From left: David J. Oberly and Jeffrey N. Rosenthal of Blank Rome.Combating Insider Threats Posed by Remote Workers in the Time of COVID-19
Remote working increases the risk of insider threats arising from employee negligence. Given the state of the world, employees may be prone to distraction and mixing personal online endeavors with their work-related activities.
July 27, 2020 at 01:37 PM
7 minute read
Insider threats—i.e., security risks originating from within an organization—have been on the rise. The average cost of an insider attack has grown by 31% to $11.45 million per incident in the last two years alone. And the current pandemic—and resulting transition to long-term remote work arrangements—has significantly enhanced these already-sizable risks in several ways.
|Increased Threats Posed by COVID-19 and Remote Working
Remote working increases the risk of insider threats arising from employee negligence. Given the state of the world, employees may be prone to distraction and mixing personal online endeavors with their work-related activities. This, in turn, raises the likelihood cyber criminals' targeted phishing campaigns and other attacks will prove successful. Employees may often fail to utilize safe computing practices while working outside the office, leaving remote devices susceptible to cyber attacks. Working from home also brings significant technical vulnerabilities—like insecure network connections—further increasing opportunities for cyber criminals to carry out attacks.
At the same time, remote working also enhances the risk of insider threats arising from intentional, malicious actors. The effectiveness of traditional organizational security controls to monitor and flag inappropriate online employee activity may be significantly diminished in remote work environments. This can result in reduced visibility over what employees are doing and the information they access. In addition, many companies that were ill-prepared to make an immediate transition to full-scale remote working have been forced to provide increased privileges and access to maintain productivity levels while employees work from home, greatly boosting the opportunities available for malicious insiders to exploit organizational networks and sensitive data.
Significantly, these heightened insider threat risks will continue apace even after COVID-19 is in our rear-view mirror, especially as many companies implement remote working on a permanent basis. As such, now more than ever companies must take actionable steps to combat the sizable security risks posed by the combination of insider threats and remote working. Fortunately, there are several key best practices that companies can implement as part of a comprehensive, risk-based security strategy to significantly reduce the threat of remote worker insider attacks.
|Teleworking Policy
As a starting point, companies should implement a strong, comprehensive teleworking policy that directly addresses the security of company networks and data. Creating a robust teleworking policy is a simple yet effective way to combat insider threats, particularly those arising out of carelessness or negligence. In particular, there are several key components that should be included in such policies.
First, teleworking policies should address the issue of remote access. Remote access guidelines should define scope of permissible bring-your-own device (BYOD) practices—involving the use of employee-owned devices to connect to company networks—while working from home, as well as any technical requirements for connecting remotely to organizational networks, such as mandating virtual private networks (VPN) and multi-factor authentication (MFA) password protocols.
Teleworking policies should also address "acceptable use," which serves a critical role in promoting employees' responsible use of company assets and data by educating them on the types of behaviors permitted when using company technology. Acceptable use guidelines should define what employees can and cannot do with company-owned devices and specify the scope of such activities.
Similarly, mobile security guidelines—which specify the company's security requirements when data is accessed or transmitted via mobile device (both company- and employee-owned)—should also be included in all teleworking policies. In particular, these guidelines should address several key points, including: keeping software updated; always locking devices when they are not in use; reporting lost or stolen devices immediately; and never connecting to public Wi-Fi networks.
|Employee Education and Training
Employing a workforce that is savvy about lurking cyber risks and threats is another critical way to minimize the risk of insider threats. As such, a second key ingredient to an insider threat risk mitigation program is employee security awareness education and training.
Employees must be thoroughly educated and trained on how to safely and securely use, transfer, and store organizational data in the course of their day-to-day activities while working from home. Employees should also be educated and trained on today's most prominent cyber-attack methods—such as phishing, malware, and social engineering—and best practices to implement to avoid falling victim to a targeted cyber scam.
Combined, education and training in these areas can help arm a company's workforce with the tools they need to effectively avoid any mishaps while working outside the office that could result in accidental or unintentional data breaches or other security events.
|Employee Monitoring
Employee monitoring is a third key component of an effective insider threat risk mitigation program.
Employers should monitor workers' use of electronic data, with an eye toward unusual activity—especially if data is being pulled off the company's network. Data monitoring can not only detect data leaks when they happen, but can discourage employees from taking unnecessary risks when accessing or handling company data.
At the same time, employers should also monitor for "digital" threat indicators, which are represented by different forms of online activity that deviate from employees' normal day-to-day activities. Common examples include downloading large amounts of data to external sources, emailing sensitive data to personal accounts, and accessing sensitive data that is not relevant to an employee's job duties or responsibilities.
|User Access Restrictions and Control
Finally, companies should also include user access restrictions and control as an integral component of their insider threat risk mitigation programs.
Employers should implement the principle of "least privilege" to restrict and limit exposure by granting employees only the minimal level of access or privilege that is necessary for them to carry out their job duties and responsibilities. Similarly, companies should regularly review workers' data access rights and terminate any access to data or accounts that are no longer in use or no longer needed for employees to carry out their job responsibilities.
By ensuring employees only have access to data that is essential to their work-related duties and responsibilities, companies can significantly decrease the likelihood of finding themselves on the receiving end of a successful insider attack.
|Conclusion
With no clear ending date for the current COVID-19 pandemic, employers must implement the necessary protocols and technical safeguards to secure their networks and data while employees continue to work remotely. Remote working may very well become the "new normal," as employers seek to capitalize on the significant benefits offered by remote work arrangements. Thus, effective insider threat risk mitigation programs are also critical from a broader, long-term perspective. By adhering to the best practices described above, companies can put themselves in the best position to protect themselves from data compromise events stemming from insider threats and remote working arrangements—both during the COVID-19 pandemic and after.
To fully manage and mitigate the enhanced risk of insider threats tied to remote working, businesses should contact experienced legal counsel to ensure they have the proper policies and protocols in place to effectively defend against these potentially lethal security vulnerabilities. And if a business suffers a successful insider attack or other type of security incident during the COVID-19 pandemic (or thereafter), experienced counsel should be contacted to provide immediate assistance with rapid incident response and crisis management, which is key to minimizing the fallout and impact of a data compromise event.
Jeffrey N. Rosenthal is a partner at Blank Rome. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. He can be reached at [email protected].
David J. Oberly is an attorney in the Cincinnati office of the firm and is a member of the firm's cybersecurity and data privacy and privacy class action defense groups. Oberly's practice encompasses both counseling and advising sophisticated clients on a wide range of cybersecurity, data privacy, and biometric privacy matters, as well as representing clients in the defense of privacy and biometric privacy class action litigation. He can be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Seven Rules of the Road for Managing Referrals To/From Other Attorneys, Part 1
7 minute read
Matt's Corner: RPC 8.4(d)—Conduct Prejudicial to the Administration of Justice
2 minute read
The Moving Goalposts of Overtime Exemption: Texas Judge Invalidates 2024 Salary Threshold Rule
5 minute read
Law Firms Mentioned
Trending Stories
- 1Cars Reach Record Fuel Economy but Largely Fail to Meet Biden's EPA Standard, Agency Says
- 2How Cybercriminals Exploit Law Firms’ Holiday Vulnerabilities
- 3DOJ Asks 5th Circuit to Publish Opinion Upholding Gun Ban for Felon
- 4GEO Group Sued Over 2 Wrongful Deaths
- 5Revenue Up at Homegrown Texas Firms Through Q3, Though Demand Slipped Slightly
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
