As the response to the spread of the coronavirus escalates, companies are becoming increasingly dependent on a work-from-home workforce. Experts at Manatt discuss what security concerns companies must take into account with this increase in remote work.
Businesses’ responses to the COVID-19 health crisis – and in particular, the increased demands for personnel to work remotely – present increased security risks and considerations. Workforces have been mobilized, and for many, this transition is expected to last for a significant period of time. For some, this transition to working remotely may be permanent.
Because of these rapid and dramatic changes in how and where personnel perform their daily responsibilities, businesses must ensure that the security of their electronic infrastructure and data is prioritized to the highest levels on their response agenda. In particular, existing security vulnerabilities — arising, for example, from an increased reliance on technology (e.g., VPN traffic) or personnel handling sensitive company or customer matters in environments that the company does not control (e.g., the challenge of destroying paper files if the remote worker does not have a shredder) — will be stressed. Given threat actors’ and criminals’ desire to take advantage of any situation, businesses should anticipate seeing inbound security risk that evolves as quickly as businesses’ response to COVID-19.
With many businesses moving toward a mandatory or liberal work-remotely policy, the (significant) increased demand for remote connectivity, technology and resources has the potential to strain the availability and reliability of electronic infrastructure. Organizations must ensure critical systems have the capacity to withstand increases in demand and avoid interruptions in service. Further, the company’s business continuity plan should address fail-over and other backup procedures in the event a business-critical system becomes unavailable. In addition to increased demand for technology and infrastructure, there likely will be a greater need for IT support. Businesses may consider whether additional support staff is warranted during the transition to a fully remote work environment.
Security Vulnerabilities in the Remote Workforce
Beyond the possibility of overwhelming resource availability, a remote workforce introduces potential security vulnerabilities, in particular with respect to network access and authentication. Organizations should consider how best to address risks associated with securing and verifying credentials in a remote environment, such as enabling multifactor authentication. In addition, with decreased opportunity for physical oversight of the workforce, companies may need to pay closer attention to user activity, including through analyzing access and event logs and leveraging behavioral monitoring functionalities (consistent with the firm’s workplace monitoring policies).
Phishing Attempts and Malware
Threat actors quickly capitalized on fears associated with COVID-19 by identifying opportunities to initiate phishing attempts and embed malicious links in purported news articles and communications surrounding the pandemic. For example, the World Health Organization (WHO) recently issued a warning regarding cybercriminals impersonating the WHO in an attempt to steal money or sensitive information. It is good “cyber hygiene” for companies to regularly educate, train and test employees on phishing risks, and current events present a prime opportunity to remind employees of the threats and best practices associated with phishing scams.
Security Governance and Communications
As security professionals, attorneys and compliance and audit teams work remotely, coordination among the constituents responsible for monitoring and addressing security risks is critically important. Actual threats and materialized risk must be communicated in a timely and secure manner. For example, and to use an obvious illustration of the risk, if a company’s VPN is compromised, that company’s ability to operate may suddenly be threatened if its workforce is relying on the VPN for connectivity. Incident response plans should be immediately evaluated and updated to reflect the company’s current communications structure and expectations. Ensuring that decision-makers are available promptly to address any security events or security incidents is another critical step. Companies must ensure that the workforce is aware of how to report security risks or threats through multiple channels of communication (not just by email).
In assessing and managing quickly evolving security risks, transparent and timely communication with personnel is imperative. Businesses should provide clear direction on what employees should expect during a modified work environment, including what technologies will be deployed, how to use them and whom to contact with any questions or concerns. Companies should also educate personnel on the risks associated with a remote work environment and ensure employees are equipped with direct and timely reporting mechanisms for any security concerns. Finally, decision-makers should ensure the organization is speaking with a unified and consistent voice in establishing and communicating COVID-19 protocols and procedures to its workforce.
This piece was originally shared by Manatt as a client alert and is republished here with permission.