As COVID-19 spreads around the globe, cybersecurity and data privacy risks are expanding for employers. Read on to learn some simple steps you can take to address and mitigate the dangers.
2 Key Areas of Opportunity for Cyberthieves
Cybercriminals are taking advantage of the pandemic in two ways:
- First, they’re launching phishing campaigns to lure e-mail users into clicking on malicious links that appear to be legitimate information from public health officials and other news sources about the growing coronavirus risk.
- Second, as organizations shift employees to remote work as part of their overall coronavirus response, more employees may be using unsecured Wi-Fi networks, handling information outside of secure channels, relying on personal devices for remote work, and not following the employer’s security policies.
Together, the factors increase the risk for cybersecurity and privacy incidents, which could lead to ransomware infections, compromised business e-mails, and the release of information protected under state, federal, and international privacy laws.
Changes in Threat Landscape
Cybercriminals regularly use targeted, topical campaigns to gain unauthorized access to user credentials. In times of crisis, even companies with training programs in place may find staffers—and especially their busy, time-pressed executives and employees new to remote work—tricked into clicking on a link or opening an attachment in what appears to be a COVID-19 outbreak-related e-mail. Once that happens, the hackers may be able to use the compromised e-mail account to cause a great deal of harm, which could include:
- Gaining access to sensitive company information, protected personal data, or financial information;
- Embedding ransomware they can later activate to encrypt or destroy the organization’s data and systems; or
- Carrying out a business e-mail attack in which they use the compromised account to send fraudulent messages to other parties with directions to wire funds to fake accounts.
According to cybersecurity researchers, nation-state threat actors are using bots and other online accounts to spread deliberate misinformation about COVID-19 and send targeted phishing attacks to users in countries where the virus has gained a foothold. You should warn your staff about the risks and assess whether additional training, technical measures, or other steps may be helpful in counteracting them.
Remote Work Increases Cybersecurity, Privacy Risks
As more employees begin working remotely, you should prepare in advance to mitigate the increased cybersecurity and privacy risks. Your comprehensive planning should span all the departments in your organization to train employees and ensure their IT infrastructure can accommodate the increased demand.
Given the pace of the virus outbreak and changes in local conditions, you may need to implement remote work policies on short notice. Failing to plan ahead would increase the risk employees will handle information in ways that compromise data privacy, security, or both (e.g., taking confidential information home, forwarding it to personal e-mail accounts, or uploading it to personal cloud accounts).
12 Ways to Protect Your Infrastructure
Here are 12 steps to protect your infrastructure from cyberthieves:
- Evaluate your remote access capabilities (e.g., be sure the virtual private network and other remote access systems are fully patched, test web and voice conferencing capabilities, and ensure employees have access to and understand how to use them);
- Test employees’ ability to work remotely (e.g., rotate staff to telework on selected days during the week to identify issues in anticipation of a new facilities closure or quarantine order);
- Provide laptop computers, monitors, keyboards, printers, docking stations, and shredders, and avoid, if possible, shifting work to personally owned computers;
- Consider employees who require access to paper documents and files, and identify and securely provide access to cloud file stores where shared use of documents is required, using multifactor authentication and encryption;
- Identify the ability to reset (remotely if possible) the schedule for exterior doors automatically locking and unlocking for business hours;
- Develop open communication and coordination with key vendors and other outside parties, including clients, shareholders, limited partners, regulators, and the media;
- Test critical service providers’ ability to support your business during a disruption (e.g., ensure clients can access investor portables or continue to receive investor/client reports);
- Ensure the organization’s firewalls are properly configured, and log attempted and/or successful connections from unauthorized or suspicious Internet Protocol (IP) addresses;
- Develop backup or alternative processes (e.g., manual or in-house) to ensure continuation of critical business operations;
- Consider alternative service providers;
- Implement multifactor authentication; and
- Review your incident response plan to consider a workforce across a distributed environment.
9 Cybersecurity Tips for Remote Workers
Here are things you can do to promote cybersecurity for your remote employees:
- Provide training to employees, especially those new to remote work, and remind them of your cybersecurity precautions;
- Ensure they transfer data securely and encrypt data on all portable storage devices (USB drives, external hard drive), and use secure data destruction (e.g., shred paper documents, or return paper documents to the office when employees come back from remote work);
- Notify employees about the procedures for letting you know when a suspected data or network compromise occurs;
- Tell employees they should be on high alert for increased phishing attacks, and verify the sender’s e-mail address, especially in messages relating to the authorization of expenses, funds transfers, any money payment, financial account or payroll information, and other sensitive data (also, avoid clicking on links in unsolicited e-mails, and be circumspect of attachments);
- If not already in place, consider implementing an external warning banner that identifies e-mails sent from an external sender, which will remind employees to verify the sender’s e-mail address when they view and respond to work messages in the condensed format on their mobile devices;
- Require employees to carry laptop computers home each day as new quarantines and closures may be enacted with little warning;
- Remind them to take particular care when they’re handling core business functions from a smartphone or other mobile device to verify the authenticity of the e-mail sender, recipient, and information contained therein (e.g., when in doubt, call the recipient to verify over the phone, or use another means of verification);
- Ensure all remote employees have access to IT support; and
- Remind your remote workforce to enable automatic updates on their personal computers or work laptops and turn off their computers and restart for updates at least once every three days.
April Falcon Doss and Jillian K. Walton are attorneys with Saul Ewing Arnstein & Lehr LLP. Doss chairs the Firm’s Cybersecurity and Privacy Practice and co-chairs the Firm’s Congressional Investigations Practice. Walton maintains a general litigation practice and handles a variety of matters for individuals, companies, and institutions of higher education involved in complex commercial disputes in state and federal courts. You can reach them at firstname.lastname@example.org and email@example.com.