Securely navigating the work-from-home digital world

Jeremy Wolk, BridgeTower Media Newswires

As the COVID-19 pandemic moves employees to remote working, it puts companies at a greater risk for a cyberattack. Here are some tips for businesses to safely navigate the "work-from-home" environment.

As employers and employees are adjusting to the new "normal" of working from home, the risk of a cyberattack has never been greater. Hackers are preying on innocent employees and their lax cybersecurity practices as an easy way to gain access to organizations of all sizes and across all industries. Now, more than ever, it's important to remind your workforce to remain vigilant about cybersecurity. Employers should consider circulating any company privacy or information security policies as a helpful reminder for employees. It's imperative that your employees review and understand these policies. We encourage employers and employees alike to try to maintain the same or similar security standards as normal.

We put together a few additional reminders as we navigate this challenging time:

- Working outside the office may mean that others can more easily see confidential information on a computer screen. Be sure to log off or lock your computer when stepping away from your workstation, even for a short period of time.

- Even while working from home or elsewhere out of the office, employees are still responsible for complying with all company policies and procedures. This includes complying with any non-disclosure or other confidentiality agreements that may be in place.

- Be especially vigilant for phishing scams and avoid opening attachments from any untrusted emails. These can include purported "coronavirus" or "COVID-19" alerts; unfortunately, scammers are taking advantage of the current situation. Employers should encourage employees to check with the company's IT department if they have any questions about the validity of a particular email before opening any attachments.

- Employers should require that employees use the company's VPN system or similar remote access system to connect. Employees should be reminded to not save documents locally on their computer and to not use personal webmail or texting to conduct company business.

- Employees should avoid printing out documents at home. If an employee must do so, they should not throw any confidential documents in the trash or recycling when finished. Employees should save all documents somewhere safe and private, and bring them to work for secure shredding once the office reopens.

- Be cognizant of smart-home devices. Even though such devices are designed to only be activated by certain words, one study has shown that these devices can inadvertently activate between 1.5 and 19 times per day. Confidential conversations should happen away from such devices.

- Employees should update the password on internet modems and wireless access points to make sure they are not still using the default password that came with the device. Hackers can purchase those passwords on the dark web and gain easy access.

- Everyone should be sure to completely shut down his or her computer every night, and reboot it in the morning. This helps keep it more secure.

- We strongly recommend considering whether any changes to your information security programs are warranted. Many state laws require review and updates of privacy and security policies as company circumstances change, and moving an entire workforce to a remote situation is certainly a material change. Regardless of whether a change is warranted, this is a great time to send or re-send policies to your remote workforce as a friendly reminder that such policies govern, even when working from home. Routine reminders help to keep data privacy and security at the forefront of your employees' minds.

- And for those companies with no written privacy or security policies? It's not too late. Take this as an opportunity to draft policies outlining the company's expectations as they relate to data privacy and cybersecurity, especially in light of these changed circumstances. Policies should make clear what is sensitive information and the "dos and don'ts" of handling such information. The more descriptive a company can be about the permissible and prohibited uses of company data, the easier it is for employees to comply. Ultimately, while hopefully not needed, data privacy and security policies should carve out disciplinary action for non-compliance.

- Above all, employees should be advised what to do and whom to immediately contact in the event of a suspected or actual data breach. Be mindful of encouraging employees to self-report any incident, rather than instilling fear of falling victim to an incident. During a time when so many employees are concerned about job security, self-reporting a data security incident may seem counterintuitive, so it is more important than ever that employers foster a sense of responsibility and trust. Make it clear that reporting an incident is an important way to mitigate the damages and can help save the company money, legal ramifications, and embarrassment. Encourage your employees to become part of the solution, even when they may be responsible for the incident. While your employees can be the company's biggest weakness in terms of data security, they can also be your first and best line of defense.

-----

Jeremy Wolk is a partner in Nixon Peabody LLP's Business & Finance department. He developed this article with Nixon Peabody attorneys Jenny Holmes, Jason Gonzalez, and Troy Lieberman.

Published: Fri, Apr 24, 2020