January 21, 2021

Volume XI, Number 21


Working (Cyber) Safely From Home During COVID-19

Amid the Coronavirus (COVID-19) pandemic, more people than ever before are working remotely from home. This raises new cybersecurity challenges for businesses, but there are ways to mitigate the risk.

This sudden shift to working from home significantly increases cyber risks to businesses. The United States Department of Homeland Security and Cybersecurity and Infrastructure Security Agency, together with the United Kingdom’s National Cyber Security Centre, issued a joint alert on how COVID-19 is being exploited by malicious cyber actors. The French National Information Security Agency, the ANSSI, has also noted an increase in fraud related to the public health emergency and attempts to exploit COVID-19 for phishing or scams. There are, however, steps individuals and organisations can take to help reduce cybersecurity risks.


The virtual private network (VPN) must now support an entire workforce working from home, around the clock, and on sensitive matters. VPNs need to be able to scale to handle expected and excess or “overflow” traffic. Scalability can be handled via a software or appliance solution. Certain solutions require user companies to maintain software licenses, which can generally be purchased on an individual basis.

Multi-factor authentication (MFA) should be used for all VPN access. If MFA is already deployed, businesses should expand it to additional staff and endpoints. Although an MFA rollout is potentially disruptive, requiring MFA for VPN access is an important step in warding off unauthorised access.

Servers running VPNs should be updated and vulnerabilities patched promptly. Vulnerabilities should be prioritised according to severity and the likelihood that they will be exploited.

Administrative access to a network should be restricted, and “least privileged access”, the concept of restricting access rights to only those who absolutely need them, should be practised religiously. An attacker who obtains administrative credentials could access the VPN and move laterally through company systems. Of course, default and administrative passwords should be changed regularly and made more complex. Now is the time to consider changing the password policy to require lengthier and more complex passwords. Companies should prevent employees from disabling security features and remote access precautions, or creating security workarounds.

“Bring Your Own Device” (BYOD) rules and standards should be updated to securely manage employee devices using mobile device management (MDM) software in order to allow secure access to internal resources. Endpoints with VPN access must be equipped with adequate endpoint security software and meet system security configuration guidelines, including items such as split tunneling, least privilege and host-based firewalls. Employee devices with access to internal applications should be managed by MDM software in order to ensure compliance with security requirements.

To ensure the implementation of new or strengthened security measures, there should be executive- and chief information security officer (CISO)-level oversight of any change management, including to the network baseline or devices.


It is worth reminding employees to stay vigilant and follow cybersecurity best practices, as they may be less alert to corporate policies when working from home. As a precaution, companies should set up or strengthen email filters to guard against phishing and spoofing attacks.

Email filters generally work by blocking potential spam email or malicious content, or through specifically configured rules-based approaches, which may be bolstered by machine learning. A comprehensive email solution protects against all threats, including phishing, impersonation and spam. Employee training regarding phishing techniques and frequent updates on common COVID-19 spam email campaigns can help keep a network safe. The following are broad but useful tips to send to employees:

• Treat emails that appear to come from health authorities, such as the World Health Organization (WHO), with caution, as threat actors are impersonating high-profile organisations.

• Trust only well-known sources for information on COVID-19. Fake donation websites and email addresses are being used to steal passwords and financial information.

• Exercise caution when opening attachments or clicking links from unfamiliar senders or websites.

• Be wary of attempts by threat actors to reach out by telephone (vishing) or text (smishing).

• Stay alert for indications of an attack, e.g., a false sense of urgency or pressure to ignore security procedures.

• Ensure the Wi-Fi router and all devices are protected by a strong password and the latest encryption.

• Promptly install updates.

• Don’t let family members use work equipment.

• Prohibit “shoulder surfing”, photographs and “snapshots”, and otherwise secure physical locations at home.

• Notify the helpdesk or information security team immediately when you receive suspicious communications.

