[co-author: James Harrison, Invisus]
When the coronavirus crisis hit, many companies around the world were forced to immediately transition to a remote workforce, a big departure from the previous norm. While about a third of survey respondents in Gallup’s Global Work-from-Home Experience Survey, published in early May, said they worked from home at least weekly before the pandemic, that number rose to 89% during COVID-19. And many experts expect the number of remote workers to stay high for the foreseeable future.
This new reality raises operational and legal issues across all aspects of a company’s business. One of the most significant is an increased threat of cybersecurity breaches. “There’s a lack of good cyberhygiene in the home environment,” explains James Harrison of Invisus, a provider of cybersecurity services. “It’s not that the bad guys are more active, it’s that there are more weaknesses and more access. For small and mid-sized companies especially, control of cyberhygiene in the home environment is a big challenge.”
The number of cybersecurity incidents increased dramatically during the pandemic. Almost a quarter (23%) of cybersecurity professionals surveyed in spring 2020 by (ISC)2, an association of information security leaders, said their organization had seen an increase in security incidents since the crisis began. A separate survey of 1,000 business decision makers from Barracuda Networks found that 46% of companies had already had at least one cybersecurity scare in the first month of the pandemic, while 49% expected to see a data breach or cybersecurity incident in the month following the survey.
These incidents can have significant ramifications, not just financially but in losses of proprietary information and harm to company reputation and brand value.
An Unsecure Environment at Home
When working from home, employees are often using unsecured Wi-Fi routers and personal devices. “Your data was in a controlled environment at the office and is now in a distributed environment in remote locations, and not all are secure,” says Mark Rasch of law firm Kohrman, Jackson & Krantz (KJK), which is a member of the global legal network Meritas Law Firms. “In a closed environment on a company network, you’re protected by the firewall, but you don’t have that at home. You still have a duty under the law, as well as by corporate policy and contract, to protect your data. The problem is you have no ability to protect it when it’s distributed.”
Remote employees also blur the lines between work and home as they use laptops, tablets, and phones for both purposes at all hours. “There’s no longer a clear delineation of what happens at home and work,” says Rasch.
That introduces risks. Some employees may have personal habits, such as viewing pornography or P2P file sharing, that could not only expose a company to liability but are also known conduits for cybercriminals to breach a network. In addition, family members may have access to devices used for work. “Teenagers are smart,” Harrison says. “They can bypass your controls and disable your firewalls to download a cheat code for an online videogame, and you might never know it happened.”
Techniques used by cybercriminals are varied, extending to identity fraud, spoofing and business email compromise (BEC), spamming, phishing, ransomware and cryptolock attacks, malware and viruses, computer hijacking, and Zoombombing. Bad actors can disguise a communication as coming from a trusted source, duping employees and leadership into giving them access to a network or even money. They can intercept legitimate emails and reroute funds into their own accounts. They can hijack videoconferencing platforms or voice-controlled virtual assistants like Alexa, inserting racist messaging, defaming someone, or sneaking into a large group chat to steal trade secrets. Crimes such as these that expose sensitive or customer information violate data breach, consumer protection, and negligence laws.
Companies should immediately take steps to address any gaps in cybersecurity due to their employees working from home. “If you’re negligent, a cyberincident is inevitable,” according to Harrison.
Review and Implement Policies and Protocols
“The number-one piece of advice is to take time to evaluate your remote workforce plan, assess its strengths and weaknesses, and fix it—fast,” Harrison says. “Many companies do not have a remote workforce plan at all.” Having a plan that addresses the remote workforce specifically will keep a company compliant with federal, state, and industry data-breach requirements, as well as consumer privacy laws like Europe’s General Data Protection Regulation and the California Consumer Privacy Act.
“Companies often have no policy or an inadequate policy, or they go out and download a policy,” explains Rasch. “For a remote cybersecurity policy to be effective it has to be appropriate and tailored to your business.” Unique factors to consider include company size, technology infrastructure, nature of the work, workforce age, and employee needs and desires.
The policy should include, among other factors:
- which employees can access the company’s various systems and data.
- how they must connect (e.g., via VPN and/or with certain password protocols).
- the rules for Internet usage.
- practices for employee monitoring (with consent).
- what devices can or must be used (corporate-issued or their own).
“Your normal corporate policy on what software is required, allowed, and not allowed is almost impossible to follow at home, especially if your employees are using their own devices,” notes Rasch. “World of Warcraft is not approved, but it’s on their home device. You might not allow Gmail at the office, but that’s hard to enforce at home. You have to accommodate things like that.”
Aside from their cybersecurity documentation, companies also need to review contracts with cloud service providers, IT service providers, web hosting platforms, vendors, suppliers, business partners, customers, and labor unions.
