Cybersecurity Concerns When Utilizing Coronavirus Work-From-Home ProtocolsMarch 17, 2020
As concerns arising from the recent coronavirus (COVID-19) drive companies to utilize alternate workplace options, such “work-from-home” or other measures for employees to work remotely, companies should bear in mind the increased cybersecurity challenges and risk of cyber incidents from non-on premise work. The U.S. Department of Homeland Security is encouraging companies preparing for the impact of COVID-19 to adopt heightened cybersecurity standards as well as make efforts to mitigate the risk of cyber threats from employees working remotely. As always, and especially in the face of COVID-19, an ounce of cybersecurity prevention is worth a pound of cure.
We recommend that companies encourage employees to remember to “THINK” about their cybersecurity while working from home:
T—Tighten Security: Ensure that information stored on or sent to or from remote devices is properly safeguarded, including by use of encryption or multi-factor authentication. Make sure to exclusively use company security measures, such as a VPN, when working remotely, and limit the use of company systems while on public Wi-Fi. Consider updating and strengthening your passwords.
H—Have a Strategy (And a Back-Up Strategy): Review current company policies for information security and develop a strategy to ensure compliance while working remotely. As needed, make a specific strategy for maintaining cybersecurity standards in light of COVID-19, including contingency plans, disaster recovery efforts, and business continuity and procedures.
I—Identify Potential Incidents: The World Health Organization issued a warning about the increase of cyber criminals sending phishing emails with malicious links in connection with COVID-19. With coronavirus-based phishing attacks circulating the internet, it is key for remote users to stay vigilant in looking for and reporting suspicious activity as potential cybersecurity incidents. Be especially wary of external e-mails and unsolicited communications.
N—Narrow Use of Personal Devices: To reduce the risk of unauthorized access to or disclosure of company information, to the extent possible, only use company-issued devices for working remotely and sending work-related communications. Attempt to limit usage of personal devices in a way that protects company information from others, such as children or family members, who may also use the devices. Avoid downloading or saving company information to personal devices.
K—Know Your Network and Information: Keep your devices updated with the latest security updates and patches for your network. Remember the types of information that need safeguarding, including confidential business information, trade secrets, protected intellectual property, work product, medical records, customer information, employee information, and other personal information. Maintain compliance with applicable privacy laws for using, processing, and disclosing this protected information.
Company Security Measures
To assist employees in maintaining adequate cybersecurity standards while working from home, companies should also implement certain technical and administrative measures. For example, to reduce the risk of unauthorized access or disclosure, companies should consider limiting employee access to protected information to the extent needed to perform their duties and imposing additional credentialing requirements. Additionally, companies should increase proactive security measures, such as malware scans and log reviews.
In order to successfully execute these practices, it is crucial for companies to keep their IT resources well-staffed. Companies should ensure that IT personnel are prepared to ramp up cybersecurity tests and tasks. Further, companies should continuously remind all personnel about cybersecurity protocols and provide tips on avoiding cyber-attacks.
Cybersecurity is always a pressing concern for companies, but especially with the increased reliance on alternate workplace options during the COVID-19 outbreak, it is critical for companies to protect themselves from compromising attacks. Many companies are moving quickly to transition to work-from-home strategies, but companies cannot forget cybersecurity concerns. Companies must strive to maintain their cyber hygiene in the wake of COVID-19.
In response to the coronavirus (COVID-19) pandemic, Lewis Rice has formed a COVID-19 Task Force which brings together subject matter authorities from various practice areas within the Firm who stand ready to assist our clients as they navigate these challenging and evolving issues. We will continue to monitor the myriad legal and other developments that may impact our clients.
If you have legal questions related to COVID-19, please reach out to a member of the Task Force. If you have any questions regarding your cybersecurity procedures and policies or any potential cybersecurity incidents associated with COVID-19, please contact one of the authors above or another member of Lewis Rice’s Cybersecurity & Data Privacy Practice Group.