Sheltering At Home Does Not Protect Your Company From All Threats
Prepared by J. Paul Zimmerman
March 26, 2020
Congratulations. You have your employees at home, sheltering in place and as productive as circumstances allow. But how is the company’s security posture in this rapidly expanded information system? Companies may have limited, if any, control over the personal networks, hardware, and software that are suddenly part of their IT systems. Security cannot be a mere afterthought, because the Covid-19 disruption has only increased attacks on systems and employees. Additional measures, beyond a simple policy against using personal email accounts for business, are necessary as part of any effort to provide employees with remote access. Some additional considerations include:
How secure are your employees’ home networks, devices, and software?
Home network security has improved in recent years, but your company’s IT department may not know how old those network devices are (and what type of security they support), whether they are properly protected, or whether security is even enabled. Furthermore, each device on the network needs its own endpoint protection, which may or may not be adequate or up to date. And where young family members can reach those devices, the risk to their settings is constant. Of course, efforts to govern home networks and devices can raise privacy issues.
FAQ
- Is multi-factor authentication (MFA) required?
Studies show that MFA can thwart upwards of 99.9% of automated login attacks. MFA should be required for remote access to the company’s systems.
- What controls are in place regarding contractors and vendors whose employees are now working remotely?
Many data incidents begin at a company’s vendor. Does your company’s vendor management program address security for vendor employees who are now working remotely? Your employees may have difficulty recognizing a malicious email sent from a familiar vendor’s email account if that account has been compromised. Do the protective orders in place in litigation address the information security precautions required of opposing counsel, who now holds your client’s data produced during litigation?
- Are your remote employees using trusted VPNs?
A VPN should be required for remote access. Like other software, VPN clients and gateways must be patched and updated, which presents its own challenges given the limited access IT may have to remote personal devices. Company-owned and governed devices should be used rather than personal devices. VPN ports on the network must also be monitored for aberrant activity.
- How are you educating your employees against scams and maintaining awareness?
The current threat landscape includes emails, websites, and links from social media that are scams promising information about Covid-19. Tens (if not hundreds) of thousands of domains relating to coronavirus have appeared in recent days, and many of them are malicious.
- Do your cyber liability and cybercrime policies cover incidents arising from remote access by an employee?
Setting up employees to work remotely needs to include a review of the company’s risk management posture to determine whether the company has coverage for incidents involving remote access and remote systems.
- Does the company’s incident response plan provide for incidents arising from remote access by an employee?
Incident response plans should be reviewed to determine whether they address incidents involving remote access and remote systems, including how the business continues if remote access itself must be suspended. Moreover, additional contingencies are needed if broader systems, such as servers and email, are affected in the current environment. For example, dependence on email increases when colleagues are no longer in offices or cubicles next to each other, so how will the company communicate if email is compromised?
- Do contractual obligations of the company prohibit or restrict remote work arrangements?
Most companies are themselves a vendor to another company, which may make them subject to another organization’s vendor management program. Requirements and restrictions as to data may be implicated by a sudden shift to remote work arrangements.
- Is the company taking steps to educate its employees about the different or additional risks of working remotely?
Employees are already the cause of about half of the data incidents companies experience. Taking on the additional risk of a widespread work-from-home arrangement means additional incidents should be expected. The new work arrangements mean that additional education may be necessary to maintain productivity while mitigating risk.
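The warning above about the flood of coronavirus-themed domains is the one point on this page that lends itself to a concrete check. The following Python script is an added illustration, not part of the firm’s advisory: it triages links found in mail against a small allow-list of trusted domains, flags hostnames that impersonate a trusted domain (a trusted name embedded in an unrelated registrable domain, or a one-character typo such as a zero for an “o”), and otherwise flags hostnames that carry pandemic keywords. The keyword list, the trusted-domain list and the sample mail log are all constructed for the example; real deployments would use the organization’s own allow-list and a proper public-suffix library in place of the naive two-label domain split.

```python
from urllib.parse import urlparse

# Constructed sample mail log (not from the original article): one line per
# message, tab-separated "sender<TAB>url". All hostnames are invented.
SAMPLE_MAIL_LOG = """\
alice@example-vendor.com\thttps://www.example-vendor.com/invoice/4417
unknown@mail.test\thttp://coronavirus-relief-funds.xyz/claim
billing@example-vendor.com\thttps://example-vendor.com.secure-login.top/reset
news@update.test\thttp://wh0.int/covid-19/advice
hr@example.org\thttps://intranet.example.org/policies
"""

# Assumed keyword list: terms that dominated scam domains in early 2020.
PANDEMIC_KEYWORDS = ("covid", "corona", "ncov", "pandemic", "quarantine")

# Assumed allow-list: domains the organisation actually expects links from.
TRUSTED_DOMAINS = ("cdc.gov", "who.int", "example-vendor.com")


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'mail.example.com' -> 'example.com'.
    Deliberately naive: it does not know public suffixes such as 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character swaps such as wh0.int."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS, keywords=PANDEMIC_KEYWORDS) -> str:
    """Return 'trusted', 'lookalike', 'keyword' or 'ok' for a single URL."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "ok"
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        # Trusted name embedded in a different registrable domain,
        # e.g. example-vendor.com.secure-login.top
        if t in host:
            return "lookalike"
        # One-character typo or homoglyph of a trusted domain, e.g. wh0.int
        if levenshtein(reg, t) <= 1:
            return "lookalike"
    if any(k in host for k in keywords):
        return "keyword"
    return "ok"


def triage(mail_log: str):
    """Parse the tab-separated log and return (sender, url, verdict) tuples."""
    results = []
    for line in mail_log.splitlines():
        if not line.strip():
            continue
        sender, url = line.split("\t", 1)
        results.append((sender, url, classify_url(url)))
    return results


if __name__ == "__main__":
    # Print everything that is not from a trusted domain for a human to review.
    for sender, url, verdict in triage(SAMPLE_MAIL_LOG):
        if verdict != "trusted":
            print(f"{verdict:9} {sender:28} {url}")
```

On the constructed log the script reports the relief-fund domain as a keyword hit and both the subdomain impersonation of the vendor and the zero-for-o spoof of who.int as lookalikes, while the intranet link passes. A lookalike verdict is checked before the keyword test on purpose: a link that imitates a trusted vendor is a stronger signal than a pandemic word alone, and it is exactly the case the vendor-compromise question above warns about.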
Some of the more obvious risks are less of an issue at present because most people are sheltering at home. The basics, such as not using public WiFi, being careful about who can see your screen, and not leaving devices unattended, may therefore be less applicable right now, but they are no less important. For the moment, the immediate focus should be on the implications of the environment the company’s employees are actually in.
About Christian & Small
Christian & Small LLP represents a diverse clientele throughout Alabama, the Southeast, and the nation with clients ranging from individuals and closely-held businesses to Fortune 500 corporations. By matching highly experienced lawyers with specific client needs, Christian & Small develops innovative, effective, and efficient solutions for clients. With offices in Birmingham, metro-Jackson, Mississippi, and the Alabama Gulf Coast, Christian & Small focuses on the areas of litigation and business, is a member of the International Society of Primerus Law Firms, and is the only Alabama-based member firm in the Leadership Council on Legal Diversity. Our corporate social responsibility program is focused on education, and diversity is one of Christian & Small’s core values.
No representation is made that the quality of legal services to be performed is greater than the quality of legal services performed by other lawyers.