This post is also available in: Español

Now that our entire lives revolve around the hashtag #quédateencasa (#stayhome), remote working has become the best response for many companies.

Remote working entails new challenges and opportunities, but it is not yet widespread in Spain. This, together with the urgency with which these decisions must be made during the health crisis, poses greater risks and exposures—mainly to information and data security.

In line with our previous recommendations to keep companies’ know-how secret, Spanish authorities and institutions have outlined a series of guidelines and recommendations:

The Spanish National Cybersecurity Institute (“INCIBE”) has published several articles and infographics regarding remote working cybersecurity (see here, here and here).

INCIBE highlights the advantages of Virtual Desktop Infrastructure (VDI), which gives employees the same operating system and applications they usually work with, accessible from other devices, while stressing the importance of (i) working with corporate devices and establishing robust access controls with two-factor authentication; (ii) using virtual private networks (VPNs); and (iii) connecting to password-protected home networks or, as a plan B, the data network.

The Spanish National Cryptologic Center has published a comprehensive report on remote working cybersecurity addressing different applications and tools (e.g., email, cloud documentation or videoconferencing), different technical measures for monitoring, protection and storage, as well as practical recommendations to prevent incidents and vulnerabilities.

Finally, the Spanish Data Protection Agency has recently published a set of recommendations for companies on information and personal data protection, and on management of security breaches in remote working situations. With a focus on personal data protection, these recommendations include:

For companies:

  • Define a specific information protection policy for mobility situations, establishing what forms of remote access are permitted, as well as the types of devices and level of access.
  • Designate an appropriate point of contact to report any incidents.
  • Sign a remote working agreement including all commitments made by the employee.
  • Provide training on potential threats and their consequences.
  • Identify reliable solutions and service providers.
  • Restrict access to information according to each employee’s role, considering the type of device and its location.
  • Periodically review, update, and configure the equipment and devices, install updated antivirus software, keep firewalls activated, incorporate information encryption mechanisms, and keep installed or activated only the applications and communications necessary to carry out the work activity.
  • Establish specific measures if the use of personal devices is allowed (BYOD).
  • Monitor access to the corporate network to identify potential threats or viruses.
  • Review policies and configurations on a regular basis according to the evolving context.

For employees:

  • Respect the information protection policy as well as any other rules and procedures.
  • Protect the device used and its access with strong passwords and do not download applications or software that have not been previously authorized.
  • Ensure the protection of the information by maintaining at all times the duty of confidentiality, avoiding the use of hard copy and being aware that conversations may be overheard.
  • Save the information in enabled network spaces, avoiding saving the information locally, enabling periodic backups and eliminating residual information.
  • Immediately report any suspected incidents.

Cybersecurity is a joint effort of companies and employees with implications in different areas (such as trade secrets, confidential information, personal data and privacy protection) and in the interests of us all.

By Adaya Esteban
