Inventory of good practices to adopt in the context of teleworking – economymatin


The health crisis we are going through is forcing companies to reinvent themselves. In an increasingly uncertain business continuity environment, teleworking remains the best option. Boosted by the democratization of digital tools and framed by precise legal regulations, teleworking has been practiced by 39% of employees in private companies since the start of confinement in March 2020 (Malakoff Médéric study) compared to 3% in 2017 (DARES study – Ministry work).

The uncontrolled implementation of teleworking can significantly increase the risks for companies, especially in the face of the rise of cybercrime which seeks to profit from the crisis. COVID-19-themed phishing campaigns attest to this sad reality. Cybercriminals have thus taken advantage of the popularity of the Microsoft Teams collaborative tool to recover credentials. To trick their victims, they sent a very similar copy of an automatic notification from the official app. The victims then thought they were logging into their account to join a meeting, but they entered their credentials on a fraudulent page. Companies are not the only ones affected by this wave of cyber attacks since large institutions such as the World Health Organization (WHO) and several governments (French, Canadian, American) have been affected.

Along with the increase in cyber attacks that require organizations to strengthen the security of their assets, the practice of teleworking has led to a radical change within companies: the adoption of new communication tools, which we briefly mentioned with the Microsoft Teams example. The advent of collaborative platforms, such as Zoom, Slack or Microsoft Teams has enabled private and public entities to continue their activities, with a certain level of agility. Nevertheless, drifts have unfortunately been observed. The overuse of collaborative tools is not without consequences. For example, the free Framatalk application, used by many teachers for its ease of use, fell victim to its success and experienced service disruption due to overuse. These tools are also sometimes the carriers of security vulnerabilities, like the Zoom video conferencing tool. For example, white hats from the Morphisec research laboratory have revealed security flaws in this tool. These allow cybercriminals to voluntarily record videoconferencing sessions and gain access to user conversations.

The setting up of collaborative platforms that have not been assessed and validated by the IT department thus leads to overexposure to digital risks and in particular to those of Shadow IT. It is advisable for CIOs to ensure a controlled supervision of said tools such as the definition of the rules to be applied. The latter must be applicable to all businesses and not only to CIOs. Certain limits should also be set on what can be outsourced, taking into account the risks that this entails. On the other hand, it is the IT department and only it that has control over the configuration of the entire IS of the company. In addition, the implementation of a proven security policy would allow serene use of these collaborative platforms, a pledge of confidence for employees.

In the aim of raising awareness among companies and employees, it is essential to present an inventory of the security recommendations to be adopted within the framework of the practice of teleworking. Based on existing documentation, in particular hygiene guides published by ANSSI and CNIL, around ten measures appear to be priorities among all the recommendations established by public agencies:

Edition of a telework charter
Hardening of nomadic employee workstations Partitioning of systems Securing the Wi-Fi connection Setting up a VPN Regulated access to Cloud resources
Event logging
Detection of computer incidents Raising employee awareness of cyber risks Communication of computer incidents to the competent authorities

These measures must be applied to ensure the continuity of professional activity and the security of the company’s assets.