Cybersecurity tips for remote working during the coronavirus outbreak
by Alisa L. Chestler and Alexandria Murphy, Baker Donelson
What can we do to prepare if employees need to work remotely because of coronavirus?
As organizations prepare for certain contingency work arrangements in response to the coronavirus (COVID-19) outbreak, companies must also focus attention on ensuring appropriate cyber hygiene. Companies are anticipating more individuals working remotely from the safety of their own homes to avoid contracting the virus and other companies are planning for potential quarantines and school closings.
The flexibility of working remotely, however, involves real cybersecurity risks that companies should be aware of and work to mitigate in the face of the COVID-19 outbreak. With increased remote work, there is increased risk of employees accessing data through unsecured and unsafe Wi-Fi networks, using personal devices to perform work, and not following general security protocols established by the company.
Additionally, where employees are working remotely from their own homes, there are often added distractions. Employees may have to balance work with children or pets who are also in the home, try to perform routine household chores during the workday, or even get distracted by having television and other personal electronics at their disposal. Children with access to an open computer connection could inadvertently cause a security incident. Such distractions also increase the risk of an employee falling prey to a phishing attack. Employees should be reminded of these issues through training or handy guidelines issued for remote users.
As individuals are approved or otherwise authorized to work remotely, there must be a multi-departmental focus on maintaining proper controls. Management should be coordinating with the human resources (HR) and information technology (IT) departments to establish security controls and ensure employees are properly trained on those controls in the remote work context.
Companies should have a protocol in place for secured remote access to company networks. Where possible, such connections should be through a virtual private network (VPN), which routes the connections through the company's private network, or another encrypted connection mechanism. Where employees can remotely access sensitive information on the network, VPNs should be configured with multi-factor authentication (MFA) as an added security layer. With MFA enabled, even if an employee's VPN credentials are compromised, an unauthorized actor will be unable to connect through the VPN without a second factor (e.g., a code sent to an individual's smartphone, a hardware token, or biometric verification).
The IT Department should ensure firewalls are properly configured and monitor firewall logging to identify attempted or successful connections from unauthorized or suspicious Internet Protocol (IP) addresses. If there are regions of the country and/or world from which employees would have no reason to be remotely connected to the company network, the IT Department can proactively "blacklist" the IP ranges for those geographic regions to prevent connections. This may not be possible for a multinational company where employees may be scattered throughout the world but can be an effective measure for smaller companies or those with a regional presence.
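The firewall log review described above can be partly automated. The following Python script is an added illustration, not code from the article or from Baker Donelson: it reads constructed firewall log lines (the line format, usernames and addresses are all assumptions), checks each source address against a placeholder list of blocked ranges standing in for the geographic IP ranges the company has decided to deny, and reports two things an IT department would want to see in a daily review: repeated denied attempts from blocked ranges, and any successful connection from a blocked range, which indicates a gap in the firewall policy.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log lines (not from the article). The format
# "<timestamp> <action> src=<ip> dst=<ip>:<port> user=<name>" is assumed.
SAMPLE_LOG = """\
2020-03-16T08:01:12Z ACCEPT src=192.0.2.45 dst=10.0.0.5:443 user=jdoe
2020-03-16T08:02:03Z DENY src=203.0.113.17 dst=10.0.0.5:443 user=-
2020-03-16T08:02:04Z DENY src=203.0.113.17 dst=10.0.0.5:443 user=-
2020-03-16T08:05:40Z ACCEPT src=198.51.100.9 dst=10.0.0.5:443 user=asmith
2020-03-16T08:07:55Z ACCEPT src=192.0.2.46 dst=10.0.0.5:443 user=bwong
"""

# Placeholder for the geographic ranges the company chooses to block (the
# article's "blacklist"). A real deployment would load these from a GeoIP
# feed; these are reserved documentation networks (RFC 5737), not real regions.
BLOCKED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_line(line):
    """Split one log line into a dict with timestamp, action, source IP, user."""
    parts = line.split()
    ts, action = parts[:2]
    fields = dict(part.split("=", 1) for part in parts[2:])
    return {
        "ts": ts,
        "action": action,
        "src": ipaddress.ip_address(fields["src"]),
        "user": fields["user"],
    }


def is_blocked(ip, ranges=BLOCKED_RANGES):
    """True if the address falls inside any of the blocked ranges."""
    return any(ip in net for net in ranges)


def review_log(text, ranges=BLOCKED_RANGES):
    """Return (accepted_from_blocked, denied_attempt_counts).

    accepted_from_blocked lists records where a blocked range was ACCEPTed,
    i.e. the firewall rule did not do what policy intended.
    denied_attempt_counts counts DENY events per blocked source address.
    """
    accepted_from_blocked = []
    denied = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_blocked(rec["src"], ranges):
            continue  # traffic from permitted regions is not reviewed here
        if rec["action"] == "ACCEPT":
            accepted_from_blocked.append(rec)
        else:
            denied[str(rec["src"])] += 1
    return accepted_from_blocked, denied


if __name__ == "__main__":
    gaps, attempts = review_log(SAMPLE_LOG)
    for rec in gaps:
        print(f"POLICY GAP: {rec['ts']} {rec['src']} accepted as user {rec['user']}")
    for src, n in attempts.most_common():
        print(f"denied attempts from {src}: {n}")
```

Running the script against the sample prints one policy gap (the accepted connection from 198.51.100.9) and two denied attempts from 203.0.113.17. In practice the same review should be repeated on VPN concentrator logs, since a connection that the perimeter firewall allows is still an authentication attempt worth correlating with the user's known location.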
Personal devices are more likely to be used when employees are working remotely, and such use presents additional cybersecurity risks given the lack of corporate control over the devices. Where mobile devices (e.g., mobile phones, tablets, laptops) are permitted to connect to the corporate network, companies should ensure those devices are equipped with mobile device management (MDM) software. MDM software allows the corporate IT Department to manage such devices by ensuring that the devices are configured to consistent standards, scheduling updates and patches for the devices and the applications installed on them, tracking the location of devices, and – in circumstances where such devices are lost or stolen – permitting the devices to be remotely wiped.
Before employees are authorized to connect remotely to the corporate network, they should have adequate training on acceptable use policies, the logistics of connecting to the network, appropriate use of Wi-Fi, and steps to take if a security incident or other compromise is suspected or identified. While these subjects are often covered in annual employee trainings, if your company is seeing increased remote work, now is a good opportunity to provide a training update or informal security reminders.
Such training should also address the increased risk of phishing attacks and other social engineering schemes during crises such as the COVID-19 outbreak. Threat actors recognize and try to exploit the fact that individuals may be distracted and less cautious during remote working situations. Already there have been reports of attackers exploiting the COVID-19 outbreak by sending malicious emails to businesses in geographic areas heavily impacted by the virus or in specific industries that may face shipping delays because of the virus. All employees should be reminded to use caution in opening emails, particularly those that include links or attachments, and to report suspicious emails to the IT department. Regardless of the efforts of the company and the sophisticated security measures put in place to create a safe environment for remote workers, the risk of human error will always exist.
All employees should have a listing of contact information for key personnel at the company, including IT personnel. Employees should be provided a hardcopy or instructed to print the contact information for use, if needed, while working remotely. Similarly, employees who are part of the company’s Incident Response Team should have a hardcopy version of the company’s Incident Response Plan for ease of access should a cybersecurity incident occur while employees are out of the office.
As your company takes steps to promote physical health in the face of the COVID-19 outbreak, you should also consider how your company can enhance cybersecurity through proper security controls and employee training. It is important to remember that all companies are different, and varying controls and procedures may be appropriate depending on the size and complexity of the company, as well as the sensitivity of the information maintained by the company.
In light of COVID-19, the Federal Financial Institutions Examination Council (FFIEC) issued updated guidance regarding pandemic planning for financial institutions. The guidance includes actions such institutions should consider taking to minimize adverse effects of a pandemic and limit the impact on the institution’s ability to provide certain critical financial services. Although the guidance applies to financial institutions directly, it contains general principles for business continuity that can be helpful for companies in all industries and sectors.
Alisa L. Chestler, CIPP/US, is a shareholder with Baker Donelson, where she concentrates her practice in privacy, security and records management issues; health care and insurance regulatory compliance; and corporate transactions matters. Alexandria Murphy, CIPP/US, is an associate with Baker Donelson, where she concentrates her practice in data privacy and security issues, along with health care and insurance regulatory compliance matters. Both are members of Baker Donelson's Data Protection, Privacy, and Cybersecurity Team.
First published in Corporate Counsel