Mark McCreary, with Fox Rothschild.

In the weeks leading up to the issuance of stay-at-home orders, forward-looking businesses took that time to ensure that VPN connections and remote virtualization solutions were robust enough to handle the sudden barrage of users. This time was especially a challenge because most businesses had not planned on having every employee working remotely, so critical infrastructure and data lines had to be built and strengthened quickly. With information technology departments and business leaders focused on traditional information technology and business continuity priorities, promoting best data security practices was merely an afterthought, if a thought at all.

Four months later we see past and current evidence that businesses have never been more at risk than they are with a remote or mixed workforce. Having assisted clients dealing with these issues both proactively and in response to incidents, I have seen themes and constants emerge. I want to share the 10 things that I have observed that conclusively make remote working so much more dangerous than the office, and what your business can do to succeed in this new reality.

• Distractions. If you previously thought Gary was a distraction in the office, I am confident you now find he was nothing compared to the distractions in your work-at-home space. Workers are dealing with young children, surly teenagers and young adults forced to return from college right when they got into the groove of dorm life. Spouses are sharing workspaces, dogs are barking at squirrels, and suddenly rearranging drawers feels like a great way to spend workday hours. All of these are distractions that may lead to employees making mistakes, opening emails that would have seemed like a scam just a few months ago, and falling for emails from a "boss" requesting the purchase of gift cards for a client. Encouraging employees to remain attentive by regular reminders will improve their focus.
• Scams. From the immediate outset of the COVID-19 pandemic, businesses saw an increase in direct attacks, scams, spear phishing and ransomware. Scammers are not dumb. They know when their targets are the most vulnerable. Right now, with workers having transitioned to at-home working, some even switching back and forth between home and their office as businesses reopen, we are all the most vulnerable. Scams for COVID-19 relief charities remain common, but what has increased the most by far has been phishing scams leading to business email compromises and ransomware. Increasing the sensitivity of technology solutions designed to detect and prevent phishing, as well as regular reminders to employees, will help reduce the effectiveness of these scams.
• Working from devices. Both anecdotal evidence and studies have shown that when we work from smartphones we are much more likely to become victims of scams or otherwise make mistakes that we simply would not make on a personal computer. When we read email on our Apple and Android devices, it's harder to see when an email is being spoofed. We also tend to move more quickly, not pay attention to details, and otherwise not have the safety and security benefits that we would have on personal computers. Encouraging employees to limit transacting business on personal devices, instructing employees that if anything seems off about an email to scroll to the top and closely read the email address, and rolling out containerization services to personal devices are all excellent ways to limit these risks.
• Using work devices for personal purposes. As the workforce takes home laptops and PCs from work, inevitably employees will be using work devices for personal use. As employees use business-issued computers on home Wi-Fi connections (which may not be secure themselves), and they visit web pages that may be compromised, the device becomes subject to possible infiltration. A compromised device puts the business's systems at risk, which is a risk that generally did not previously exist. It is important for a business to both limit personal use of company-issued devices, but also to implement security solutions that will help to limit this exposure.
• Training stops. If your business conducted regular data security training for employees, it is likely that training stopped when the workforce transitioned to remote working. Data security professionals have stressed for years the importance of having constant reminders to employees of the dangers they face, and regular data security training has been a crucial part of that effort. As the workforce has begun working remotely, many businesses have felt challenged to continue that training, while others have simply forgotten or deemed that training to be low priority. By adapting existing training regimens, or even adopting new procedures, you can ensure that your workforce will have the necessary reminders about data security, and learn about new traps and dangers.
• Patching ceases. Thanks to many high profile data incidents and Microsoft's efforts to push Patch Tuesday, most businesses have become very good at keeping the software on their computers patched against malicious threat. Unfortunately, many businesses suspended this practice for technological or practice purposes when remote working started. Those that have suspended patching have vulnerable devices that are much more susceptible to attack and compromise. Even those business that have continued to patch are not immune from attack if they implement a BYOD policy where employees use their own devices to connect remotely. Those personal devices themselves may not be patched properly and regularly, which may put the entire enterprise at risk. Priority should be given to patching servers and company-issued personal computers, as well as instructing employees on how to patch their own devices for BYOD programs.
• Departing staff. Employees leave employers, both voluntarily and involuntarily, even during a pandemic. Your business likely has processes in place to ensure that sensitive data of the company is retrieved before the employee departs. In fact, it may be unlikely that in the "Before Times" your employees would even have access to sensitive data. But those employees have been working at home for the past four months. Depending on what restrictions you have in place, that departing employee may have a veritable treasure trove of sensitive company data in their hands about which you are unaware and you cannot retrieve. New processes should be incorporated into the off-boarding process to ensure that data and sensitive materials are retrieved or destroyed, including a written affirmation of the same from the departing employee.
• Bad connections lead to working offline. If your resources are not reliable, or the employee herself does not have an adequate Internet connection, such that the experience is frustrating and keeps her from working, eventually that employee is going to stop working as you intended. The employee may start forwarding emails to her personal email account, or downloading and/or sharing files from personal file share services (e.g., Dropbox). In extreme cases, she may download files to a thumb drive to transfer to her own personal computer. In all of those cases, duplicate copies of company data are created that are entirely untraceable, cannot be recalled, and will almost certainly not be deleted for years if ever. All of that data is subject to loss and further disclosure if there is a compromise of the personal email account or file share account, or a compromise, sale, or theft of the personal computer. Reminding employees to not transmit business data over or to personal email, file share services, and UDB devices is the bare minimum option, and your company should strongly consider blocking access completely.
• Limited IT staff. With staff being furloughed, terminated, or having hours reduced, there may be limited information technology staff to keep systems safe, provide assistance to users, and plan for future security upgrades. As a result, the same attention cannot be focused on securing environments, maintaining upgrades, and assisting users. When information technology staff is augmented by third parties, additional risks materialize. Businesses should be mindful of the harms that can come from reducing information technology staff and the use of third parties that are unfamiliar with your systems, data, and staff.
•  Data incidents not reported. When employees work from a traditional office, it is easier to discover data incidents than when the same employees are working remotely. Incidents are more easily detected by security controls in place, and employees are likely to report a data incident so that it could be dealt with promptly. While working remotely we have consistently seen employees fail to report suspected or known data incidents. It may be because there is a feeling of anonymity (that does not exist) or a fear of severe punishment or termination in these times where no job feels secure. You should create a culture where data incidents should be reported quickly with little fear of retribution.

Mark G. McCreary is co-chair of the privacy and data security practice at Fox Rothschild. He focuses his practice on compliance with privacy-related laws, rules and regulations as well as responses in the event of a data breach. He can be reached at [email protected].