Legal Update
Mar 20, 2020
Cybersecurity, Data Privacy, and Compliance Issues Related to Remote Workers
Sign up for our Coronavirus roundup email.
Visit our Coronavirus resource page.
In this unprecedented time, businesses are, more than ever, implementing and rapidly rolling out programs for remote or at-home work by employees. The quick changes in local and state governmental “shelter in place” instructions and Public Heath directives have placed significant strains on remote networks and caused local shortages of laptop computers at office supply and electronic stores across the country.
With this unexpected increase in remote workers, many companies are pushing the limits of their existing remote access technology, or deploying ad hoc technology and access solutions as quickly as possible. Some of those companies are not taking the time to consider potential information security, privacy, and other compliance ramifications for those same remote workers.
It is entirely appropriate and necessary for companies to adapt their technology and work networks are utilized to the greatest degree possible to remain in operation and serve business and customer needs. But as always, data security and privacy should always be part of the equation.
Below are some essential things to know about the security risks posed by remote or at-home worker, and a Technical Checklist for Remote employees to make sure your corporate data is safe, and you do not risk compliance challenges with data privacy law and requirements.
The Current Situation
It’s likely your workforce is operating remotely, either entirely or in large part. This means that employees could potentially be using non-corporate assets to conduct work. There are some immediate information governance issues associated with this. Namely, that the corporation loses control of where data is being transferred and where it gets stored.
There are three basic situations companies find themselves in right now. The first are those companies using products like Citrix or VMWare that are virtualized environments and disable copy/paste from the remote virtual machine to the local employee home computer. However, even the most prepared organizations are struggling with the demand on their virtualized environments. Other companies have allowed laptop users to connect to the corporate VPN, and it’s more or less business as usual for those companies. A third category are businesses that are allowing employees to use home computers to actually do the work—not just for logging in to corporate VMs or VPNs.
Obviously, this third category is where corporate data governance and compliance issues boil up quickly. For example, sensitive data on customers, clients, and employees may exist on employee home computers now. What is the likelihood that the employee is using best practices to securely transmit and store that data with strong encryption? What is the likelihood they have enterprise-grade anti-malware software on their computer? The answer to both is “low” at best unfortunately. Aside from this, corporate Data Loss Prevention software may have been adjusted to a less secure state or disabled completely. Or, it could just not function as intended in this environment. This leaves organizations at risk for not knowing where their data is, and what the data itself actually contains.
Privacy Issues
There are increased compliance requirements and risk if remote workers handle, store or transfer information that identifies individual customers, employees or marketing prospects. There are multiple federal privacy laws that place restrictions on the storage of certain categories of health, background, credit and financial information. This includes individual names combined with non-publically available information, such as account numbers, government identification numbers, and payment information. Additionally, state privacy laws like the California Consumer Privacy Act (CCPA) have increased the stakes of data breaches with increased statutory penalties and notification requirements for the loss of many categories of personal information. Regardless of the situation, companies entrusted with personal information are required implement and use reasonable security measures to protect PHI and PII at all times; limit the use and disclosure to only what is necessary; and securely delete information after it is no longer needed.
How Hackers Will Attack
Threat actors are obviously aware of the remote work situation. Right now, they are working out how to best capitalize on this situation. In all likelihood, threat actors will attempt to use some form of social engineering to carry out their attacks on unknowing or scared employees. We think it could happen via a few different attacks:
- Phishing Emails: As usual, threat actors will attempt to use phishing emails to get people to click links. Emails that have “clickbait” type titles about COVID-19 news or warnings have already been seen in the wild. Employees who are adjusting to remote work with family health concerns and livelihood concerns may not be paying attention even as much as usual. We think there will be an uptick in attack success through this vector. Both home and corporate computer assets and networks are at risk. Deploying aggressive email scanning software is recommended.
- Fake Apps: News has already come out that fake smartphone and websites are serving malware to unwitting users. Users should be vigilant to only seek information from trusted sources that they already use. While Google and Apple do everything they can to stop malicious software on their app stores, users need to remain suspicious of what they are installing and what websites they visit. If your organization has an internal DNS, consider using known black-hole lists that will prevent employees from actually reaching malicious websites on your corporate network. More technically advanced home users and small businesses can use a Raspberry Pi with pi-hole software on it.
