Businesses’ responses to the COVID-19 health crisis, and in particular the increased demands for personnel to work remotely, present increased security risks and considerations. Workforces have been mobilized, and for many, this transition is expected to last for a significant period of time. For some, this transition to working remotely may be permanent. Because of these rapid and dramatic changes in how and where personnel perform their daily responsibilities, businesses must ensure that the security of their electronic infrastructure and data is prioritized to the highest levels on their response agenda. In particular, existing security vulnerabilities—arising, for example, from an increased reliance on technology (e.g., VPN traffic) or personnel handling sensitive company or customer matters in environments that the company does not control (e.g., the challenge of destroying paper files if the remote worker does not have a shredder)—will be stressed. Given threat actors’ and criminals’ desire to take advantage of any situation, businesses should anticipate seeing inbound security risk that evolves as quickly as businesses’ response to COVID-19.
- Business Continuity. With many businesses moving toward a mandatory or liberal work-remotely policy, the (significant) increased demand for remote connectivity, technology and resources has the potential to strain the availability and reliability of electronic infrastructure. Organizations must ensure critical systems have the capacity to withstand increases in demand and avoid interruptions in service. Further, the company’s business continuity plan should address failover and other backup procedures in the event a business-critical system becomes unavailable. In addition to increased demand for technology and infrastructure, there likely will be a greater need for IT support. Businesses may consider whether additional support staff is warranted during the transition to a fully remote work environment.
- Security Vulnerabilities in the Remote Workforce. Beyond the possibility of overwhelming resource availability, a remote workforce introduces potential security vulnerabilities, in particular with respect to network access and authentication. Organizations should consider how best to address risks associated with securing and verifying credentials in a remote environment, such as enabling multi-factor authentication. In addition, with decreased opportunity for physical oversight of the workforce, companies may need to pay closer attention to user activity, including through analyzing access and event logs and leveraging behavioral monitoring functionalities (consistent with the firm’s workplace monitoring policies).
- Phishing Attempts and Malware. Threat actors quickly capitalized on fears associated with COVID-19 by identifying opportunities to initiate phishing attempts and embed malicious links in purported news articles and communications surrounding the pandemic. For example, the World Health Organization (WHO) recently issued a warning regarding cybercriminals impersonating the WHO in an attempt to steal money or sensitive information. It is good “cyber hygiene” for companies to regularly educate, train and test employees on phishing risks, and current events present a prime opportunity to remind employees of the threats and best practices associated with phishing scams.
- Security Governance and Communications. As security professionals, attorneys, and compliance and audit teams work remotely, coordination among the constituents responsible for monitoring and addressing security risk is critically important. Actual threats and materialized risk must be communicated timely and in a secure manner. For example, and to use an obvious illustration of the risk, if a company’s VPN is compromised, that company’s ability to operate may suddenly be threatened if its workforce is relying on the VPN for connectivity. Incident response plans should be immediately evaluated and updated to reflect the company’s current communications structure and expectations. Ensuring that decision makers are available timely to address any security events or security incidents is another critical step. Companies must ensure that the workforce is aware of how to report security risks or threats through multiple channels of communication (not just by email).
In assessing and managing quickly evolving security risks, transparent and timely communication with personnel is imperative. Businesses should provide clear direction as to what employees should expect during a modified work environment, including what technologies will be deployed, how to use them, and whom to contact with any questions or concerns. Companies should also educate personnel on the risks associated with a remote work environment and ensure employees are equipped with direct and timely reporting mechanisms for any security concerns. Finally, decision makers should ensure the organization is speaking with a unified and consistent voice in establishing and communicating COVID-19 protocols and procedures to its workforce.
We will continue to provide updates and analysis regarding these rapidly emerging developments, and we invite you to reach out to a member of Manatt’s Privacy and Data Security team with any questions you may have.
For regular updates on the major challenges companies are facing, please visit our COVID-19 resources page, and subscribe for timely updates in your inbox here.