As the world copes with the COVID-19 pandemic, working from home has suddenly become the “new normal” in many industries. The expanded use of remote working technology offers a lifeline to organizations that would otherwise have to close up shop, but it also threatens to expose organizational and personal home networks to attack, leading to disclosure of confidential enterprise information and protected personal data. In fact, there has been a steep rise of “phishing” emails since the outbreak. Some of these scams entice people to click on offers related to Coronavirus protections but then download malware or ransomware. Others contain urgent (and fraudulent) instructions from an organization official instructing an employee to wire funds to a thief’s account, or to transfer protected data to a hacker.
Organizations can reduce these risks by implementing new IT security infrastructure, and by requiring employees to follow policies and protocols to maintain data security and privacy, wherever their physical locations. Below are some of the most important steps companies can take to address privacy and security best-practices for all remote work:
Use a VPN—or expand the one you’ve got. Every organization that maintains sensitive information should set up a virtual private network (“VPN”). A VPN allows your employees to access the organization’s internal information systems and data over a secure channel, using the public Internet infrastructure as an extension of your private network. VPNs create an encrypted “tunnel” that is private and secure. Data transmitted across a VPN tunnel is encrypted “end-to-end” so that it is rendered unreadable if intercepted.
VPNs are created and managed at the organization’s perimeter firewall. They either require an “agent” to be installed on a user-client’s computer systems, or are hosted at a secure website controlled by the organization. Once a VPN is active and a user-client’s software is installed and configured to “point” at the organization’s designated VPN service, users log on to their computers, launch the VPN client agent or log on to the secure website, and connect to the organization’s network with their standard username and password. Once the connection is established, users can access data and use applications that are available through the VPN connection.
If you already have a VPN, it’s a good idea to expand its capacity so that more employees can use it at once without loss of performance.
What data and functions you make available for remote use is a matter for careful consideration. The most secure approach is that of “least functionality,” which permits a user to be able to complete only required business activities.
Require Frequent Password Changes and Set Up Two-Factor Authentication: A password expiration policy is a basic point, but is frequently overlooked. The policy should set employee passwords to expire automatically after a certain number of days (say, 90).
Companies should also enable two-factor authentication for all network access. Two-factor authentication employs a secondary authentication challenge to a user after they enter their username and password. This challenge may be via a One-Time-Passcode (OTP) that is transmitted via email or SMS text message, a code or click-through signal generated by an authenticator application (e.g., Google Authenticator), or phone call to a user’s mobile phone requiring a PIN for confirmation of the user’s identity. Depending on the sensitivity of the information processed by the organization, employers can consider biometric verification by requiring retina, voice, or fingerprint recognition.
Enable personal firewalls: Ensure that users enable personal firewalls on their computers. These security features are included in every current Microsoft Windows operating system and most anti-malware application suites.
Run anti-malware software: If you aren’t currently running anti-malware software, install and maintain it on all organization-issued devices. If personally-owned computers will be allowed to access the organization’s information systems remotely, require by policy that those computers be protected by an approved anti-malware software package.
Update end-user device software: Ensure that all end-user computers and devices that are permitted to access organizational information systems and resources are current with operating system security patches and updated virus definition files. All operating systems and third-party software packages need to be updated regularly as patches are released to address newly discovered vulnerabilities and newly discovered and defined viruses. Whenever possible, end-user computers should be set to automatically download and install these updates and security patches.
This is particularly important if remote employees connect to the organization’s server via a VPN, because outdated devices are more likely to be compromised by malware taking advantage of unpatched vulnerabilities, which are capable of capturing employees’ login credentials. A compromised computer that is connected to the organization’s internal network via VPN can infect other computers and servers on that network, and result in network-wide compromise resulting in data exfiltration, ransomware, or a host of other malicious attacks.
Use encryption: Install whole-disk encryption software on organization-issued devices, which prevents data stored locally on these devices from being read by unauthorized users.
