Mark McCreary, with Fox Rothschild.The Dangers of Remote Working and How to Adapt
With information technology departments and business leaders focused on traditional information technology and business continuity priorities, promoting best data security practices was merely an afterthought, if a thought at all.
July 16, 2020 at 12:34 PM
8 minute read
In the weeks leading up to the issuance of stay-at-home orders, forward-looking businesses took that time to ensure that VPN connections and remote virtualization solutions were robust enough to handle the sudden barrage of users. This time was especially a challenge because most businesses had not planned on having every employee working remotely, so critical infrastructure and data lines had to be built and strengthened quickly. With information technology departments and business leaders focused on traditional information technology and business continuity priorities, promoting best data security practices was merely an afterthought, if a thought at all.
Four months later we see past and current evidence that businesses have never been more at risk than they are with a remote or mixed workforce. Having assisted clients dealing with these issues both proactively and in response to incidents, I have seen themes and constants emerge. I want to share the 10 things that I have observed that conclusively make remote working so much more dangerous than the office, and what your business can do to succeed in this new reality.
- Distractions. If you previously thought Gary was a distraction in the office, I am confident you now find he was nothing compared to the distractions in your work-at-home space. Workers are dealing with young children, surly teenagers and young adults forced to return from college right when they got into the groove of dorm life. Spouses are sharing workspaces, dogs are barking at squirrels, and suddenly rearranging drawers feels like a great way to spend workday hours. All of these are distractions that may lead to employees making mistakes, opening emails that would have seemed like a scam just a few months ago, and falling for emails from a "boss" requesting the purchase of gift cards for a client. Encouraging employees to remain attentive by regular reminders will improve their focus.
- Scams. From the immediate outset of the COVID-19 pandemic, businesses saw an increase in direct attacks, scams, spear phishing and ransomware. Scammers are not dumb. They know when their targets are the most vulnerable. Right now, with workers having transitioned to at-home working, some even switching back and forth between home and their office as businesses reopen, we are all the most vulnerable. Scams for COVID-19 relief charities remain common, but what has increased the most by far has been phishing scams leading to business email compromises and ransomware. Increasing the sensitivity of technology solutions designed to detect and prevent phishing, as well as regular reminders to employees, will help reduce the effectiveness of these scams.
- Working from devices. Both anecdotal evidence and studies have shown that when we work from smartphones we are much more likely to become victims of scams or otherwise make mistakes that we simply would not make on a personal computer. When we read email on our Apple and Android devices, it's harder to see when an email is being spoofed. We also tend to move more quickly, not pay attention to details, and otherwise not have the safety and security benefits that we would have on personal computers. Encouraging employees to limit transacting business on personal devices, instructing employees that if anything seems off about an email to scroll to the top and closely read the email address, and rolling out containerization services to personal devices are all excellent ways to limit these risks.
- Using work devices for personal purposes. As the workforce takes home laptops and PCs from work, inevitably employees will be using work devices for personal use. As employees use business-issued computers on home Wi-Fi connections (which may not be secure themselves), and they visit web pages that may be compromised, the device becomes subject to possible infiltration. A compromised device puts the business's systems at risk, which is a risk that generally did not previously exist. It is important for a business to both limit personal use of company-issued devices, but also to implement security solutions that will help to limit this exposure.
- Training stops. If your business conducted regular data security training for employees, it is likely that training stopped when the workforce transitioned to remote working. Data security professionals have stressed for years the importance of having constant reminders to employees of the dangers they face, and regular data security training has been a crucial part of that effort. As the workforce has begun working remotely, many businesses have felt challenged to continue that training, while others have simply forgotten or deemed that training to be low priority. By adapting existing training regimens, or even adopting new procedures, you can ensure that your workforce will have the necessary reminders about data security, and learn about new traps and dangers.
- Patching ceases. Thanks to many high profile data incidents and Microsoft's efforts to push Patch Tuesday, most businesses have become very good at keeping the software on their computers patched against malicious threat. Unfortunately, many businesses suspended this practice for technological or practice purposes when remote working started. Those that have suspended patching have vulnerable devices that are much more susceptible to attack and compromise. Even those business that have continued to patch are not immune from attack if they implement a BYOD policy where employees use their own devices to connect remotely. Those personal devices themselves may not be patched properly and regularly, which may put the entire enterprise at risk. Priority should be given to patching servers and company-issued personal computers, as well as instructing employees on how to patch their own devices for BYOD programs.
- Departing staff. Employees leave employers, both voluntarily and involuntarily, even during a pandemic. Your business likely has processes in place to ensure that sensitive data of the company is retrieved before the employee departs. In fact, it may be unlikely that in the "Before Times" your employees would even have access to sensitive data. But those employees have been working at home for the past four months. Depending on what restrictions you have in place, that departing employee may have a veritable treasure trove of sensitive company data in their hands about which you are unaware and you cannot retrieve. New processes should be incorporated into the off-boarding process to ensure that data and sensitive materials are retrieved or destroyed, including a written affirmation of the same from the departing employee.
- Bad connections lead to working offline. If your resources are not reliable, or the employee herself does not have an adequate Internet connection, such that the experience is frustrating and keeps her from working, eventually that employee is going to stop working as you intended. The employee may start forwarding emails to her personal email account, or downloading and/or sharing files from personal file share services (e.g., Dropbox). In extreme cases, she may download files to a thumb drive to transfer to her own personal computer. In all of those cases, duplicate copies of company data are created that are entirely untraceable, cannot be recalled, and will almost certainly not be deleted for years if ever. All of that data is subject to loss and further disclosure if there is a compromise of the personal email account or file share account, or a compromise, sale, or theft of the personal computer. Reminding employees to not transmit business data over or to personal email, file share services, and UDB devices is the bare minimum option, and your company should strongly consider blocking access completely.
- Limited IT staff. With staff being furloughed, terminated, or having hours reduced, there may be limited information technology staff to keep systems safe, provide assistance to users, and plan for future security upgrades. As a result, the same attention cannot be focused on securing environments, maintaining upgrades, and assisting users. When information technology staff is augmented by third parties, additional risks materialize. Businesses should be mindful of the harms that can come from reducing information technology staff and the use of third parties that are unfamiliar with your systems, data, and staff.
- Data incidents not reported. When employees work from a traditional office, it is easier to discover data incidents than when the same employees are working remotely. Incidents are more easily detected by security controls in place, and employees are likely to report a data incident so that it could be dealt with promptly. While working remotely we have consistently seen employees fail to report suspected or known data incidents. It may be because there is a feeling of anonymity (that does not exist) or a fear of severe punishment or termination in these times where no job feels secure. You should create a culture where data incidents should be reported quickly with little fear of retribution.
Mark G. McCreary is co-chair of the privacy and data security practice at Fox Rothschild. He focuses his practice on compliance with privacy-related laws, rules and regulations as well as responses in the event of a data breach. He can be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Philadelphia Bar Association Executive Director Announces Retirement
3 minute read
Phila. Attorney Hit With 5-Year Suspension for Mismanaging Firm and Mishandling Cases
4 minute readTrending Stories
- 1Gibson Dunn Sued By Crypto Client After Lateral Hire Causes Conflict of Interest
- 2Trump's Solicitor General Expected to 'Flip' Prelogar's Positions at Supreme Court
- 3Pharmacy Lawyers See Promise in NY Regulator's Curbs on PBM Industry
- 4Outgoing USPTO Director Kathi Vidal: ‘We All Want the Country to Be in a Better Place’
- 5Supreme Court Will Review Constitutionality Of FCC's Universal Service Fund
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
