COVID-19: homeworking and cybersecurity

18 March 2020
Frédéric Saffroy, Corinne Thiérache and Jeanne Quéneudec

Following the lockdown measures adopted by the French Government as of 17 March 2020 at 12:00 Paris time, homeworking is the ultimate solution for many companies.

This forced distant working obliges companies to request from their employees a cautious and careful implementation of measures aiming at protecting processed data. Whatever this data is (commercial, financial, technical, legal, administrative, etc.), it is essential to the continuation of your business and the sustainability of your company.

Cyber-attacks (ransomware, phishing, fake president fraud, identity theft, etc.) will not cease during the COVID-19 crisis, and the risks are enhanced by the dispersion of homeworking employees. An IT crisis should not be added to the health crisis.

Below are recommendations based on the assumption that your employees are working from home (these would be stricter if working from a coworking space, a hotel or even in transportation, but this should not be the case with lockdowns):

• Avoid as much as possible the use of devices that are not provided by the company (BYOD): The company cannot monitor, control and secure them as much as its own ones.

• Ensure constant watchfulness on the devices provided by the company, as private residences do not provide the physical protection offered by the company premises: Switch off the laptop and store it discreetly when you leave home; Do not leave the laptop alone in a vehicle, even locked; Do not leave the laptop alone in a place visible from the outside.

• Connect to the company resources only via VPN or via a secured cloud.

• Check that the Wi-Fi used at home is secured and requires a strong password to connect.

• Do not forward your professional emails on your private/personal mailbox.

• Do not plug/connect (physically or via Wi-Fi or Bluetooth) personal devices or third party devices (such as USB keys, SD cards, external hard drives, connected devices, etc.) to the professional laptop of the company.

• Do not allow other family members (even less third parties), including children, to use the laptop.

• Pay attention to any sensitive call or videoconference you may have. Professional discretion still applies.

• Finally, alert your IT manager and your DPO (data protection officer), as well as your security officer (if the company has one) in case of any security incident.

Your vigilance and that of your employees are essential to the integrity of your systems, to the protection of your information and to the sustainability of your business.

For any question, please contact Alerion’s lawyers, and more particularly: Frédéric Saffroy and Corinne Thiérache.