By: J.P. Harris
March 25, 2020
In the last several weeks, many businesses have significantly increased the number of telecommuters to implement social distancing in response to the COVD-19 outbreak. Increasing outside access to the company’s network and dispersing access to company data to more remote workers increases legal risk that must be managed. Data privacy and security laws remain in effect through the Coronavirus pandemic, and even if those laws are relaxed, financial pressures mandate vigilance through this period of unrest.
If businesses have not already done so, they should draft and implement written telecommuting policies that, among other things inform employees that this is a temporary situation and make employees responsible to ensure a safe work environment at home.
In addition to addressing the practicalities of working from home, companies must also address the cyber risks of a remote workforce. The written telecommuting policy suggested above should address these cybersecurity concerns:
- Provide specific instruction as to the manner in which employees can access company systems from the outside. If the company provides a secure VPN connection, for example, employees should be required to use it and no other. Companies need to limit the “rogue IT” phenomenon, one in which employees “find their own solution.”
- Require employees to address the security of the home networks. If employees must use personal computers or networks to work remotely, companies’ IT staff should provide instruction to ensure the security of the home networks is as solid as it can be. Employees may need to be guided through the updating and patching process for their computers and firewalls as well as ensuring passwords to home routers are strong. Employees’ personal security hygiene impacts the chances their hardware will be used by hackers to access employers’ data. As a remote offshoot of the companies’ systems, the home networks need to be secured as well.
- Bolster password management. Companies should require employees to change passwords more frequently and disallow the use of the same password for personal accounts as is used to access the companies’ systems. If possible, companies should utilize multifactor authentication as another layer of security before employees can access the companies’ systems. If it has not already, this will become the “standard of care” or expected minimum for most companies.
- Disallow employees from saving any company data locally – on their home computers. The more repositories of data, the more places that need to be protected/the more places hackers can find sensitive data. Saving locally might also contradict data privacy rules/regulations and contractual promises made by the employer to third parties (including the employer’s insurer, which could jeopardize available cyber insurance).
- Dictate sanctioned resources. Companies should create and maintain a list of applications that are approved and disallow the use of any other resources. The fewer applications that need to be patched and updated, the better. Third party apps are an additional vulnerability if they do not treat security seriously. Beyond that, limiting the number of applications eases the burden on the IT department.
- Instruct employees that if they suspect an intrusion or security incident, even one to their home systems, they must report it to the company immediately. Employees’ home networks can be the doorway for hackers to compromise their employers’ systems. It is vital that employees report suspicious activity on their home networks so that their employers can investigate whether there has been an intrusion to the companies’ systems.
In addition to the above steps, companies need to be more vigilant about phishing scams. Hackers are using COVID-19 as a mechanism to deploy nefarious links to employees who are trying to get up-to-date information. Employees must be reminded and trained to refrain from clicking on links that come from unknown sources.
IT departments are stretching to get remote workers up and running. Even so, IT departments need to remain disciplined about the companies’ patches and updates. If companies employ a third-party managed services provider, it would be wise to call the provider to ensure they have the manpower necessary to handle all of their clients’ challenges, monitor for intrusions, keep systems up-to-date, and otherwise comply with their obligations. If there is any uncertainty as to whether the provider can keep up, companies should become the squeaky wheel to ensure resources are reallocated and/or take back more control over their own systems.
Companies need to ensure that their current configuration, with more remote workers, is consistent with representations made when the company applied for cyber insurance. During the application and underwriting process, the company undoubtedly completed a questionnaire that included questions about security measures in place. If the new remote workforce arrangement contradicts the representations made in the insurance application, it is possible the insurer will later decline coverage for an incident.
The interplay between IT and legal is complicated enough, but it is even more so when scores of employees work from home (some for the first time in their careers). Vigilance is best medicine, at least when it comes to data security and managing the legal risks.