On March 11, the World Health Organization officially characterized the coronavirus (COVID-19) outbreak as a pandemic. During the outbreak, many employers around the world are seeking to prioritize the well-being and safety of their employees by asking them to work remotely instead of risking exposure while commuting and working in populated office spaces. Organizations need to take into account increased risks to the security of their networks, systems, and data during this time.
As employees head home, there is a potential for increased risk of exposure of sensitive data. One area of concern is that employees may take shortcuts to ease working on personal devices or outside of the organization’s environment. For example, employees may send emails to personal accounts with sensitive data attached or upload that data to personal cloud-storage accounts. These incidents of data being sent outside an organization’s network could create an obligation to notify customers, regulators, or individuals under various laws, regulations, and contracts. For convenience, employees may also be tempted to take home sensitive documents that would otherwise remain in the office, thereby increasing the risk of loss, theft, or external exposure. Additional risks might arise if employees download information to personal devices. Working on personal devices may be convenient for employees who have not been equipped with employer-provided hardware, but the risks associated with the use of unsecured devices can be significant, particularly if those devices are able to connect to the organization’s network or systems remotely.
Organizations also can expect to see cyberattackers attempt to exploit this unfortunate situation. For example, attackers seeking to capitalize on fears associated with the pandemic could send phishing emails purporting to contain important updates to organizational policies associated with the outbreak, requesting that employees validate their credentials, or asking employees to install additional software to permit remote connectivity. These sorts of phishing attacks could provide attackers with opportunities to infiltrate the organization’s networks and systems. In addition, organizations may expect to see attacks increase on systems and networks operated by third-party service providers that are supporting the applications and data flows necessary to facilitate an effective remote workforce.
In addition, employer networks may be subject to increased risk of intrusion when significant numbers of their employees work from remote locations. Organizations may lack the infrastructure to support remote working by a large portion, or even all, of their workforce. As employers scramble to bolster their ability to support remote working, overburdened IT infrastructure and rapid deployment decisions may create vulnerabilities that invite unwelcome intrusions, increase the odds that malicious activity goes undetected because usage patterns no longer resemble the normal baseline, or increase the risk that malware finds its way onto internal networks. These risks increase if (i) employees more frequently access the organization’s network via unsecured networks, (ii) there is increased reliance on third-party applications and services, (iii) monitoring and logging capabilities are diminished through increased use of remote access, or (iv) network security is weakened due to increased remote connectivity.
The increased risks to data and network security could expose weaker cybersecurity practices if organizations have not yet adopted robust security measures for these circumstances or communicated those practices to employees through training and internal policies. Organizations may wish to address data security topics in guidance shared with employees regarding remote working. Even if policies for remote working are already in place, it may be worth reminding employees of their obligations to help secure the organization’s network, systems, and sensitive data when they are working from home. Organizations may also see value in confirming that their monitoring and auditing capabilities remain sufficient to detect and thwart cyberattack activity during this period of uncertainty and shifting work norms. Data protection regulators and cybersecurity authorities are issuing guidance and recommendations in light of the coronavirus situation; for example, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert on VPN security.
In-house counsel whose responsibilities include privacy and cybersecurity can play a leading role in their organization’s efforts to adapt to this new and rapidly changing workplace paradigm. Partnering with the IT, cybersecurity, HR/employment, and risk functions, in-house counsel are uniquely positioned to assist with the assessment of the evolving threat landscape and modify the organization’s privacy and cybersecurity programs, policies, and practices accordingly.