The COVID-19 crisis could become even worse for a business that experiences a breach.
Published in NH Business Review (3/17/2020) and the Keene Sentinel (3/18/2020)
Businesses are rapidly transitioning to remote workforces to combat the transmission of coronavirus. For those that already widely support remote work, that transition may occur smoothly. However, even businesses that are prepared in that way should still reinforce important cybersecurity principles.
For businesses unprepared for widespread remote work, the cybersecurity risks are more frightening. Those companies need to scramble to implement appropriate safeguards. The following are ten of the most important.
- Protocols and communications: Businesses that have existing protocols for remote working should reinforce them with employees, including by reiterating the principles set forth below. Businesses that do not should create temporary rules for remote work.
- Laptops: Businesses should permit their employees to access their networks using only company-owned or -managed computers, which have encrypted hard drives, up-to-date anti-virus/anti-malware, strong and periodically changed passphrases (three or more unrelated words) or passwords (eight or more characters consisting of letters, numbers and symbols), and screensavers that lock after 15 minutes of inactivity. With limited exception, non-IT employees should not have administrator privileges on any company computer, and employees with such privileges should have separate regular user credentials for non-administrator functions. Employees should be reminded to shut down company computers whenever not in use (a laptop that is merely asleep keeps its disk-encryption key in memory; a powered-off one does not), and that they may not permit family members or others to use those computers.
- Virtual private network (VPN): Access to the business’s network should be permitted only using a secure, company-controlled VPN that requires multi-factor authentication, prevents company information from being downloaded to a local drive, blocks access (while connected) to local printers and other Internet of Things (IoT) devices on the home or public network, and is configured with robust access and activity logging. Employees should not be allowed to use such a VPN to access the company’s network with a personally owned computer, unless the business manages the updating of anti-virus/anti-malware, operating system, and applications on that computer.
- Mobile devices: At the very least, businesses should permit employees to access their company email accounts only using a mobile device that is protected by a passcode or biometric (which, on current iOS and Android devices, also enables the device’s built-in storage encryption). More effective cybersecurity controls exist using a mobile device management (MDM) application, and an MDM should be implemented whenever employees are permitted to access the business’s network on a mobile device.
- Email and cloud storage: Remote access by employees to their company email account and cloud storage (like OneDrive and Google Drive) should be permitted only using a company-owned computer or a mobile device with the controls discussed above. The account should require a strong password and multi-factor authentication, and be configured with robust access and activity logging. Outlook Web Access (OWA) should be disabled.
- Wi-Fi networks: Home and public Wi-Fi networks are notoriously vulnerable. Employees should be prohibited from using any public network that is not secure (encrypted). While home networks are not necessarily more secure, it may be difficult for businesses to correct such deficiencies during the current crisis. Businesses should at least ensure that the home networks of their executives are protected (including with a firewall monitored by the company), and that other employees use the VPN described above whenever using a company computer at home.
- External drives: Businesses should prohibit employees from using an external or USB drive to store company information, unless it is an encrypted, company-owned drive. Effective methods to control the use of such drives are to disable USB mass storage on company computers (keyboards, mice and webcams keep working), or to install an application that encrypts any drive connected to such ports and blocks writing to unencrypted ones.
- Phishing/social engineering and financial crime: Hackers are capitalizing on the coronavirus crisis by increasing phishing and social engineering attacks. If not implemented already, businesses should adopt safeguards for such threats, like banners alerting employees to emails originating outside the organization, a button permitting employees to forward suspicious email to IT, and a ‘sandbox’ that opens links and attachments in an isolated environment before they reach the employee. Remote work facilitates financial crime because employees are not working in one location and cannot simply walk over to verify a request. Businesses should require employees to confirm the authenticity of every electronic monetary transaction, and every change to payment instructions, via a second channel (like a phone call to a number already on file, never to a number supplied in the request itself).
- Privacy laws: Privacy laws remain in effect during this crisis, including laws protecting health information (like HIPAA) and personal information (like GDPR and CCPA). Businesses cannot disclose health or personal information about an employee who is or may be affected by the coronavirus without complying with statutory requirements for disclosure.
- Prohibited activities: Businesses should remind employees that certain activities are strictly prohibited. Such activities include handling company information using a personal email account, personal cloud account (such as Dropbox or iCloud), or personally owned computer that is not managed by the company.
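The laptop and external-drive controls above can be verified on a Windows machine rather than taken on trust. The following script is an added example, not from the article or its author: a read-only baseline check that reports whether a laptop meets the controls listed (disk encryption, current anti-malware, a password-protected screen lock of 15 minutes or less, no local administrator rights for the user, and USB mass storage either disabled or restricted to encrypted drives). It assumes Windows 10/11 with BitLocker and Microsoft Defender; the 7-day signature-age limit is this example’s own threshold, and the per-user screensaver values are read from the hive of the account that launched the elevated session.

```powershell
# Added example, not the article's own material. Assumes Windows 10/11 with
# BitLocker and Microsoft Defender. Run from an elevated PowerShell session
# started by the interactive user (Get-BitLockerVolume requires elevation;
# the screensaver values are per-user and live under HKCU).

$MaxLockSeconds = 15 * 60        # the article's 15-minute lock threshold
$MaxSignatureAgeDays = 7         # this example's own freshness threshold
$findings = @()

# 1. Full-disk encryption: the OS volume must be BitLocker-protected.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is '$($os.ProtectionStatus)' on $env:SystemDrive"
}

# 2. Anti-malware: Defender on, real-time protection on, signatures recent.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings += "Defender antivirus or real-time protection is not enabled"
}
if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-$MaxSignatureAgeDays)) {
    $findings += "Defender signatures last updated $($mp.AntivirusSignatureLastUpdated)"
}

# 3. Screen lock: screensaver active, password-protected, timeout <= 15 min.
# The values are REG_SZ strings; missing values read as $null and fail the check.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1') {
    $findings += "Screensaver is not active or does not require a password on resume"
}
if ([int]$desk.ScreenSaveTimeOut -gt $MaxLockSeconds) {
    $findings += "Screensaver timeout is $($desk.ScreenSaveTimeOut)s (limit $MaxLockSeconds s)"
}

# 4. Least privilege: the interactive user must not be a local administrator.
# Direct membership only; nested domain groups are not expanded here.
$me = "$env:USERDOMAIN\$env:USERNAME"
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $me) {
    $findings += "$me is a direct member of the local Administrators group"
}

# 5. Removable storage: either the USBSTOR driver is disabled (Start = 4),
# which blocks USB mass-storage devices but not keyboards or mice, or the
# BitLocker policy denies write access to drives that are not encrypted.
$usbstor = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$fve = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$usbBlocked = ($usbstor.Start -eq 4)
$unencryptedWriteDenied = ($fve -and $fve.RDVDenyWriteAccess -eq 1)
if (-not ($usbBlocked -or $unencryptedWriteDenied)) {
    $findings += "USB mass storage is allowed and unencrypted removable drives are writable"
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: this laptop meets the remote-work baseline"
} else {
    Write-Output "FAIL: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
    exit 1
}
```

The script only reads state and exits non-zero on any finding, so it can be run by a help desk over a remote session or wrapped in a management tool before a laptop is cleared for VPN access. It does not check the passphrase rules from the Laptops item, which are enforced by account policy rather than by anything visible on the endpoint.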
While this crisis can tempt businesses to facilitate remote work without effective cybersecurity, the crisis will become far worse for a business that also experiences a breach. Implementing the above safeguards does not have to be prohibitively costly or time-consuming, and will establish a foundation for appropriate cybersecurity after the crisis. Businesses should pause before rushing forward, and ensure that their remote workforces are cybersecure.
Attorney Cameron G. Shilling, a director at McLane Middleton and founder and chair of the firm’s Information Privacy and Security Group, can be reached at 603-628-1351 or [email protected].