- Impersonated Telephone Calls: It’s likely that during the remote-work adjustment confusion, attackers will be preying on the goodwill of people to help others by masquerading as someone with authority to get what they want. Employees in IT, HR, Finance, and other key operation centers should operate under “trust but verify” protocol. That being that they should receive phone calls as usual, but take additional measures to validate that the caller is truly the person they say they are. They should NOT trust caller ID. They should use corporate directories to ask questions of the caller. Do not lead the caller with any information. When in doubt, ask them for a callback number and seek guidance from managers or your Information Security department.
- Stolen Credentials: Right now, hackers are taking advantage or mass remote-work to wardrive through residential neighborhoods looking for unsecured wifi. Even secured wifi with easy-to guess passwords is fairly easy to crack. Their goal is to find networks to sniff data from, ultimately to find corporate credentials. Instructing employees to use VPN (even if not corporate, such as WireGuard) will mitigate this threat against all but the most sophisticated attackers. Employees should also be instructed to change their home WiFi passwords to 24+ digits, and not use dictionary words. Further, their security should be set to WPA2 and utilize mac address filtering. Your IT department can give general guidance on how to accomplish these things. Aside from WiFi risk, attackers may be using the mass remote-work situation to harvest corporate credentials from the Dark Web and attempt logins. The reason this may be more successful now than in the past is because in the past, logins from IP addresses that geographically didn’t make sense to a company and might have set off triggers will now be buried amongst logins from an entire workforce. Basically, it will be hard for a company to know what logins are valid attempts, and which are malicious. Companies like DigitalStakeout can help find corporate credentials on the Dark Web before they become a problem.
What You Should Be Thinking About
If you haven’t already, now is the time to discuss with your IT or Information Security team about what they are doing to protect corporate data in this era of mass remote work. Some talking points to arm you for that discussion are:
- Are we requiring VPN for remote employees to connect to corporate networks?
- If so, what devices are allowed to connect via the VPN? Corporate assets? Home computers? If home computers, how do we know those devices are not compromised and could introduce threats to our corporate network?
- Are we utilizing any virtualization technology to enable more secure remote workers? Which product are we using? What is the capacity of the system? Can it handle the demand? Has the ability to copy/paste data from that environment to the employee computer environment been disabled?
- Are we enforcing two-factor authentication on logins to the corporate network?
- What are we doing to enable collaboration with employees? How can they work on documents together in a secure way?
- Are we using any encryption to secure data in transit and at rest?
- How are we tracking who accesses what files from unstructured data repositories like network shares, personal shares, etc? Do we have software that allows auditing of access and copying/moving of files for later remediation?
- Are we issuing clear, actionable guidance to employees to help them remain vigilant?
- How are we informing employees about the risk of ransomware and phishing attacks during these times? Have we put a warning banner on external email senders’ emails?
- Do we have email security systems in place that will automatically open attachments and analyze whether they are dangerous before allowing the email to be sent along to the recipient employee?
- Do we have cybersecurity training available for our employees that focuses on data protection and cybersecurity while working remotely?
- Do we have mobile device management software to prevent employees from loading fake Coronavirus tracking/news apps to their devices?
HIPAA Concerns
If your company has to comply with HIPAA, it is important to remember to implement appropriate safeguards to ensure the privacy and security of PHI. All types of workforce members may be required to work remotely. Therefore, safeguards are necessary for virtually every type of medium, data, and image created for PHI. While it is impossible to eradicate all risks, control can be attained by taking prudent precautions and establishing the required technological and administrative/operational solutions through your company’s policies and procedures
Conclusion
With almost daily changes to work environment and public health recommendations, it is understandable that companies would be scrambling to deploy technology and open network accessibly in the interests of business continuity. However, it is always important to remember that malicious attackers will attempt to take advantage of situations like this when companies may have their guard down. Vigilance now will prevent misery in the future.