Deploy Mobile Device Management: If you permit mobile phones and tablets to access organizational information systems and resources, your organization should invest in a Mobile Device Management (MDM) system that includes the ability to wipe data remotely if devices are lost or stolen. MDM systems also include an encrypted container on the mobile device that requires an additional and unique password to access, giving further protection to confidential and legally protected information from unauthorized users or malware.
Secure email and messaging: Even when email within your organization’s corporate domain is encrypted by default (i.e., all email native to the Exchange Server/Outlook Client software), any email sent outside the organization’s email domain may be unencrypted and therefore vulnerable. Therefore, implementation of a secure messaging solution is critical if the organization’s confidential and legally protected personal information is to be transmitted via email outside the organization. Microsoft Office 365 offers secure messaging—other systems, e.g., Zix and ProofPoint, are also available with more functionality to protect email and messaging communications.
Software Enabled End-Point Controls:
Within a VPN configuration, use end-point controls to prevent remote users from copy and pasting and printing to local printers. Within anti-malware systems, use end-point controls to block the use of removable media, e.g., USB drives.
Train Your Employees: Your organization should regularly train employees on basic security practices, especially how to recognize and avoid common Internet scams and social engineering attacks. Employers should send regular reminders to employees to be on heightened alert for “phishing” and “pretexting” attacks. Employees should always use their cursors to hover over hyperlinks before clicking to ensure the actual link destination URL is not fraudulent, and generally refrain from clicking on all links or attachments until the sender’s identity and source of information is confirmed. Train users to always err on the side of caution, and if there is any suspicion, to contact the IT helpdesk or immediate supervisor for guidance before clicking. If a user suspects they have clicked on a fraudulent link, train them to immediately contact their immediate supervisor, and avoid punitive action to ensure users are not discouraged from seeking help.
Policy Requirements and Reminders for Your Employees: Organizations should implement necessary policies and require employees to take the following safeguards when working remotely from home or other non-office locations:
Avoid the use of public Wi-Fi networks that are “open,” which means they do not require a passkey to access, and are unencrypted. Public WiFi networks are more susceptible to attack, as proximity hackers can intercept username and password information as well as the data and information transmitted between the user’s device and the WiFi connection point.
On home routers, enable WPA2 encryption to protect the data and information sent and received over employee WiFi networks. If WPA2 encryption is not available, a new home router must be purchased, because older encryption standards like WEP are easily hacked. To set a router’s encryption settings, follow the manufacturer’s instructions. Also, ensure that the default administrator login credentials set by the manufacturer and included with the WiFi router are changed to a unique username and a strong password (see below).
Have employees use strong and unique passwords on their devices, which include at least 12 characters, a combination of numbers, symbols, upper- and lower-case letters, aren’t a dictionary word or combinations of dictionary words, and don’t rely on obvious substitutions. Generally, the more characters there are in a password, the stronger it will be. A useful trick for creating and memorizing unique passwords is to write down a sentence and create an acronym using the first letter of each word, or numbers, as the basis for a strong password. Convert at least one letter to uppercase, convert at least one letter to a symbol, and ensure there is at least one number included. For example, the sentence, ”My best friend in 4th grade was named Alvin and he had 3 pet snakes!” would become this strong password: “Mbfi4gwnAahh3ps!”.
Ensure sensitive and unencrypted organization information is not saved locally onto your employees’ personal devices used for work. This protects against loss and theft. Also, instruct employees not to send organization information unencrypted to their personal email inboxes.
Shred confidential documents that are printed at home, or collect any printed documents and store them in a safe place until they can be properly disposed per the organizational policy at a later time. Employees should treat confidential documents and materials the same way as if they were working in the office.
Ensure that all devices are kept in a safe place while not in use. Theft of employee laptops and smartphones from cars and public WiFi-hotspot locations has led to many data breaches.
Don’t Forget Your Physical Spaces. Employers should be aware of an increased risk of insider and criminal threats during this time, especially due to reduced vigilance and the potential for compromise of physical security in mostly empty or even vacant office spaces. This is particularly relevant to professional service providers and healthcare providers that handle sensitive client information or protected patient health information. Offices, desks and file cabinets should be locked while employees are away, with any confidential documents or materials stored away in such secured spaces. Arrangements for increased security patrols of vacant workplaces or office spaces should be arranged and implemented.
