnaire or audit the environment through webcams to gauge the level of physical security. Make sure that sensitive conversations are held in private and that only authorized personnel are accessing workstations.

Access authorization – Lastly, a secure organization should consider all these risks and controls and formally authorize rights to telework. Authorization creates organizational and individual accountability which ultimately reduces the likelihood that data or systems are compromised with employees working from home.

Over the last five years, advancements in technology and tight labor markets have enabled companies to recruit remote workers and even allow local workers to remain in their homes. Although the Coronavirus has required teleworking for many employees, this isn’t a trend we see going away after the current crisis is over. Mature risk management programs will not only understand teleworking risks but leverage the new paradigm in their business continuity plans.

Before making changes in your HITRUST program to address these risks, we recommend working with your External Assessor to understand the requirements. Remember, the HITRUST CSF is right-sized for the organizations that enroll in the program so there’s no one-size-fits-all compliance or risk management solution to teleworking.