As the response to the spread of the coronavirus escalates, companies are becoming increasingly dependent on a work-from-home workforce. Experts at Manatt discuss what security concerns companies must take into account with this increase in remote work.
Businesses’ responses to the COVID-19 health crisis – and in particular, the increased demands for personnel to work remotely – present increased security risks and considerations. Workforces have been mobilized, and for many, this transition is expected to last for a significant period of time. For some, this transition to working remotely may be permanent.
Because of these rapid and dramatic changes in how and where personnel perform their daily responsibilities, businesses must ensure that the security of their electronic infrastructure and data is prioritized to the highest levels on their response agenda. In particular, existing security vulnerabilities — arising, for example, from an increased reliance on technology (e.g., VPN traffic) or personnel handling sensitive company or customer matters in environments that the company does not control (e.g., the challenge of destroying paper files if the remote worker does not have a shredder) — will be stressed. Given threat actors’ and criminals’ desire to take advantage of any situation, businesses should anticipate seeing inbound security risk that evolves as quickly as businesses’ response to COVID-19.
Business Continuity
With many businesses moving toward a mandatory or liberal work-remotely policy, the (significant) increased demand for remote connectivity, technology and resources has the potential to strain the availability and reliability of electronic infrastructure. Organizations must ensure critical systems have the capacity to withstand increases in demand and avoid interruptions in service. Further, the company’s business continuity plan should address fail-over and other backup procedures in the event a business-critical system becomes unavailable. In addition to increased demand for technology and infrastructure, there likely will be a greater need for IT support. Businesses may consider whether additional support staff is warranted during the transition to a fully remote work environment.
Security Vulnerabilities in the Remote Workforce
Beyond the possibility of overwhelming resource availability, a remote workforce introduces potential security vulnerabilities, in particular with respect to network access and authentication. Organizations should consider how best to address risks associated with securing and verifying credentials in a remote environment, such as enabling multifactor authentication. In addition, with decreased opportunity for physical oversight of the workforce, companies may need to pay closer attention to user activity, including through analyzing access and event logs and leveraging behavioral monitoring functionalities (consistent with the firm’s workplace monitoring policies).
Phishing Attempts and Malware
Threat actors quickly capitalized on fears associated with COVID-19 by identifying opportunities to initiate phishing attempts and embed malicious links in purported news articles and communications surrounding the pandemic. For example, the World Health Organization (WHO) recently issued a warning regarding cybercriminals impersonating the WHO in an attempt to steal money or sensitive information. It is good “cyber hygiene” for companies to regularly educate, train and test employees on phishing risks, and current events present a prime opportunity to remind employees of the threats and best practices associated with phishing scams.
Security Governance and Communications
As security professionals, attorneys and compliance and audit teams work remotely, coordination among the constituents responsible for monitoring and addressing security risks is critically important. Actual threats and materialized risk must be communicated in a timely and secure manner. For example, and to use an obvious illustration of the risk, if a company’s VPN is compromised, that company’s ability to operate may suddenly be threatened if its workforce is relying on the VPN for connectivity. Incident response plans should be immediately evaluated and updated to reflect the company’s current communications structure and expectations. Ensuring that decision-makers are available promptly to address any security events or security incidents is another critical step. Companies must ensure that the workforce is aware of how to report security risks or threats through multiple channels of communication (not just by email).
In assessing and managing quickly evolving security risks, transparent and timely communication with personnel is imperative. Businesses should provide clear direction on what employees should expect during a modified work environment, including what technologies will be deployed, how to use them and whom to contact with any questions or concerns. Companies should also educate personnel on the risks associated with a remote work environment and ensure employees are equipped with direct and timely reporting mechanisms for any security concerns. Finally, decision-makers should ensure the organization is speaking with a unified and consistent voice in establishing and communicating COVID-19 protocols and procedures to its workforce.
This piece was originally shared by Manatt as a client alert and is republished here with permission.
Scott Lashway is a disputes partner based in the Boston office of 
Kaylee Cox Bankston is a privacy and data security attorney in Manatt’s Washington, D.C., office. She focuses her practice on complex cybersecurity and privacy matters, including data privacy and security compliance, information governance, security incident response and breach preparation, regulatory investigations, litigation and class action defense, and development of corporate privacy and security programs.
Kaylee advises clients in a wide range of industries on data privacy and security risk management as well as compliance with state, federal and international privacy laws and regulations, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), among others. She develops and conducts information security and privacy program assessments and leads cybersecurity simulations and war games to evaluate and develop incident response protocols and risk mitigation strategies.
Kaylee also has substantial experience representing clients in privacy and security investigations and related regulatory actions. She represents companies before U.S. and international regulators, including the U.S. Federal Trade Commission and state attorneys general. Kaylee defends clients in privacy and security class action litigation matters in various federal and state courts.
Kaylee is a Certified Information Privacy Professional for the U.S. private sector (CIPP/US). Before joining Manatt, Kaylee worked at an international law firm as co-chair of the firm’s cybersecurity, data breach and privacy team.
Kevin Powers is a senior cybersecurity advisor in Manatt’s Boston office. A renowned thought leader on data privacy and cybersecurity policy and law, Kevin regularly provides high-level counsel to private and government entities regarding cybersecurity, including assessments, strategies and frameworks, employee training, data security and privacy, incident response, government investigations, and “table top” exercises.
Kevin is the founding director of and a professor for Boston College’s premier master’s degree in cybersecurity, which he created, developed and implemented to better address the needs and issues of the rapidly changing cyber ecosystem. With a combined 20 years of law enforcement, military, national security, business, higher education and teaching experience, Kevin has worked as an analyst and attorney for the U.S. Department of Justice, U.S. Navy, U.S. Department of Defense and law firms in Boston and Washington, D.C., and as the general counsel for an international software company based in Seattle, Washington. Along with his advising for Manatt and teaching at Boston College, Kevin is a research affiliate at the MIT Sloan School of Management, and he has taught courses at the U.S. Naval Academy, where he was also the deputy general counsel to the superintendent. Kevin regularly provides expert commentary regarding cybersecurity, privacy and national security issues for varying local, national and international media outlets.