They should also take a look at their insurance policies. “The company’s cybersecurity insurance policy may not cover employees that are working at home, especially if they’re using their own hardware,” says Brett Krantz, also a lawyer with KJK. “You’re not protecting your data or third-party data adequately, and that opens you up to liability. Meanwhile, you’re in breach of your policy and less likely to be covered. A lot of companies haven’t thought about this.”
Finally, maintaining compliance with laws, regulations, and company policy goes beyond the initial document review. “Frequent monitoring is very important,” says Harrison. “Employees need to be checked regularly to ensure they are following safe remote work practices, and you need to follow up with remote work technology vendors to see if they’re keeping up to date with security enhancements and aren’t putting employees or the company at risk.” Harrison also recommends conducting a risk and compliance assessment—even if one has been completed recently—to address and respond to new risks arising in the work-from-home landscape.
Technology and IT Support
Best practice for a remote-working scenario is to set up a virtual private network (VPN). It should be noted, however, that VPNs are not wholly secure. A cybercriminal could use a phishing attack or capitalize on an insecure Wi-Fi connection to gain access to the employee’s device, and then enter the corporate network from there. The network sees the intrusion as coming from a trusted employee and does not stop it. Therefore, additional steps are required, including requiring multifactor authentication and performing regular vulnerability scans of the firewall to identify and fix weaknesses before they are exploited.
Many companies take additional steps beyond the VPN, such as issuing secure laptops or tablets to all employees to use exclusively for remote work purposes, creating a secure area on a personal device where all work is to be done, adding layers of encryption and antivirus protection, implementing security alerts, limiting access to only those employees who need certain information, and/or providing WPA3-enabled routers to remote workers. It is also beneficial to require employees to work in a secure shared folder, rather than downloading, working offline, and then reposting, which creates two copies of the project, one of them insecure.
Harrison stresses the importance of full-time tech support for remote workers as well as of ensuring that employees know the approved process for accessing that support. “Shadow IT is a real problem,” he says. “When employees can’t get tech support right away, they’ll try to solve the problem themselves or turn to their brother-in-law. Those DIY fixes can drive vulnerabilities.”
It is also essential to have a response plan in place for when a breach occurs, as well as to provide employees with non-digital means of communication such as phone numbers, fax numbers, or snail mail addresses, in case a network goes down.
Training and Monitoring
Employees should sign work-from-home non-disclosure and security agreements, along with giving consent for any monitoring that will be done. Even with this paperwork, however, training is critical. “Employee error is one of the biggest causes of cyberbreaches,” says Harrison. “You have to rely on employees to do their part and be responsible.”
Employees working from home must be apprised of practical information such as how to connect and log on securely, which devices they can or must use, and the rules for personal Internet and social media usage. Employees can sometimes let down their guard at home, potentially resulting in pirated music or pornography ending up on the corporate network, raising liability concerns. They also need to be aware of what they must do if they receive a security alert, as well as the urgency of reporting it.
“It’s also a good idea to look at the use of the network and conduct random computer security checkups on a quarterly basis for every remote employee,” Harrison says.
Companies, meanwhile, need to balance the desire for cybersecurity with privacy concerns. “Employee privacy definitely comes into this,” Rasch says. “You’re extending monitoring into the employees’ homes. That can be a tremendous invasion of privacy.”
A Work-from-Home Future?
Barracuda found that 56% of respondents to its survey planned to continue widespread remote working after the COVID-19 crisis passes. Similarly, Gallup has predicted that 25% to 30% of the global workforce will be working from home multiple days a week by the end of 2021 and that 77% of the workforce wants to continue remote working, at least weekly, when the pandemic is over. Organizations such as Twitter have already said they will allow their employees to work from home for the foreseeable future. “Businesses are adapting to working from home and the trend’s not going anywhere but up,” says Harrison.
That means companies must consider their policies for remote working long-term. Krantz points out that the policies at the peak of the COVID era, when virtually all employees at many companies have worked from home full-time, may not be the same as an ongoing remote work policy, which might involve only certain employees for specific purposes or occasions. Thus the policies developed for the crisis will need to be reviewed and readjusted as time goes on.
In some ways, the pandemic is hastening shifts that were already happening. “COVID has accelerated these issues but they’re not really new,” Rasch explains. “There’s no such thing as work time and not-work time any more.” He advises being strategic when developing permanent work-from-home policies. “Think before you leap. Take a methodical approach that is risk-based and not one-size-fits all.”
Small and mid-sized companies can turn to service providers for help in developing policies, ensuring that the right technology is in place, training employees, addressing problems, and monitoring over time. “There are solutions available for businesses that don’t have the resources or technology to do it well,” says Harrison. “The important thing is to do something to protect your data.”