With more and more organizations responding to growing COVID-19 disruptions by allowing employees and students to work from home via the internet, the surge in inexperienced remote workers is creating a host of potential cybersecurity threats that in-house counsel need to quickly address, expert lawyers said.

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency on March 13 issued an alert encouraging organizations that move to remote work "to adopt a heightened state of cybersecurity," citing an escalated risk of phishing and malware attacks and ransomware during the novel coronavirus pandemic.

"As organizations use VPNs [virtual private networks] for telework, more vulnerabilities are being found and targeted by malicious cyber actors," it said.

General counsel and their chief information security officers ideally would have planned in advance and established or reinforced their policies and procedures regarding telework, but events are moving too quickly now in many instances, and they will have to play catchup while dealing with other urgent matters, lawyers said.

David Newman, head of the coronavirus task force at Morrison & Foerster and partner in the global risk and crisis management group in Washington, D.C., said, "the top line to general counsel is that even with everything else going on, they need to appreciate that cybersecurity risks must remain front-of-mind.

"The No. 1 thing is to continue to ask about the cybersecurity risk of your actions. Think of how much worse it would be with a ransomware attack," he said. 

Bryan Cave Leighton Paisner's Jena Valdetero, co-leader of the firm's data privacy and security team in Chicago and head of its data breach response team, said, "Hackers love exploiting weakness and they know the entire world is distracted."

Here are some pointers from these lawyers and other sources about how general counsel and their staff can get ahead of the problems:

1. Make sure your organization's information technology department has support.

"You have IT systems and IT staff that are stressed in a way that is unprecedented, and you have just a general set of circumstances in which people are rushing and scrambling to get through the day and meet their business needs and all that adds up to a case of real risk," Newman said. It's important to make sure these departments have the resources they need to do their jobs. "The CISO [chief information security officer] and/or CIO has to have a seat at the table during these discussions and they need to be thinking about the risks of teleworking and vendors and remote work and contractual relations, and reading the actual contracts is an important step."

2. Help employers make sure there is enough equipment for remote workers, and that it is properly configured with security software to ensure that data accessed on it remains secure. 

Many organizations, including schools, are distributing laptops and tablets for the first time to new users, and they need to have the correct security software installed. Consider encrypting hard drives, said Bryan Cave's Valdetero.  

Also, some remote workers may be using their own equipment that may not be properly configured and may therefore have security vulnerabilities. If workers must use personal equipment, the company should provide a VPN for connections and require multifactor authentication to log in. 

3. Work with security experts to establish, or reinforce, policies around the use of company equipment and network access.

In-house lawyers should help their employers establish clear guidelines around acceptable internet connections and the types of devices they use to connect to the company's network. For instance, employees should not use unsecured WiFi, and use the enterprise's virtual private network only.

Establish best practices and make sure they are properly communicated: "If you don't want them to go to the library and log on, tell them that." Give clear and specific instructions, like "don't connect from a WiFi connection where you don't have to enter a password," she said. "Be realistic about human beings and how they will take shortcuts to get work done."

Make clear that company-issued laptops and other equipment are to go home and stay there, and specify what employees should do in case of lost or stolen equipment in order to prevent data breaches. Remind employees including top executives to turn on multifactor authentication. 

As for the organization's network itself "whatever you [employers] can do to mitigate against threats you should do—increased monitoring, logging and monitoring suspicious logins when people are logging in from multiple suspicious addresses," she said. "It will be worth the investment." 

4. Consider that in some instances, it may be better to have some nonessential personnel take leave rather than work remotely.  

"If you are a highly regulated industry, they may not be able to work from home because the data security requirements cannot be met," Valdetero said. "If you can't meet those standards, maybe you should not let them work from home."

"I would also caution employers to think about labor and employment legal issues, there is an intersection between Fair Labor Standards Act and making sure you don't run afoul of those" with increased remote work, she said.

5. Warn all employees about the heightened risk of phishing, malware and other cyber threats connected to the COVID-19 outbreak.

"I think it is fair to say that first-time teleworkers are all at high risk of malicious attacks," Newman said. "Local governments of all kinds including schools are particularly attractive targets for these types of attacks."

Even the U.S. Department of Health and Human Services apparently was targeted in a DDoS, or distributed denial of service, cyberattack Sunday that may have been the result of a foreign state, according to Bloomberg News. HHS said the attacks weren't successful.

Tell employees to double-check before complying with any unusual directives from higher-ups. Some phishing attacks come disguised as instructions from higher-ups to wire transfer funds, for example. 

Also, as after many disasters, charity and relief scams abound, so remind employees in corporate communications not to click on links and attachments of which they are unsure, the lawyers said. Also, many phishing emails are circulating purporting to be COVID-19 updates or information.

6. In cooperation with chief information security officers and chief security officers, review contracts with vendors, clients and customers with respect to cybersecurity.

"This [situation] is unprecedented and they may choose to do things that aren't strictly in the letter of their contracts. Reading the actual contracts is an important step," Newman said. This includes contracts with outside cybersecurity service providers and other support vendors.

As well, take time to review data breach insurance and similar policies for coverages and exposures, the lawyers said.

7. Finally, print out a list of internal and external emergency contacts and have them ready in case of a data breach or another emergency.

"Two things will help your business survive if you are [data] breached: Timing and communication," said Valdetero. That is, how quickly you respond to the data breach to cut off access by intruders, investigate and notify stakeholders. Printing out the list will ensure access to it even if the network is down or access cut off.

"This is the first time in recent history our country has had to deal with something like this," Valdetero said. "We are all learning as we go, but fortunately for us, because we have been moving much more toward a remote-working culture in recent years and, we are far better equipped to handle this in 2020 than we would have been even 20 years ago. We just need to be mindful that there are some risks and try to mitigate them."

Read More: