COVID-19 Cyber Threats Abound: A Checklist to Protect Your Remote Workforce
The COVID-19 pandemic has changed the conversation around remote work. As more employees work remotely, law firms must employ security best practices to ensure that the extended reliance on the cloud doesn't expose sensitive data or cripple daily operations.
April 28, 2020 at 10:00 AM
9 minute read
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
The COVID-19 pandemic has changed the conversation around remote work. Today the challenge is less about gaining flexibility and a competitive edge. Rather, the conversation has moved to social isolation, self-imposed and forced quarantines and sobering questions about business continuity. This is a real challenge in the face of a viral outbreak that is predicted to affect our communities on a level not seen in decades.
If there's an upside to this unsettling period, it's that the same cloud that irrevocably changed the way companies do business in recent years will now help them navigate through this pandemic. By enabling remote work in response to this crisis, companies will emerge nimbler, more technologically sound and more productive.
As more employees—or all employees in most organizations—work remotely, law firms must employ security best practices to ensure that the extended reliance on the cloud doesn't expose sensitive data or cripple daily operations.
Following is a practical checklist of systems, technologies and processes to consider when evolving your firm for remote work and selecting your cloud technology provider.
|Securing your Remote Workforce
There are many remote work strategies and controls that law firms can implement in order to significantly reduce the likelihood of a data breach, limit exposure of sensitive information and maintain security in a virtual office scenario.
All firms relying on a remote workforce should be implementing the following measures in order to ensure the safest possible environment.
- Password Requirements. Passwords are the first line of defense against unauthorized access to your systems and information. You should have strict requirements for employee passwords that ensure length, complexity and randomness. Changing passwords at frequent intervals and using a password manager are also recommended.
- Multifactor Authentication Policy. Multifactor authentication is one of the best ways to prevent unauthorized access to email accounts and systems. A multifactor authentication policy requires a user to have two pieces of information to gain access, not simply a password. This prevents attackers from gaining entry even if user passwords or credentials have been compromised.
- Role-Based Access Control. Role-based access control is a neutral access policy that restricts every user's access rights on the basis of the role played within the organization, with specific access granted to specific roles. Also known as a zero trust model, this approach restructures access within your firm's systems based on a "never trust, always verify" philosophy targeted specifically at preventing improper access.
- Strong Encryption at Rest and in Transit. Strong encryption is crucial to protecting your data from outside eyes, and you need to be sure that your data is secure at all times, regardless of where it is or how it's being used. Strong encryption must be in place when data is at rest, or simply residing in your system, as well as when it's in transit, or moving from one location to another. Equally important, you must know who has access to the encryption keys at all times.
- BYOD or Company-Supplied Hardware. Many employees use their own devices to access firm data and track and manage time and communications, but the better practice is for the firm to supply hardware that is consistent, secure and managed as part of a best practices IT strategy. That way, remote workers will not require huge IT overhead to support their hardware or activity.
- Meeting Recording and Transcriptions. Virtual meetings offer convenience, but audio/video challenges and file sharing can sometimes be complicated. We suggest an organization standardize on a widely used virtual meeting system with a robust mobile app. There are many inexpensive, accurate and fast services. Record the meetings and then store transcripts of what was discussed, thereby creating and preserving an official record and minutes of the meeting.
- Proactive Security Monitoring with AI Behavior-Based Protection. Proactive security monitoring is crucial to detecting threats before they wreak havoc on your systems. Behavior-based security measures that incorporate advanced AI and machine learning are designed to proactively monitor all activities in order to identify anomalies and deviations from normal patterns. This monitoring then offers a protective response as soon as a threat is detected.
- Auditing, Training and Planning. Aside from the specific tools and measures outlined above, dedicate firm resources to the prevention of cybersecurity threats on all fronts. This includes performing regular cybersecurity audits of your own networks and systems, requiring employees to undergo regular training in security best practices and revising your overall incident response plan as the cybersecurity threat continues to evolve.
Business Continuity and Disaster Recovery
The novel coronavirus is spreading quickly despite the best efforts of government, health care, private business and public organizations. That's why it's important for all organizations to include pandemic planning and remote work protocols in place that ensure the continuity of business and to allow organizations to adopt a WFH (work from home) model in the event of an infection or quarantine.
The following measures are key for business continuity and disaster recovery.
- Knowledge is power when it comes to bouncing back from a crisis. It's crucial that the firm be transparent about the current health risks and emphasize every measure taken to protect employee health and job satisfaction.
- Communications to Clients. Share the steps and technologies that the firm is using with your clients so they understand your preparedness and the attorney/client trust relationship is protected.
- Clear Terms of Service and Privacy Policy. All firms today need to have clear terms of service and privacy policies in place that inform clients how their personal data and information is managed and protected. Part of those policies should include a clear statement of the firm's remote work protocols and protections.
- Data Segmentation. Employing data segmentation practices in advance will help with continuity and recovery. Using a private cloud isolates your data from the data of other companies, because you're not sharing infrastructure when you are in a public multi-tenant cloud. Data mirroring, or the practice of maintaining exact, real-time copies of data in another location, eliminates single points of failure and ensures that you still have access to your data if one server is compromised.
- 999% Uptime. Remote access depends on your systems being as available as possible. Some cloud service providers promise 99.9% uptime, which may sound great, but in reality that translates to your systems being unavailable for hours at a time a few days each year. You want your providers to offer 99.999% uptime, often noted as "five nines," which means you'll have less than 10 minutes of total downtime in any given year.
- Round-the-Clock Support. A seamless remote work environment will require access to technical support for all of the systems, applications and products you use. Because you can never predict when a breach or disruption might happen, it's critical that providers offer 24/7 support.
- Immediate Failover Capabilities. In computing, failover is a process for switching to a standby or redundant technology if a server, system, network or program is compromised or otherwise made unavailable. If you can't afford any downtime, you need to make sure you have immediate failover capabilities in place across the board to ensure continuity.
- Having backups for networks, systems and other technology is critical to ensuring continuity and avoiding downtime, but they're only useful if you know they work. You should not only be making a point of regularly backing up your data and systems, you should also regularly test and verify your backups to make sure they'll function when you actually need them.
- If you need to terminate the use of a technology or a relationship with a provider due to a breach, you need to have clear processes in place. Among other things, they should guarantee a timeline for recovering any compromised data and make clear who owns that data after termination.
Remote Access Application Due Diligence
Ensuring secure remote access starts with choosing the right platforms and applications. A major factor that should play into any decision to use a particular application or provider is the security measures offered. Proper due diligence requires consideration of the following features:
- Strong Encryption at the Database Layer. Your applications should offer AES 256 encryption, which is the most secure encryption offered commercially today.
- Any technology you use must provide strong password protection. You should also look for single sign-on, which allows you use one set of login credentials to access multiple applications.
- Role-Based Access. Your applications should allow you to restrict access to certain systems or data based on the role and responsibility level of each user.
- User Activity Log. All applications should automatically keep and provide access to a record of their operating trends, baseline metrics and any security incidents that might arise.
- User Information. Technology is only helpful if your people know how to use it. Look for applications that offer educational reference materials like an indexed knowledge base, context-sensitive guidance and user communities.
- Client Portals. Law firms operate under intense time demands, and often it's helpful for clients to engage in self-service. Look for tools that offer client portals, so your clients can access basic information, check status and collaborate on documents without having to wait for a lawyer's intervention.
- Mobile Apps. Today's lawyers are mobile and their tools need to go wherever they go. Look for technologies that offer secure mobile apps for access from anywhere at any time.
Be Proactive
The immediate need to support remote work has brought with it an increasingly complex and risky cybersecurity landscape. Thinking proactively about remote work strategy and controls, business continuity and disaster recovery and application management when choosing or monitoring a cloud provider is the best way to prevent cybersecurity breaches before they happen.
Tomas Suros is a technology advocate working at the intersection of IT and client consulting. With AbacusNext since 2004, he currently serves as global director of product marketing, guiding firms through the process of identifying forward-facing technology options and ensuring the successful implementation of a tailored solution. He can be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1'Largest Retail Data Breach in History'? Hot Topic and Affiliated Brands Sued for Alleged Failure to Prevent Data Breach Linked to Snowflake Software
- 2Former President of New York State Bar, and the New York Bar Foundation, Dies As He Entered 70th Year as Attorney
- 3Legal Advocates in Uproar Upon Release of Footage Showing CO's Beat Black Inmate Before His Death
- 4Longtime Baker & Hostetler Partner, Former White House Counsel David Rivkin Dies at 68
- 5Court System Seeks Public Comment on E-Filing for Annual Report
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250