6 Cyber Risks That Your Municipal Employees Face Working Remotely—and How to Address Those Risks

Derek Alldredge, Network Infrastructure Consultant

When your municipal employees work from home, one thing that might not be on their minds is information security. That’s where your town or city needs to ask some tough questions and ensure you are not exposing your files, documents, and databases to cyberattackers while also risking permanent data loss.

If people are not used to working remotely and you’re not used to supporting remote workers, you may not realize that various security vulnerabilities exist that don’t necessarily appear at the office. Teleworking introduces increased cybersecurity risks as employees work from home with their personal computers. Here are some areas you need to assess.

1. Risks associated with the use of personal devices

While ideally you should give your employees municipal-owned and supported computers, employees may be using their personal desktop computers and laptops when working from home. When employees use their own personal computers, security risks include:

  • Antivirus software: Are they using any? If so, is it free or consumer-grade? Are they updating the virus definitions regularly? An infected computer exposes your city to malware and permanent data loss.
  • Software patches and updates: Are they applying security patches and updates to their operating system software and other important applications? Unpatched security vulnerabilities are like unlocked doors into your city’s data.
  • Firewall and network security: A firewall helps protect a computer from hostile and dangerous internet traffic. Does the employee have an appropriate firewall set up on their home computer network?

2. Wi-Fi security

Most employees will have a wireless router of some kind set up at home. Many people do not pay attention to the security of that device, leaving it unprotected or protecting it only with a weak password (like “123456” or a simple, easy-to-crack password like their name or favorite sports team). Along with using weak passwords, many people do not know about basic Wi-Fi security settings (such as using WPA2 security instead of WEP security).

You might think that the likelihood of a cyberattacker selecting your employee to attack through their home or office router is low. Think again. Cyberattackers can be anywhere, and you may never know if someone is spying on your employee’s computer as your employee accesses sensitive municipal information.

3. VPNs

A personal computer attached to your city’s network through a VPN could become the gateway for a cybercriminal to enter your network. VPNs work well when the employee is using a city-owned and supported computer, but they are not a good idea to use with a personal device. That’s because personal devices are susceptible to security vulnerabilities—and we just talked about some of those vulnerabilities above. Are you willing to trust the security of all your city data based on your employees’ device security? Do you feel they are securing their devices to the best of their ability?

4. Phishing and scamming risks

We encourage you to read our recent article, “Tips to Help Municipal Employees Fend Off IT-Related Coronavirus Scams,” which goes into phishing and scamming risks in detail. Are your employees ready to recognize and fend off email phishing scams, spear phishing scams, communications where the scammer pretends to be your IT vendor or department, or coronavirus-related scams?

5. Encryption

Devices that use no or poor encryption can be easily hacked by cyberattackers. Are you confident that the data your employees access and transmit is sufficiently encrypted so that a cyberattacker cannot easily read and steal it? Encryption covers applications, web browsing, file storage, email, and data on their computer.

6. Data backup and disaster recovery

If your employee accidentally destroys or damages their device, downloads malware, or makes a mistake when handling municipal data, then what happens? Are they able to recover that data? Or is there a big risk of permanent data loss? Employees who store data on their local hard drives may lose important data permanently if it’s not backed up. If employees have access to data in a centralized location, is that data protected from unauthorized access, deletion, and corruption? Does an offsite backup component exist to ensure you can recover from accidental data loss?

Cities can mitigate these cyber threats by implementing the following best practices:

  • Create security policies: To get started, review our whitepaper, “A Municipal Guide to Complying with the Law Through Information Security Policies,” which gives you guidance about the security policies your municipality needs. Focus especially on security policies related to employee data access, authorization to view sensitive information, wireless security, and the physical security of devices.
  • Communicate with employees and train them about cybersecurity: If you don’t communicate your security policies with employees, they will be left on their own and either improvise a solution on their personal devices or do nothing. Share your policies, give them cybersecurity training, and keep an open line of communication with them about your teleworking expectations.
  • Make sure all employee data is covered by a data backup and disaster recovery plan: Even if an employee uses a personal device, the data needs to be covered by a data backup and disaster recovery plan. Teleworking employees should access files and documents through a secured, typically browser-based remote portal. A document management system should contain a centralized repository of documents for all employees to securely access. An offsite data backup solution should ensure that all this data is backed up even if an employee’s device is lost, destroyed, or corrupted through a virus.

Need help addressing cyber risks to your teleworking employees? Reach out to us today.

Original Date: 5/6/2020