The COVID-19 pandemic has had a number of global impacts. For businesses, one of the biggest changes is a sudden transition to telework. In the past, only a small percentage of organizations had a work from home policy, and only a fraction of employees worked remotely at any given time. COVID-19 rapidly changed this. Now, “nonessential” organizations in many jurisdictions are forced to either shut their doors for the duration of the outbreak or allow their employees to work remotely.
During this unexpected transition to remote work, organizations are not exempt from their responsibilities under data protection regulations. Compliance with regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Information Portability and Accessibility Act (HIPAA), is still mandatory.
The governing bodies behind these regulations have released guidance on how to maintain compliance during the outbreak and what is and is not allowed under extenuating circumstances. While limiting access to sensitive data, using an access control list (ACL) or similar solution, is a common requirement, regulators have also mandated that organizations processing protection data have additional protections in place.
Common Requirements for Regulatory Compliance
During the COVID-19 pandemic, regulatory authorities acknowledge that some compliance activities, such as on-site audits, may be difficult or impossible to complete. However, the HIPAA Security Rule is still in effect during the crisis, and the Payment Card Industry Security Standards Council (PCI SSC) has issued guidance on securing remote workers, both during the COVID-19 pandemic and under normal circumstances. Common best practices for ensuring security and compliance during telework include the following.
Regulations such as PCI DSS and HIPAA are primarily focused on protecting sensitive customer data, such as payment card information and patient records. For this reason, ensuring that all communications between a remote worker and the enterprise network, especially if they contain sensitive data, are encrypted is a major compliance requirement for remote workers.
Most regulations recommend the use of a corporate virtual private network (VPN) to meet this requirement. A VPN encrypts communications between the remote worker’s machine and a VPN endpoint deployed on the enterprise network. As a result, the user has the same experience as if they were connected directly to the enterprise network and benefits from the protections provided by the organization’s existing cybersecurity deployment.
Multi-factor Authentication (MFA)
Password security is generally a problem for organizations and their employees. The sheer number of online accounts that the average user has makes it difficult or impossible to remember unique, strong passwords for each. As a result, instead of using a password manager, many people reuse weak passwords across multiple accounts, making it easier for cybercriminals to use credentials leaked in data breaches to compromise personal and business accounts.
When an employee is working remotely, traditional methods for identifying anomalous and suspicious authentication attempts, such as checking login location and time, are no longer effective. As a result, it is important for organizations to take extra steps to authenticate a potential user.
Multi-factor authentication requires multiple forms of authentication, for example, a smartphone app or a physical token, instead of just a password. Deploying MFA is a common regulatory compliance requirement for remote workers since access to sensitive data cannot be restricted to the enterprise network and a greater probability exists that an employee’s device will be lost or stolen.
When working on the enterprise network, employees are protected by the organization’s deployed cybersecurity solutions. These solutions, such as a next-generation firewall (NGFW) and secure email gateway (SEG), can filter inbound traffic and identify malicious content before it infects a user’s device.
When connected via the corporate VPN, a remote worker is protected by these defenses as well. However, a remote device may not always be connecting to the Internet via the VPN, creating the possibility for infection.
For this reason, regulatory compliance often requires a firewall and the corporate antivirus solution to be installed, updated, and operating on the device. These help to minimize the probability of infection by blocking suspicious traffic and identifying any malicious content that reaches the device.
Maintaining Business Continuity and Regulatory Compliance Despite COVID-19
Crises such as the COVID-19 pandemic can force an organization to rapidly implement their business continuity plan or even address situations not covered by this strategy. The “stay at home” orders issued by many governments found many organizations unprepared to securely transition most or all of their employees to remote work.
While the COVID-19 pandemic (and similar situations) is considered an extenuating circumstance that releases organizations from some contractual and regulatory requirements, the need to protect customer data in accordance with PCI DSS, HIPAA, and similar rules is still in effect. In most cases, an organization may be released from reporting requirements during the crisis but will be required to demonstrate how they remained compliant throughout after the fact.
Since remote work is an unusual circumstance for many organizations, regulatory authorities have released guidance on how an organization can maintain compliance while allowing employees to telework. The examples described above are some of the most common requirements that teleworkers must fulfill in order to remain compliant, but each regulation may have its own unique requirements. Organizations should ensure that these minimum requirements are in place and then confirm that no additional gaps exist between their current security posture and regulatory requirements.