COVID-19 Places Company Information at Risk
An increasing number of employers have made their workforces remote in response to the developing COVID-19 situation. For many of these employers (and their workforces), this is the first time they have had cause to look closely at their remote work cybersecurity policies. When remote programs are implemented hastily, there is a risk that necessary protective controls will be overlooked. Unfortunately, cybercriminals are currently taking advantage of this, and COVID-19 phishing scams, hacking attempts, and cyber-attacks are on the rise. Many of these attacks are specifically targeting C-suite employees in the hopes of accessing more valuable or sensitive company information.
To mitigate these risks, it is important that employers review their cybersecurity policies with their IT teams and confirm that their workforce is both aware of, and complying with, those policies. This is particularly important where an employer’s workforce is inexperienced with remote working and may be unaware of the relevant policies.
To help avoid a cyber incident during this time, employers should provide clear security guidance to all remote employees. The more employees think about cybersecurity controls, the less likely an incident is to occur, which decreases the risk to vital company information. To promote sound information security practices, employers should consider taking the following general steps:
- Remind employees what kinds of information are considered confidential or sensitive by the company, including business plans, designs, client or supplier information, internal work product, intellectual property, etc.;
- Offer training resources or procedures that employees can follow while working remotely;
- Give employees lists of “Do-Nots” or common mistakes that they should completely avoid; and
- Ensure that employees have access to the necessary IT professionals in the event that they have questions or encounter a cybersecurity incident.
The specific cybersecurity controls that employers implement will vary based on the nature of the company’s business and the types of remote access tools at their disposal (e.g., virtual private network vs. virtual desktop); however, there are some issues that will likely need to be addressed in any information security program, such as:
- Restricting the use of unsecured home or public networks and, if available, encouraging the use of virtual private networks. For companies that do not use virtual private networks as part of their IT infrastructure, employees should be instructed to maintain updated and robust security software, firewalls, and passwords on their home networks and devices.
- Requiring employees to access company information and systems only when using company-issued devices that are loaded with the company’s approved software packages.
- Using multi-factor authentication to verify remote access to any company information or systems.
- Encrypting remote access using industry standard cryptography (i.e., a minimum of 256-bit encryption).
- Using secure file transfer protocols (e.g., SFTP or HTTPS).
- Restricting the use of webmail and cloud storage applications that lack the company’s security programs and are outside the company’s control.
- Implementing procedures that can be used by company employees to verify certain sensitive messages (e.g., wire instructions) when it is impossible for employees to conduct in-person conversations or reliably connect over VoIP devices.
The more security guidance that an employer can give its workforce during a period of remote work, the safer the company will be from a data breach or cybersecurity incident. Talk with your IT leads, and confirm that your employees have received the appropriate training in cybersecurity for remote work.
For any Coronavirus-related legal questions, please contact a member of V&E’s Coronavirus Taskforce or visit our Coronavirus: Preparation & Response site for a list of contacts and additional resources we hope will be helpful.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.