The following helpful resources address these threats:

• Coronavirus Fraud Schemes Surge, as FBI, HHS OIG Advise Cyber Hygiene

• Defending Against COVID-19 Cyber Scams

• COVID-19 Complication: Ransomware Keeps Hitting Healthcare

• SANS’ Working From Home factsheet and guidance on Creating a Cyber Secure Home

• The European Union Agency for Cybersecurity’s Tips for cybersecurity when working from home


Organisations should ensure they continue to deploy security patches for infrastructure and software. Bad actors may take advantage of lax patching practices, so it is important to be mindful of the availability of patches to address vulnerabilities. Backups ensure that data can be recovered in the event of data security incidents, such as ransomware, system failures and other data integrity issues. Having a reliable, recent backup that has been tested can help a business avoid paying a ransom to malicious actors. In addition, enhanced logging enables the identification of errors and course correction.


The exceptionally wide reach of COVID-19 may necessitate cross-training, teaming and collaboration between IT and information security in the event that a number of key employees are affected at the same time. At the very least, organisations should appoint a backup CISO who takes the helm when the CISO is traveling or out sick, and the incident response plan should designate a backup to the backup leader, in case personnel are unavailable.


In addition to being required by certain regulators, a good incident response plan (IRP) is like the coach’s playbook for an entire game. It should tell the incident response team how to respond to a cyberattack, such as credential harvesting attacks, ransomware attacks or a network intrusion. All organisations should review their existing IRPs to ensure they account for a remote workforce scenario and comply with the following:

• Key personnel should have access to the latest version of the IRP from home.

• The IRP must be accessible if company systems are encrypted in a ransomware attack or otherwise disabled.

• There must be a hard copy of the IRP, easily located in a secure home workspace.

• Ideally, all critical team members should have hard copies.

• The IRP should include updated cellphone contact information and alternate email addresses for all incident response team members, and a plan for offline or out-of-band communications, in the event that connectivity is disabled or the threat actor is inside the network.


When healthcare organisations are inundated with seriously ill patients, they can’t afford downtime caused by data security incidents. When security teams are shorthanded or personally affected by the virus, oversight of IT systems may be impaired. Both situations make organisations extremely vulnerable to cyber criminals. Organisations should consider engaging a trusted cybersecurity firm to provide managed security services. They can help the in-house security team augment managed detection and response in order to identify threats early and reduce the consequences of a breach. A Security Operations Center can provide remote monitoring of IT systems to detect intrusions and anomalous activity. Implementing 24/7 managed detection and response can allow internal teams to focus on building resilience.

© 2020 McDermott Will & Emery

National Law Review, Volume X, Number 149



About this Author

Laura E. Jehl, Partner

Laura Jehl serves as global head of the Firm’s Privacy and Cybersecurity Practice. Focusing on the intersection of data, law and emerging technologies, Laura advises clients on a broad range of privacy and cybersecurity issues. She has extensive experience identifying and mitigating privacy and data protection issues arising out of the collection, use and storage of data as well as the design of new business models, products and technologies. With unique experience as a former senior in-house counsel and C-suite executive, she understands the business, legal and...

Mark Schreiber, McDermott Law Firm, Boston, Cybersecurity Law Attorney

Mark E. Schreiber focuses his practice on cybersecurity, data breach response and global privacy coordination. He advises entities facing cross-border data protection, Privacy Shield and related issues, strategic decisions, and investigations. Mark has led numerous multi-national and cross-border matters, including those involving data breaches, and has advised senior management, boards, and special board committees on a variety of investigations, including data breach prevention and response. Mark is a leader of the Firm’s Global Privacy and Cybersecurity practice....

Kari Prochaska, Associate, Chicago

Kari Prochaska focuses her practice on data privacy and cybersecurity, corporate due diligence, and complex civil litigation. She has counseled clients regarding incident response, breach notification obligations under state privacy statutes, and data governance. Kari has advised clients on General Data Protection Regulation (GDPR) contractual compliance and cross border data transfer mechanisms. She is a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals (IAPP). Also, she has extensive experience supporting clients in corporate...


Paul Ferrillo focuses his practice on corporate governance issues, complex securities class action, major data breaches and other cybersecurity matters, and corporate investigations.

Paul has throughout his career represented public companies and their directors and officers in shareholder class and derivative actions, as well as in internal investigations. In particular, he has coordinated numerous internal investigations on behalf of audit committees and special committees, and handled the defense of securities class actions alleging accounting irregularities and/or financial...