Revise and Distribute Your Policies. Finally, employers should consider implementing Bring-Your-Own-Devices policies or other remote user and remote work security-related policies, if they have not already done so. These policies should be included in revised versions of the employee handbook and employee confidentiality agreements, and distributed throughout the organization (1). Employers should require all users to sign an Acceptable Use Agreement that states users have read, understood, and will adhere to requirements set forth in all policies, agreements, and/or employee handbook. This way, everyone in the organization is aware of the minimum technical, physical and administrative security guidelines that they must abide by while working in the office, as well as remotely. Likewise, employers should consider developing a data incident response plan in the event that a data breach or incident does occur, as discussed in our previous client Alert (https://princelobel.com/managing-your-cyber-risk-one-important-step-development-of-a-data-incident-response-plan/).
If you need help with managing cybersecurity risks from having employees working remotely, please contact Bill Rogers, Data Privacy and Security Practice Group Chair, at [email protected] or (617)456-8112.
Prince Lobel and the co-authors thank our strategic partner in Data Privacy and Security client services, John H. Rogers, CISSP, Senior Consultant at MonarchISC, (www.MonarchISC.com) for technical guidance and the specific software product information and specifications cited in this Alert.
___________________________
(1) Each State may have its own cybersecurity statutes and regulations to protect personal, health or financial data applicable to individuals, organizations or industries. You should consult counsel for advice on local compliance requirements in your state. In particular, for all individuals or organizations anywhere owning, licensing or storing protected personal data of any Massachusetts resident(s), Massachusetts’ regulations require them to develop, implement, and maintain a comprehensive written information security program (“WISP”). 201 CMR 17.03(1). The regulations require certain cybersecurity administrative procedures, as well as physical and technical safeguards that must be addressed in a WISP, and incorporated into all operations, many of which are discussed generally in this Alert. In relevant part, the regulations provide that every WISP must include:
Designating employees responsible for maintaining the WISP (201 CMR 17.03(2)(a)),
Identifying security risks of personal information and evaluating the effectiveness of current safeguards (201 CMR 17.03(2)(b)),
Developing security policies for the storage, access, and transportation of personal information outside of business premises (201 CMR 17.03(2)(c)),
Imposing disciplinary measures for violations of the WISP (201 CMR 17.03(2)(d)),
Preventing terminated employees from accessing personal information (201 CMR 17.03(2)(e)),
Oversee third-party service provider compliance (201 CMR 17.03(2)(f)) by contractual and other means,
Restrictions on physical access to personal information, and storage of such records and data in locked facilities (201 CMR 17.03(2)(g)),
Regular monitoring to ensure that the WISP is operating in a manner to prevent unauthorized access to or unauthorized use of personal information, and upgrading information safeguards as necessary to limit risks (201 CMR 17.03(2)(h)),
Reviewing compliance, at least annually, or whenever there is a material change in business practices (201 CMR 17.03(2)(i)), and
Documenting steps taken in response to a breach of security or data incident (201 CMR 17.03(2)(j)).
A WISP must also establish certain computer system security standards, when technically feasible, including:
Secure user authentication protocols and access control measures (i.e., password expiration policy, two-factor authentication, and restricting access to personal information to only those who need it) (201 CMR 17.04(1)-(2)),
Encryption of all transmitted and stored personal information (201 CMR 17.04(3) and (5)),
Reasonable monitoring of systems, for unauthorized use of or access to personal information (i.e., monitoring through the use of a MDM system) (201 CMR 17.04(4)),
Reasonably updated firewall protection, operating system security patches, and antivirus and antimalware software (201 CMR 17.04(6)-(7)),
Training of all employees on the proper use of the computer security system and the importance of personal information security (i.e., training on the risks of phishing, spear phishing and other forms of social engineering) (201 CMR 17.04(8)).