As many businesses and organizations adapt to the impact of COVID-19 on their operations, the systems and data security risks they face continue to increase and must be an area of focus in all planning for COVID-19. While moving to a remote-working arrangement (especially for the first time) is certainly fraught with risk, even those who continue with a “business as usual” approach are at an increased risk for systems and data security incidents. The uncertainty and the understandable concern created by COVID-19 combine to create much more fertile ground for malicious actors looking to gain access to systems and data. Here are some practical security points to keep in mind as you work to continue serving your customers, clients, members or patients during these unprecedented times:
1. Legal Requirements. As you modify your operations, it’ll be important to keep in mind the legal requirements applicable to your business or organization. For example, consider the HIPAA Security Rule for healthcare-related entities, the Safeguards Rule for financial services entities, PCI-DSS requirements for those processing credit card information, state and foreign government data security requirements that may be applicable, and any contractual data security commitments you’ve made to other parties. In addition to helping ensure your legal compliance, working through the applicable legal standards can also help you improve your overall cybersecurity posture.
2. Plan (and Train!) for the Phish. Every business and organization should consider planning for an increase in “phishing” attacks, as the malicious actors know this is an opportune time to strike. In fact, security experts are already pointing to an uptick in phishing attacks. Amidst the concern around the virus and the desire to keep abreast of the latest developments, employees may be more susceptible to malicious emails, calls and texts – both from external sources and from purported “internal” sources.
a. Business as Usual. Even employees working in their usual environment may be tempted to click on a link or visit a website that purportedly provides breaking news around the virus, a country-by-country update or an important “internal” memo – only to download malware or unwittingly provide authentication credentials to a malicious actor.
b. Newly Remote. For employees who are new to remote working, unfamiliarity with the tools and processes for communicating and working may make it more likely that they will fall prey to malicious communications. For example, a well-meaning employee who isn’t sure how others are communicating within the organization may be more likely to act on an “urgent” email that purports to be from someone at the executive level within the organization – even though the “from” address is a personal email address.
c. Identifying a Phish. Businesses and organizations should remind individuals to be careful about the phishing (and smishing [text] and vishing [phone]) risks, and help them understand what to look for. Some likely subject matters for such communications include COVID-19 updates or instructions, COVID-19 charitable efforts and donations, vendor payment instruction changes, payroll change instructions, technology updates or requests, and “urgent” requests for help or information from others supposedly in the organization.
d. Encourage Confirmation. In addition to using caution with all incoming communications and when visiting outside websites, employees should be encouraged to confirm any suspicious communication through a different channel. For example, if an email purportedly comes from a colleague but arrives from a personal email address, the recipient could send a text to confirm whether the email is actually from the colleague before responding, clicking links or opening attachments. Some employees will need the encouragement, as they might fear being seen as a roadblock or delay in accomplishing what appears to be an important task.
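The indicators listed in items 2a–2d (an executive’s name on a personal email address, a mismatched reply address, and “urgent”, COVID-19, payment or payroll themes in the subject) can also be checked automatically before a message reaches an inbox. The following Python script is an added example and is not code from the original post or from Sands Anderson; it assumes the organization’s mail domain is example.com, that a directory of executive display names is available, and that messages arrive as raw RFC 822 text. The sample messages and the list of personal mail providers are constructed for illustration.

```python
"""Flag incoming messages that match the phishing patterns described above.

Added example, not part of the original post. Assumptions: the internal
domain is example.com, EXECUTIVES is a constructed directory of executive
display names, and PERSONAL_DOMAINS is a constructed list of consumer mail
providers. Each check produces a human-readable reason so a reviewer can
see why a message was flagged for out-of-band confirmation.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own domain
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # constructed list
EXECUTIVES = {"Jane Doe", "John Roe"}  # constructed directory of executive display names
SUSPECT_SUBJECT_TERMS = (
    "covid", "coronavirus", "urgent", "payment", "payroll",
    "wire", "donation", "password", "account update",
)


def _domain(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rpartition("@")[2].lower()


def score_message(raw):
    """Return a list of reasons the message looks like a phish (empty if none)."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    reasons = []

    # 2b: an executive's name on a non-corporate address.
    if display_name in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        reasons.append(
            f"display name '{display_name}' matches an executive but the "
            f"address domain is '{from_domain}'"
        )

    # 2d: a purported colleague writing from a personal mail provider.
    if from_domain in PERSONAL_DOMAINS:
        reasons.append(f"sender uses a personal mail domain '{from_domain}'")

    # Replies silently redirected to a different domain are a common lure.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        reasons.append("Reply-To domain differs from From domain")

    # 2c: subject themes the post lists as likely phishing lures.
    subject = msg.get("Subject", "").lower()
    hits = [term for term in SUSPECT_SUBJECT_TERMS if term in subject]
    if hits:
        reasons.append("subject contains " + ", ".join(hits))

    return reasons


def is_suspicious(raw):
    """True when at least one indicator fired; the user should confirm out of band."""
    return bool(score_message(raw))


def triage(messages):
    """Score a mapping of message-id -> raw text; returns id -> reasons."""
    return {msg_id: score_message(raw) for msg_id, raw in messages.items()}


# Constructed sample messages, one per pattern described in the post.
SAMPLE_MESSAGES = {
    "exec_personal": (
        "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
        "To: staff@example.com\n"
        "Subject: URGENT: COVID-19 vendor payment change\n"
        "\n"
        "Please process the attached wire instructions today.\n"
    ),
    "internal_memo": (
        "From: HR Team <hr@example.com>\n"
        "To: staff@example.com\n"
        "Subject: Weekly newsletter\n"
        "\n"
        "Here is this week's newsletter.\n"
    ),
    "replyto_mismatch": (
        "From: IT Support <it@example.com>\n"
        "Reply-To: helpdesk@example-support.net\n"
        "Subject: Technology update: password reset required\n"
        "\n"
        "Reply with your current password to keep your account active.\n"
    ),
}

if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_MESSAGES).items():
        verdict = "CONFIRM OUT OF BAND" if reasons else "ok"
        print(f"{msg_id}: {verdict}")
        for reason in reasons:
            print(f"  - {reason}")
```

Each reason maps back to one of the indicators in items 2b–2d, so the output can be used directly in the “encourage confirmation” step: a flagged message is not blocked, but the recipient is told which detail to verify through a different channel before acting on it.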
3. Limit Access to Systems and Data. Consider limiting an individual’s access to systems and data to that necessary for the particular role. This will help reduce the impact of any compromise on the user’s end when working remotely.
4. Limit the Type of Access. Consider technological solutions to limit a user’s ability to do more than view particular information on the network. For example, can the user perform his or her function with “view only” access to relevant documents on the network? This approach may help reduce the impact of any unauthorized access to the user’s machine or any loss or theft of the user’s machine.
5. Encryption. Consider implementing encryption in connection with your modified operations. For example, consider full-disk encryption for employer-owned machines that will be used remotely, and encryption of sensitive data at rest or in transit.
6. Multifactor Authentication. Consider implementing multifactor authentication (MFA) in connection with your modified operations. For example, you might require MFA for remote access to your network. MFA helps reduce the chances of a malicious actor gaining access to the network even if they have access to your employee’s remote machine.
7. Keep Patches and Updates Current. A simple and sometimes overlooked security measure is making sure your patches and updates are current. In the craziness of a global pandemic, it can be easy to put off daily or simple tasks to deal with seemingly more important issues. Software updates might include security patches, so they should not be pushed off to a later time.
8. Training for Security. As employees take on new working arrangements, make sure you help them understand what they need to do to maintain appropriate security and operate within your business’s or organization’s security requirements. New policies and procedures might be needed to address new arrangements in the (remote) workplace, and you’ll need to make sure your employees understand them so that they can do their part in maintaining security.
9. Prioritize Security Measures. Where it’s not possible to tackle all of your security concerns at one time, consider prioritizing your actions based on the relative sensitivities, potential impact and organizational risks of the roles, systems, data, applications and vendors involved. For example, it might be more important to focus on setting up a secure remote working arrangement for one group of employees before focusing on another group in light of the data and access needed by each group.
Sands Anderson’s Cybersecurity and Technology Team advises clients of all sizes concerning their data security obligations and risks, and we’re here to help with any questions or concerns you might have. Please reach out to any of our team members and we’ll be happy to help.