During the current COVID-19 pandemic, companies face most of the cyber challenges that exist during normal times, while also facing amplified threats from cyber criminals looking to exploit opportunities and vulnerabilities resulting from employees working remotely. In response to the heightened cybersecurity risks of the pandemic, companies should consider taking steps to safeguard company and client data and preserve the integrity of IT systems. Boards should review management’s response to heightened cyber threats. This Memo discusses the cybersecurity risks related to the pandemic and describes the ways in which companies can try to mitigate those risks.
1. Risks Associated with Working from Home
As social distancing mandates have forced non-essential businesses to adopt remote working measures, employees are increasingly turning to their personal devices for business purposes. Unfortunately, each employee’s endpoint remote device, especially personal devices not managed by their employer, offers a new and distinct opportunity for hackers and scammers to exploit the vulnerabilities inherent in systems and people.
For example, an employee working on a personal laptop that has not been properly vetted and approved by a company’s IT department may not have current anti-virus and anti-malware protections. This can compromise an entire network if sensitive information is accessed by just one remote computer that has had malware installed on it. Employees who have access to or transmit sensitive company data may now be using home computers shared by household members. This poses a danger if personal information has not been properly walled off from company information. For example, if while using a shared computer, a family member falls victim to a phishing scam or clicks on a malicious link, the employee’s company data could be exposed or compromised if it has not been properly secured or hosted on a separate Virtual Private Network (“VPN”). Use of unsecured or public Wi-Fi networks makes employees a relatively easy target for cyber criminals and exposes company networks and sensitive information.
Many of these risks are minimized by use of a VPN, which allows for secure remote access to the company network. The effectiveness of a VPN is, however, diminished if employees conduct work outside the VPN and through personal accounts. Sending sensitive information to a personal email account may also leave it unprotected by a company’s IT security. Similarly, there is an increased security risk if sensitive documents are saved on personal devices. These tempting and unfortunately commonplace practices caused many cyber incidents even before the COVID-19 outbreak.
Care should also be taken to protect physical files containing printed documents stored in an employee’s home. Employees should safely store physical files at home until they can be safely returned to the office or shredded.
2. Addressing Concerns Associated with Working from Home
To combat the cyber threats associated with a remote workforce, companies should consider the technical and legal challenges posed by remote technology and should consider reviewing their own internal policies to assess their preparedness for potential interruptions caused by COVID-19.
Reviewing Current IT Practices
Management should review company IT policies and remind employees of their obligations to adhere to these policies when working remotely. Some best practice guidelines and questions include:
- What devices are employees using to work remotely?
- Are the devices provided by the company, or are personal devices being used for work?
- Are approved devices capable of handling employee workloads? If not, employees may be tempted to use personal email accounts and unapproved devices.
- What policies are in place to ensure employees protect information while working remotely?
- If employees are permitted to use personal devices for work, are they required to have up-to-date virus and malware protection?
- Are employees required to use a VPN when working from home?
- Are employees permitted to work using public Wi-Fi and are employees required to secure their home Wi-Fi?
- Is confidential information being properly protected?
- Do employees have access to only the confidential information and internal systems they need?
- Do company IT policies explicitly prohibit the use of personal accounts?
- Does the company have a system in place that enables it to exercise rights of oversight, monitoring, and compliance to ensure employees abide by IT policies (for example, can the company access personal devices remotely through its VPN?)
- Are employees aware of best practices and IT policies?
- Have employees been formally and effectively reminded of IT policies?
- Have employees been trained or instructed on how to avoid phishing and other cyber-attacks?
- Are employees aware of who to contact in the event of a cyber-attack?
- Have employees been reminded how to safely use video conference and file sharing services?
- Are employees on notice of these employer oversight tools?
- Does the nature of the company’s business require special attention to privacy protection?
- Is the company subject to the SHIELD Act, NY Department of Financial Services (“DFS”) requirements, GDPR, HIPAA, or other state or federal laws on handling private information?
- What third-party vendors are providing services to the company?
- How has the company vetted new third-party vendors it will rely on in light of COVID-19?
- Does the company periodically review vendor practices, especially since the beginning of the COVID-19 outbreak?
Companies should consult with their IT departments and, if necessary, with outside consultants, to ensure that company systems are up to date, secure, and able to accommodate a fully remote workforce while still enabling productivity. The following are recommended technical considerations and measures:
- Require that company employees use exclusively company-issued hardware, if possible.
- Require the use of a VPN by all employees. Use of unsecured networks and Wi-Fi connections is something that hackers look for when identifying targets. VPNs, though not completely secure, make hacking more difficult and can deter bad actors. While the benefits of using VPNs are indisputable, many were not designed to withstand the volume that they are forced to handle in light of COVID-19. With this increased level of use, hackers will most likely target their efforts to exploit VPN vulnerabilities, heightening the necessity of training employees about how to spot phishing scams and cybersecurity breaches.
- Discourage commingling of personal and work devices, which increases the risk of phishing attempts.
- Establish multi-factor authentication for all employee logins.
- Consider what cloud systems and automatic backups your employees may have; ensure that employees are not inadvertently saving company information to a personal cloud service via automatic uploads.
- Encrypt all external devices (e.g. hard drives, thumb drives) to prevent unwanted access.
- Establish automatic deletion capabilities so that data can be erased from lost or stolen endpoint devices.
- Remind employees of the remote work protocols; re-circulate written policies to increase awareness of employee obligations in the event information is compromised or breached on their remote system. This will also encourage escalation of issues to management as soon as they arise, which will prevent minor issues from becoming major disruptions.
- Install and require the use of trusted remote collaboration software to avoid reliance on publicly available collaboration tools that could endanger information security.
3. Legal Concerns
Recent updates to privacy and cybersecurity regulations at the state and federal level have increased the responsibilities of companies to take preventative measures and to report compromising cybersecurity events to various authorities during the pandemic.
Statutory Cybersecurity and Privacy Requirements
New York Department of Financial Services (“DFS”) Requirements
The DFS issued new guidance on March 10, 2020, requesting information from covered entities (which include banks, insurance companies and financial service companies) regarding internal preparedness for COVID-19. In particular, the guidance required all covered entities to submit a response to the DFS describing the details of their preparedness and plans to manage increased risks of service and operational disruptions caused by the pandemic. The plans must include an assessment of covered entities’ readiness and capacity of its IT systems and policies to handle a potential increase in cyber-attacks and fraud perpetrated by hackers in light of increased remote working. This guidance does not suggest that existing requirements under the DFS rules are relaxed in any way, but instead suggests that compliance with the requirements is more important than ever.
Health Insurance Portability and Accountability Act (“HIPAA”)
The U.S. Department of Health and Human Services issued a novel Coronavirus bulletin on February 2, 2020, requiring that all entities covered by HIPAA maintain stringent security safeguards during the COVID-19 crisis. Companies are required to maintain the administrative, physical and technical safeguards required by the regulation despite the challenges posed by this health crisis. Keep in mind that many third-party conference and video platforms like Zoom have not been built to the standards required by applicable regulatory bodies and may not be appropriate for transmitting sensitive health-related data.
Generally, if a company is covered by HIPAA and in compliance with the mandated cybersecurity requirements, it will highly likely be in compliance with New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires that any company that collects or stores data of New York residents maintain proper administrative, technical and physical safeguards to protect sensitive data.
Boards should continue to apply standard good practices when addressing cybersecurity concerns related to the pandemic. Practices such as maintaining agendas, minutes, and resolutions that accurately reflect consideration of cybersecurity matters will assist boards in responding to increased scrutiny resulting from the COVID-19 outbreak. Ultimately, directors should ensure they are well-informed and decisive, while creating a record reflecting that.
4. COVID-19 Specific Rise in Threats
In recent weeks, hackers have targeted the financial and healthcare industries, as well as law firms, to try to catch distracted, overwhelmed employees off guard. Recent phishing emails have purported to provide helpful information about the recently enacted CARES Act. A joint advisory published on April 8, 2020 by the UK’s National Cyber Security Centre (NCSC) and the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) reported that cyber criminal groups are targeting individuals and organizations with a range of ransomware and malware. For example, cyber criminals have sent emails masquerading as legitimate organizations, such as the World Health Organization (WHO), claiming to provide useful information about COVID-19. These messages contain phishing links that embed malicious software onto the victim’s device. The email may appear to come from a trustworthy sender and carry a subject line such as “2019-nCov: Coronavirus outbreak in your city (Emergency)”.
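As an added illustration (not part of the original memo or the NCSC/CISA advisory), the following Python triage check flags the indicators described above in a single email: a display name claiming to be the WHO while the sender and link domains are not the WHO’s, and a pandemic-themed subject line. The two messages, the claimed-organization table and the lure terms are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not real campaign artifacts.
LURE_SAMPLE = """From: "World Health Organization" <alerts@who-updates.example>
Subject: 2019-nCov: Coronavirus outbreak in your city (Emergency)
Content-Type: text/plain

Please review the guidance at http://who-updates.example/covid19/login
"""

LEGIT_SAMPLE = """From: "IT Helpdesk" <helpdesk@corp.example>
Subject: Reminder: connect through the VPN before opening client files
Content-Type: text/plain

See https://intranet.corp.example/remote-work for the policy.
"""

# Display names that lures impersonate, mapped to the domains the real
# organisation actually uses (assumed table for this example).
CLAIMED_ORGS = {
    "world health organization": ("who.int",),
    "who": ("who.int",),
}
LURE_TERMS = re.compile(r"(covid|coronavirus|ncov|emergency|urgent)", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)")


def _belongs_to(host: str, domains) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def phishing_indicators(raw: str) -> list:
    """Return the indicator names found in one RFC 822-style message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1]
    claimed = CLAIMED_ORGS.get(display.strip().lower())
    found = []
    # Display name says WHO but the envelope address is somewhere else.
    if claimed and not _belongs_to(sender_domain, claimed):
        found.append("display-name-domain-mismatch")
    if LURE_TERMS.search(msg.get("Subject", "")):
        found.append("pandemic-lure-subject")
    # Any link pointing away from the claimed organisation's domains.
    for host in URL_RE.findall(msg.get_payload()):
        if claimed and not _belongs_to(host, claimed):
            found.append("link-host-off-brand:" + host.lower())
    return found
```

A message with two or more indicators is a reasonable candidate for quarantine and user notification; a single subject-line hit alone is too noisy to act on.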
The NCSC and CISA have also observed criminals scanning for known vulnerabilities in remote working tools and software, evidence that they are seeking to take advantage of the increasingly remote workforce. This includes exploitation of the increased use of video conferencing software, such as Microsoft Teams or Zoom, used to trick users into downloading malicious files. A recent vulnerability discovered in Zoom, for example, permits calls to be recorded without a participant’s knowledge. Companies should assess third-party software settings to enhance privacy and security of users and information and should adopt policies for using video platforms if a third-party vendor must be utilized. For example, virtual meetings may be able to be password protected, and parties should be cautious when utilizing the recording feature, as many states have surreptitious recording statutes that could result in civil or criminal liability depending on the factual circumstances of the recording. While vetting third-party communication services may seem daunting during such a busy time, it is critical that third-party platforms have adequate security.
Perhaps now more than ever, it is vital to ensure that employees are vigilant in avoiding cyber threats and attacks. Companies should regularly remind employees of the following best practices:
- Avoid clicking links in unsolicited emails and be wary of attachments which are often used in phishing attacks.
- Use only trusted sources such as legitimate government websites for information on COVID-19.
- Never reveal personal or financial information via email or respond to email solicitations for such information. Common phishing scams include emails from banking institutions requesting banking information. Rarely, if ever, will a bank request your personal banking information via email.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
* * *
For more information concerning the matters discussed in this publication, please contact the authors Brielle E. Kilmartin (212-238-8652, firstname.lastname@example.org), Matthew J. Schwartz (212-238-8692, email@example.com), Matthew D. Dunn (212-238-8706, firstname.lastname@example.org), John M. Griem., Jr. (212-238-8659, email@example.com), or your regular Carter Ledyard attorney.