As so many states and localities have issued orders for "nonessential" employees to "shelter in place" or "stay at home," employers hastily turned to remote access options (VPN, Citrix, LogMeIn, etc.) to keep their business running. But were the risks of moving the entire workforce to virtual operations fully appreciated? Here are three big issues to consider:
1. Unsecured Networks and Devices
Most employees lack the secured physical infrastructure and technological safeguards their employers have undoubtedly invested in over the years. As a result, the most likely security breaches will be from unsecured networks and connected devices. To the extent possible, employers should establish the following work-from-home requirements and provide the tools and training employees need to meet these requirements.
- Set strong passwords. The National Institute of Standards and Technology (NIST) suggests, among other things, mandatory screening of employee passwords against lists of common or compromised passwords on a daily basis. But how can employers review the passwords of employee networks and network-connected devices (smart TVs, Alexa, etc.)? Businesses are also vulnerable when their employees use the same password for personal matters as they use for access to the employer's network. Consider implementing (including training and explaining why) a written work-at-home policy that incorporates password strength and unique (not re-purposed) passwords for all connected devices.
- Educate users on COVID-19 scams. As they have with any large-scale world issue, hackers are seizing the opportunity to capitalize on the fears of COVID-19. There has been a drastic increase in the number of malicious emails containing the word "coronavirus." Ensure your users are aware of these types of scams and social engineering attempts. For more information, see our alert here.
- Data Separation. Avoid transferring proprietary files to personal computers. This can cause issues with data ownership, multiply network vulnerabilities and create version duplication issues. It also exposes data to uncontrolled, and potentially compromised, computer systems. Printing confidential documents at home should be done with care, ensuring the physical security of any printed materials and destroying any documents that are no longer needed.
- Back up data. Data should be backed up regularly and frequently to remote storage. Backups should be encrypted and physically protected. If employees are working on local desktop copies or personal devices (see Data Separation, above), do they have the know-how and tools to routinely back up their files to the network or a sanctioned cloud storage application like Box, Dropbox or ShareFile?
- Use encrypted communications. Confidential, proprietary and trade secret information should always be encrypted. Remote access workplaces likely increase the risk that employees will communicate such information over unencrypted networks, but encryption services are relatively cheap and simple to implement. Setting a password on a Microsoft Office file or encrypting an archive with a password using a tool like 7-Zip are free and easy ways to ensure these types of files are not lost.
- Use multi-factor authentication. Whether using SMS authentication or a mobile app approval, multi-factor authentication adds a layer of security that makes it much more difficult for hackers to access your network and cloud resources. Even if a hacker obtains a valid username/password combination, without also having physical access to a user's phone, multi-factor authentication prevents them from accessing your network or cloud applications. Consider a single sign-on provider like Okta or DUO that gives users a single SSO portal to visit and can front-end both internal and cloud applications with a single MFA solution.
- Use antivirus software and keep it updated. While office devices likely have antivirus software installed, some cybersecurity consultants have reported as much as 90% of personal/home devices have no antivirus. Consider providing licenses for employee home computers or, at the very least, requiring free antivirus software as part of your work-from-home policy. Modern Microsoft operating systems come with Microsoft Defender built in. Home users can leverage this antivirus system easily for free.
- Use a VPN and maintain secure VPN policies. Employers should put in place and require employees to use virtual private networks (VPNs), which are strong tools to automatically encrypt data in motion between the home and office, and to protect personal devices with corporate security controls. But employees also need to be aware that VPNs do not protect against all aspects of data use. For example, VPNs do not prevent you from being tracked by web-browser cookies. Many companies can leverage existing infrastructure like routers and firewalls to implement a VPN at little to no additional cost.
- Update operating systems and browsers. While software and firmware systems in the office environment are likely updated on a regular basis, a survey of personal devices will regularly show lax updating practices. These updates are often used to patch critical security holes, and failing to update can leave your network unnecessarily exposed to bad actors. Provide instructions for your home users to ensure automatic Windows Updates are enabled and that commonly exploited applications such as Flash and Adobe are set to automatically update as well.
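The password screening mentioned under "Set strong passwords" above can be sketched as follows; this is an added example, not part of the original article, showing a candidate password checked against a common-password list and a hashed list of compromised passwords before it is accepted. The list contents are constructed samples, and the 8-character minimum and the username check are assumptions added for illustration.

```python
import hashlib
import unicodedata

# Constructed sample data: a tiny stand-in for a real common-password list.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]

# Constructed stand-in for a compromised-password corpus, held as SHA-1 digests
# so the screening service never stores the breached plaintexts themselves.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ["Summer2020!", "Covid19Sucks", "P@ssw0rd"]
}

MIN_LENGTH = 8  # assumption: minimum length for user-chosen passwords


def normalize(candidate: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", candidate)


def screen_password(candidate: str, username: str = "") -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    pw = normalize(candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    # Common-password match ignores letter case ("PASSWORD" == "password").
    if pw.casefold() in (c.casefold() for c in COMMON_PASSWORDS):
        reasons.append("common")
    # Compromised-password match is exact, done on the digest.
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        reasons.append("breached")
    # Assumption beyond the article: reject passwords built on the username.
    if username and username.casefold() in pw.casefold():
        reasons.append("contains_username")
    return reasons


if __name__ == "__main__":
    for pw in ["password", "Summer2020!", "orchid kettle violin 42"]:
        print(pw, "->", screen_password(pw, "jsmith") or "accepted")
```

Running the check at password-set time covers accounts the employer controls; it does not reach home routers or smart devices, which is why the written policy above still matters.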
2. IT Support
Technology issues are sure to be more prevalent as workers struggle to transition their workflow to the home office. To avoid business continuity issues, employers should:
- Provide training for transitioning to working remotely. For once, phishing and social engineering avoidance training should take a backseat. Given the plethora of home-office and remote access issues highlighted above, securing home office infrastructure should be the number one priority for cybersecurity as employees begin working remotely en masse. Depending on the length of the COVID-19 shelter-in-place orders, provide follow-up training and regular feedback.
- Provide remote access solutions wherever possible. Have you figured out how employees are going to have virtual meetings, print, fax and send mail? Most of these can be resolved through remote access solutions, but companies are having a difficult time transitioning from their standard operating procedures. That means employees are likely to transgress typical safety protocols and expose your business to unnecessary risk.
- Consider implementing data restrictions. Until company-wide policies (and remote access solutions) are adopted, you may want to restrict the access and/or transfer of sensitive or proprietary data to personal devices. Although inconvenient, the high incidence of personal network safety risks may warrant extreme measures until a baseline for security is established.
- Have back-up solutions for potential access issues. Aside from physically going into the office, what back-ups does your company have for potential access denial? Third-party-managed endpoint data protection, including file-level restore capability, may be necessary to ensure continuity of service to your clients. On the other hand, a simple cloud repository could be all that is needed. Either way, redundant safeguards should be implemented, especially if employees are using personal devices that do not have automatic back-up protection.
3. Temporary Changes to Legal Frameworks Inside and Outside the U.S.
In response to the COVID-19 pandemic, the rules and obligations for handling, processing and sharing data have been changing quickly. Centers for Disease Control and Prevention recently advised employers to inform fellow employees of their possible exposure to COVID-19, but warned against disclosing the identity of the individual who tested positive. This instruction is commensurate with the many medical-related confidentiality provisions already in place, including those in the Americans with Disabilities Act (ADA) and the Health Insurance Portability and Accountability Act Privacy Rule (HIPAA).
Many other countries have also adopted temporary measures to facilitate the collection, transfer, processing and storage of personal data where necessary to address health concerns.
For example, the Italian Civil Protection Department adopted Civil Protection Ordinance No. 630 on February 3, 2020. This gives Italy flexibility in processing certain personal data related to the COVID-19 pandemic until July 30, 2020. Similarly, the UK, Israel, France, Belgium, Germany and Spain have made statements on the permissible use of personal data throughout the response to COVID-19.
Other European countries could follow suit by passing their own emergency legislation, or they could potentially rely on the permissions in GDPR Article 9, which allow the suspension of certain restrictions in times of crisis. To that end, on March 19, the European Data Protection Board adopted a statement emphasizing that the GDPR should not "hinder measures taken in the fight" against COVID-19.
China, Taiwan, Korea, Japan and others have also passed emergency legislation addressing COVID-19.
While not all of these laws may affect you, it is clear that – regardless of what country you do business in – the legal landscape governing data use and protection will continue to evolve on a week-by-week (if not daily) lifecycle. Companies need to stay abreast of updates and be ready to adapt their data privacy policies to reflect applicable COVID-19 emergency response legislation.
Jeffrey Lagana, Senior Manager of Information Security at Buchanan, contributed to this article.
For more cutting-edge perspectives on the legal and business implications of COVID-19, visit our COVID-19 resource hub.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.