As corporations and even entire municipalities are increasingly advising their employees to work from home in light of COVID-19, it is important to remember that doing so is not without its risks.
For any corporation or organization which has information to protect (which is to say, everyone), permitting company data to be remotely accessed by employees raises the chances of a cyber-incident involving that data. And, where a cyber-incident occurs, the company may have a duty to report the incident to consumers, regulators and business counterparties.
Put simply, cyber criminals are not expected to take a “corona-holiday.” In fact, some might even prey on vulnerabilities created by the situation. Fortunately, there still is time to address the potential privacy and data security risks—and to develop clear guidance for employees to follow. These policies should be tailored to each company’s specific risk profile and communicated clearly to all employees.
While every organization’s information security defenses are unique, some of the most common risks to be addressed concerning remote work include the following:
- Unsecure personal and public WiFi networks: Employees’ home networks and connected devices may be vulnerable to malware or ransomware attacks through their wireless routers. Hackers could monitor network traffic or access files on connected devices. In a pinch, employees might even use their personal computers on public networks at libraries or cafes, which are even less secure. Companies should therefore strongly recommend that their employees secure their home WiFi networks with a robust password, keep their wireless routers updated regularly and, when possible, avoid using computers containing sensitive information on public networks.
- Working on unsecure personal or shared devices: Home computers may be shared among family members and may not be the most up to date. They may lack critical security patch management that would otherwise protect them and the data on them. They may be laptops which are transported in vehicles and may not be password-protected (or have weak or compromised passwords). And the hard drive may not be encrypted. To the maximum degree possible, employees should be advised to only conduct work on their employer-issued computers. Where this is not possible, home computers should, to the greatest degree possible, be as secure as business laptops; and desktops and personal laptops should not be allowed to leave the home.
- Transferring corporate data using personal e-mail accounts: Employees sometimes send sensitive information to their personal e-mail accounts (perhaps out of convenience) to download onto a personal computer or to print at home. Many major webmail providers have, however, suffered data breaches in recent years, and these nonenterprise email accounts usually lack the robust protections that centrally managed commercial accounts often have, such as multifactor authentication or logs that would help a forensic investigator determine the cause and scope of a breach.
- Deleting corporate data from personal accounts: In addition to advising employees against sending sensitive company data to their personal email accounts, it is just as important to remind employees to permanently delete any corporate data remaining on their email accounts after they return to their normal working arrangement. It may even be appropriate, subject to applicable law and corporate policies consented to by the employee, to monitor company email systems to identify specific employees who have sent emails to their personal accounts, and to counsel them in connection with this poor practice.
- Synching with personal cloud storage accounts: Employees working remotely or from home may be tempted to use a personal cloud service account, which may be less secure than corporate systems, to transfer documents or data to and from the office. Files may even be synching from the employee’s personal computer to the cloud without their knowledge. As with personal email, employers should monitor network activity, and employees should be advised to search their personal cloud accounts for any work-related data and permanently delete it.
- Physical document management and destruction: Don’t forget the paper! In a hurry to migrate to a home environment, employees may take hard-copy sensitive or confidential materials off-site that they would not otherwise. They may also print documents containing sensitive, nonpublic information in public locations or on network printers with unsecure connections. Employees should be advised not to take critical materials off-site unless truly unavoidable, and to never print corporate documents at home or at hotel business centers unless the compelling reasons to do so clearly outweigh the manifest risks. Additionally, employees without cross-cut shredders at home should be advised to return all printed materials once they return to the office for proper destruction, and to avoid disposing of documents at home or in a public place without proper cross-cut shredding.
- Unsecure connections to employer systems: Absent a secure virtual private network (VPN), employees may attempt to connect to a company’s systems in an insecure manner, such as using insecure remote desktop software to connect to their work computers. To the extent that the company anticipates employees may need to access information on the company’s network—for example, many employees have a network-enabled personal drive to store their documents—employers should investigate the viability of configuring a VPN for certain employees or for data that is critical for conducting business. Remember also to require employees who have web access to corporate e-mail to enable two-factor authentication to the web-accessible portal or any other web-accessible corporate network.
- Phishing schemes and other frauds: Unfortunately, cybercriminals are always searching for security vulnerabilities to exploit, and many employ sophisticated attacks tailored to specific organizations and their employees. A malicious hacker could target employees working from home, for example, by creating a fake coronavirus notice or phony request for charitable contributions (this happened following 9/11 and Superstorm Sandy). They might even go so far as to create a fake web page that looks exactly like the company’s web-based platform for employee email and, impersonating someone in the IT department, send an email to employees with a link to the imposter site in order to harvest user names and passwords. Our firm has counseled several clients whose email systems were compromised in just this manner. Employees should be advised to look out for and report any suspicious communications that appear to be impersonating someone inside the company, or a trusted vendor or customer.
- Unsecure conference call lines: An increased need for conference call or video services may exceed the capacity of the company’s existing accounts. A free or online-based service may seem like a sensible temporary alternative, but employees should be advised against using these for work-related calls without consulting with the company. Some services may not be secure or may even record employees’ conversations by default (a subject for another day). Employers are well-advised to proactively work with their existing—presumably secure—conference call provider to accommodate the temporary need, or to identify a secure alternative for employees to use.
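The monitoring suggested under the personal email and personal cloud items above, as an added example that is not from the article or the firm: a Python script that scans a constructed, simplified mail-gateway log for messages a corporate sender addressed to consumer webmail domains and aggregates them per sender. The log format, the corporate domain example-corp.test and the webmail domain list are assumptions.

```python
import re
from collections import Counter

# Constructed sample of a simplified mail-gateway log (not a real product's format).
MAIL_LOG = """\
2020-03-16T09:02:11Z from=alice@example-corp.test to=bob@example-corp.test attach=0
2020-03-16T09:15:40Z from=alice@example-corp.test to=alice.home@gmail.com attach=2
2020-03-16T10:01:03Z from=carol@example-corp.test to=vendor@partner.test attach=1
2020-03-16T11:22:57Z from=dave@example-corp.test to=dave1979@yahoo.com attach=0
2020-03-16T12:45:19Z from=alice@example-corp.test to=alice.home@gmail.com attach=1
2020-03-16T13:05:44Z from=erin@example-corp.test to=erin@outlook.com attach=3
"""

CORPORATE_DOMAIN = "example-corp.test"  # assumed corporate mail domain
# Consumer webmail domains to watch for; extend to match what your gateway actually sees.
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) attach=(?P<attach>\d+)$")

def find_personal_forwarding(log_text, corp_domain=CORPORATE_DOMAIN, webmail=PERSONAL_WEBMAIL):
    """Return (timestamp, sender, recipient, attachment_count) for every message a
    corporate sender addressed to a consumer webmail account."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        sender, recipient = m["from"], m["to"]
        if (sender.rsplit("@", 1)[-1].lower() == corp_domain
                and recipient.rsplit("@", 1)[-1].lower() in webmail):
            events.append((m["ts"], sender, recipient, int(m["attach"])))
    return events

def summarize_by_sender(events):
    """Aggregate per sender so follow-up (the counselling the article suggests) rests on
    a pattern, not one message. Returns {sender: {"messages": n, "attachments": n}}."""
    messages, attachments = Counter(), Counter()
    for _, sender, _, attach in events:
        messages[sender] += 1
        attachments[sender] += attach
    return {s: {"messages": messages[s], "attachments": attachments[s]} for s in messages}

if __name__ == "__main__":
    found = find_personal_forwarding(MAIL_LOG)
    for ts, sender, rcpt, n in found:
        print(f"{ts} {sender} -> {rcpt} ({n} attachment(s))")
    print(summarize_by_sender(found))
```

Whether such monitoring is permissible depends on the applicable law and the policies the employee has consented to, as the article notes.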
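The impersonation scenario in the phishing item above, seen from the detection side, as an added example not taken from the article: a Python check that extracts the links from an email, compares each host against an assumed allowlist of the company’s real webmail and portal hosts, and flags hosts that embed the company name or are a near-miss spelling of a real host as lookalikes. All domains and the sample message are constructed.

```python
import re
from urllib.parse import urlparse

LEGITIMATE_HOSTS = {"mail.example-corp.test", "portal.example-corp.test"}  # assumed real hosts
COMPANY_TOKEN = "example-corp"  # brand string an imposter site would reuse in its hostname

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance, used to spot hosts one or two characters off a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'legitimate', 'lookalike' or 'external' for the hostname of an email link."""
    host = host.lower()
    if host in LEGITIMATE_HOSTS:
        return "legitimate"
    # Brand name embedded in a foreign domain, or a near-miss spelling of a real host
    if COMPANY_TOKEN in host or any(edit_distance(host, h) <= 2 for h in LEGITIMATE_HOSTS):
        return "lookalike"
    return "external"

def suspicious_links(email_body):
    """Return [(url, verdict)] for every link that is not on the legitimate list."""
    results = []
    for url in URL_RE.findall(email_body):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict != "legitimate":
            results.append((url, verdict))
    return results

# Constructed sample of the kind of IT-impersonation message the article describes.
SAMPLE_EMAIL = """\
Subject: Action required: re-validate your webmail access for remote work
Please confirm your credentials at https://mail.example-corp-login.test/verify
within 24 hours, or use https://mail.examp1e-corp.test/ instead. The intranet
https://portal.example-corp.test/ and https://news.partner.test/covid remain available.
"""

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```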
Because many employees are understandably concerned about their health and the health of their families, it is natural that data security is not their first priority as they cope with the coronavirus outbreak. However, with some careful planning, well-defined policies and transparent communication between employees and management, companies should be able to maintain the security of their data while keeping their employees safe.
Joseph V. DeMarco is the founding partner of DeVore & DeMarco LLP, a boutique law firm practicing exclusively in the law of data privacy and security and cybercrime prevention and response. From 1997-2007 he was an Assistant United States Attorney in Manhattan, where he led the Computer Hacking and Intellectual Property Program. He can be contacted at firstname.lastname@example.org.