Don't Forget About Cyber Hygiene During Coronavirus (COVID-19) Outbreak
Management should be coordinating with the Human Resources (HR) and Information Technology (IT) departments to establish security controls and ensure employees are properly trained on those controls in the remote work context.
March 06, 2020 at 11:46 AM
As organizations prepare for certain contingency work arrangements in response to the coronavirus (COVID-19) outbreak, companies must also focus attention on ensuring appropriate cyber hygiene. Companies are anticipating more individuals working remotely from the safety of their own homes to avoid contracting the virus, and other companies are planning for potential quarantines and school closings. The flexibility of working remotely, however, involves real cybersecurity risks that companies should be aware of and work to mitigate in the face of the COVID-19 outbreak. With increased remote work, there is increased risk of employees accessing data through unsecured and unsafe Wi-Fi networks, using personal devices to perform work, and not following general security protocols established by the company. As individuals are approved or otherwise authorized to work remotely, there must be a multi-departmental focus on maintaining proper controls. Management should be coordinating with the Human Resources (HR) and Information Technology (IT) departments to establish security controls and ensure employees are properly trained on those controls in the remote work context.
Companies should have a protocol in place for secured remote access to company networks. Where possible, such connections should be through a virtual private network (VPN), which routes the connections through the company's private network, or another encrypted connection mechanism. Where employees can remotely access sensitive information on the network, VPNs should be configured with multi-factor authentication (MFA) as an added security layer. With MFA enabled, even if an employee's VPN credentials are compromised, an unauthorized actor will be unable to connect through the VPN without a second factor (e.g., a code sent to an individual's smartphone, a token, or biometric verification). The IT Department should ensure firewalls are properly configured and monitor firewall logging to identify attempted or successful connections from unauthorized or suspicious Internet Protocol (IP) addresses. If there are regions of the country and/or world from which employees would have no reason to be remotely connected to the company network, the IT Department can proactively "blacklist" the IP ranges for those geographic regions to prevent connections. This may not be possible for a multinational company where employees may be scattered throughout the world, but it can be an effective measure for smaller companies or those with a regional presence.
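As an illustration of the firewall log review described above, the following sketch flags attempted and successful connections from blocked IP ranges. It is an added example, not part of the original article; the log format, the user names and the ranges (RFC 5737 documentation blocks) are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges (RFC 5737 documentation blocks) standing in
# for regions from which no employee should connect.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample lines in a made-up key=value format; adapt the parser
# to the firewall's real log format.
SAMPLE_LOG = """\
2020-03-06T09:01:12Z action=allow src=192.0.2.10 dst=10.0.0.5 dport=443 user=alice
2020-03-06T09:02:40Z action=deny src=203.0.113.77 dst=10.0.0.5 dport=443 user=bob
2020-03-06T09:02:41Z action=deny src=203.0.113.77 dst=10.0.0.5 dport=443 user=bob
2020-03-06T09:05:03Z action=allow src=198.51.100.23 dst=10.0.0.5 dport=443 user=carol
2020-03-06T09:06:00Z action=allow src=not-an-ip dst=10.0.0.5 dport=443 user=dave
""".splitlines()

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; return None if unusable."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        fields["src"] = ipaddress.ip_address(fields["src"])
    except (KeyError, ValueError):
        return None  # missing or malformed source address
    fields["time"] = parts[0]
    return fields

def review_connections(lines, blocked=BLOCKED_RANGES):
    """Return (findings, unparsed_count) for sources inside blocked ranges."""
    counts, unparsed = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count these: unparsed lines are a blind spot
            continue
        if any(rec["src"] in net for net in blocked):
            # 'allow' from a blocked range means the block rule is missing or bypassed.
            kind = "successful" if rec.get("action") == "allow" else "attempted"
            counts[(str(rec["src"]), kind)] += 1
    return sorted(counts.items()), unparsed

if __name__ == "__main__":
    print(review_connections(SAMPLE_LOG))
```

A "successful" finding warrants immediate follow-up, since it shows the block rule did not take effect for that range.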
Personal devices are more likely to be used when employees are working remotely, and such use presents additional cybersecurity risks given the lack of corporate control over the devices. Where mobile devices (e.g., mobile phones, tablets, laptops) are permitted to connect to the corporate network, companies should ensure those devices are equipped with mobile device management (MDM) software. MDM software allows the corporate IT Department to manage such devices by ensuring that the devices are configured to consistent standards, scheduling updates and patches for the devices and applications contained thereon, tracking location of devices, and, in circumstances where such devices are lost or stolen, permitting the devices to be remotely wiped.
Prior to authorizing remote connection to the corporate network, employees should have adequate training on acceptable use policies, the logistics of connecting to the network, appropriate use of Wi-Fi, and steps to take if a security incident or other compromise is suspected or identified. While these subjects are often covered in annual employee trainings, if your company is seeing increased remote work, now is a good opportunity to provide a training update or informal security reminders. Regardless of the efforts of the company and the sophisticated security measures put in place to create a safe environment for remote workers, the risk of human error will always exist.
As your company takes steps to promote physical health in the face of the COVID-19 outbreak, you should also consider how your company can enhance cybersecurity through proper security controls and employee training. It is important to remember that all companies are different, and varying controls and procedures may be appropriate depending on the size and complexity of the company, as well as the sensitivity of the information maintained by the company.
Alisa Chestler, a shareholder in the Nashville and Washington, D.C. offices of Baker Donelson, concentrates her practice in privacy, security and records management issues; health care and insurance regulatory compliance; and corporate transactions matters. She can be reached at [email protected].
An associate in Baker Donelson's Nashville office, Alexandria Murphy concentrates her practice in data privacy and security issues, along with health care and insurance regulatory compliance matters. She can be reached at [email protected].