In response to the COVID-19 pandemic and stay-at-home orders issued by state and local governments, many employers rushed to implement emergency remote work policies. Although many areas are slowly starting the reopening process, it is predicted that remote work will remain long after the COVID-19 pandemic ends. A typical home office will have far fewer cybersecurity protections than a traditional workplace and the sudden increase in telework comes with an inherent risk of increased cybersecurity threats. In order to protect businesses from cybercriminals looking to capitalize on the COVID-19 pandemic and the increase in remote work, employers must carefully examine their data security policies, ensure employees are properly trained regarding remote work best practices, and prepare for an increased demand on IT departments.
Protect Confidential and Proprietary Information
As an initial matter, employers should put rigorous protective measures in place to ensure data security in the new teleworking environment, including ensuring that the organization has a clear teleworking policy in place that addresses the proper use and handling of confidential and proprietary information.
- Place restrictions on an employee’s ability to log onto your organization’s internal systems over an unsecured network, and require the use of virtual private networks (VPN) or other secure connections. Keep in mind this might mean that you will need to increase the number of VPN connections available to your organization. Employers may also consider requiring passwords to access certain networks or databases, as well as limiting access to confidential information on a need-to-know basis.
- Provide training to employees about securing home Wi-Fi networks and how to identify Wi-Fi networks that are unsafe or not properly secured. Employees should also be reminded that it is inadvisable to work from coffee shops, libraries, and other public places where Wi-Fi networks are less likely to be properly secured.
- Ensure that all devices being used remotely have current firewalls and encryption software. If possible, employees should only use company-issued devices to perform work; however, to the extent employees are using their personal devices, you should also ensure they have updated anti-virus and malware protections. Similarly, your organization may consider a policy that would allow employees to use personal smartphones to conduct conference calls but would prohibit their use for sending text messages.
- Issue guidance to employees on where they should be saving company documents and work product, as well as provide them with explicit instructions of where such information should not be saved. Remember this guidance can also apply to hard copy documents. For example, if an employee of a call center writes down an individual’s credit card number on a piece of paper, they should receive information about properly disposing of that paper.
- Consider what guidance is necessary regarding an employee’s protection of confidential information. For example, organizations might consider advising employees to turn off their smart speakers (Siri, Amazon Alexa, Google Home) when they are discussing confidential and proprietary information.
- Provide training to employees about the risk of “phishing” attempts and best practices to avoid them. Recently, some companies have reported phishing attempts where the threat has posed as the Center for Disease Control or the World Health Organization to help legitimize their actions.
Consider the Cybersecurity Risk of Furloughed Employees
Challenging economic times are resulting in businesses considering the furlough of employees. Employers shall evaluate how the furlough of employees will impact the IT infrastructure of the organization and if there are any cybersecurity concerns.
- Disable all electronic access.
- Remotely wipe devices in employee’s possession.
- Enable an out-of-office message.
- Ask the employee to return company-owned devices or IT hardware.
Expect a Cybersecurity Incident
Regardless of the protections put into place, no organization can be completely immune from the risk of a cybersecurity incident. The most important thing employers can do is make sure they are prepared to respond to such an incident.
- Perform a risk assessment test on your IT system to help identify potential vulnerabilities.
- Conduct online training for employees on data security, including how to report vulnerabilities or suspected data breaches.
- Ensure that you have policies and procedures in place that address how to handle such an incident, and circulate those to employees as a reminder.
- Establish an internal response team to respond to the loss of access to the company information system, and guarantee the team has hard copies of the plans in the event that it cannot be accessed electronically.
Prepare to Respond
In the event your organization experiences a cybersecurity incident, the most important thing is that you are able to act immediately.
- Confirm cyber liability insurance coverage and review coverage for cybersecurity incidents.
- Update your security incident response plan to address the management of a cybersecurity incident remotely.
- Confirm preferred third-party forensic investigation firm, legal counsel, and notification vendors have resources available to assist in the event of an incident while working remotely.
- Evaluate the company’s contractual and regulatory notification obligations in the event of a security incident and the contractual obligations of critical third-party service providers.