As COVID-19 spreads around the globe, cybersecurity and data privacy risks are expanding for organizations in two important ways.  First, cyber criminals are taking advantage of this pandemic to launch phishing campaigns specifically intended to lure email users into clicking on malicious links that appear to be legitimate information from public health officials and other news sources about the growing coronavirus risk.  Second, as organizations shift employees to remote work as part of their overall coronavirus response, there is a heightened risk that employees may use unsecured Wi-Fi networks, handle information outside of secure channels, use personal devices for remote work, and not follow the organization’s security policies. Together, these factors increase the risk of cybersecurity and privacy incidents that could lead to ransomware infections, business email compromise, or compromise of information that may be protected under state, federal, and international privacy laws. This alert addresses these privacy and security risks, and offers simple steps that organizations can take to address and mitigate those risks.

Changes in the Cyber Threat Landscape

Cyber criminals regularly use targeted, topical campaigns to gain unauthorized access to user credentials. In times of crisis, even companies that have training programs in place may find their staff – and especially their busy, time-pressed executives and employees new to remote work – tricked into clicking on a link or opening an attachment in what appears to be a COVID-19 outbreak-related email. Once that happens, the hackers may be able to use the compromised email account to cause a great deal of harm, which could include:

• gaining access to sensitive company information, protected personal data or financial information;
• embedding ransomware that can later be activated to encrypt or destroy the organization’s data and systems; or
• carrying out a business email compromise attack in which they use the compromised account to send fraudulent emails to other parties with directions to wire funds to fraudulent accounts.

Cybersecurity researchers are already reporting that nation-state threat actors are using bots and other online accounts to spread deliberate misinformation about the coronavirus, and to send targeted phishing attacks to users in countries where the virus has gained a foothold. With this increased cyber threat environment, organizations should proactively warn their staff about these risks and assess whether additional training, technical measures, or other steps may be helpful in counteracting them.

Cybersecurity and Privacy Risks Associated With Increased Remote Work

As more organizations shift employees to remote work, organizations should plan in advance to mitigate the increased cybersecurity and privacy risks associated with having employees work from home.  This includes a comprehensive planning that spans departments within the organization to adequately train employees and ensure their IT infrastructure can accommodate the increased demand.  It’s imperative to begin planning efforts now as organizations may have to implement remote work policies on short notice given the pace of the outbreak and changes in local conditions.  Failure to plan increases the risk that employees will handle information in ways (taking confidential information home, forwarding it to personal email accounts, uploading to personal cloud accounts, etc.) that compromise data privacy, security, or both.     

Organizations should consider the following as they plan and implement their COVID-19 response:

Infrastructure Protection

• Evaluate remote access capabilities (e.g., Virtual Private Network and other remote access systems are fully patched. Test web and voice conferencing capabilities and ensure employees have access to and understand how to use these);
• Test employees’ ability to work remotely (e.g., rotate staff to work remotely on selected days during the week to identify issues proactively in anticipation of a facilities closure or quarantine order);
• Provision laptop computers, monitors, keyboards, printers, docking stations, shredders, etc.; avoid, if possible, shifting work to personally owned computers;
• Consider employees that require access to paper documents/files; identify and securely provision access to cloud file stores where shared access to documents is required (use multi-factor authentication and encryption);
• Identify the ability to reset (remotely if possible) the schedule of exterior doors automatic lock and unlock related to business hours;
• Develop open communications and coordination with key vendors and other outside parties, including clients, shareholders, limited partners, regulators, and the media;
• Test the ability of critical service providers to support business during a disruption (e.g., ensure clients can access investor portables or continue to receive investor/client reports);
• Ensure organization’s firewalls are properly configured and log attempted and/or successful connections from unauthorized or suspicious Internet Protocol (IP) addresses;
• Develop backup/alternative processes (e.g., manual or in-house) to ensure continuation of critical business operations;
• Consider alternative service providers;
• Implement multi-factor authentication; and
• Review incident response plan to consider a workforce across a distributed environment.

Cybersecurity for Remote Working Employees

• Provide training to employees, especially those new to remote work, and remind employees of cybersecurity precautions;
• Ensure that employees transfer data securely and encrypt data on all portable storage devices (USB drives, external hard drive), and use secure data destruction (shred paper documents or return paper documents to the office when they return from remote work);
• Notify employees of the procedures for notifying the organization of a suspected data or network compromise;
• Notify employees that they should be on high alert for increased phishing attacks. Employees should verify the email address of the sender, especially in emails relating to authorization of expenses, funds transfers, any payment of money, financial account information, payroll information, and other sensitive data. Avoid clicking on links in unsolicited emails and be circumspect of email attachments;
• If not already in place, consider implementing an external warning banner that identifies emails sent from an external sender. This warning banner is a particularly useful reminder to verify the sender’s email address when employees view and respond to work email in the condensed format on their mobile devices;
• Require employees to carry laptop computers home each day as quarantines and closures may be enacted with little warning;
• Notify employees to take particular care when they are handling core business functions from a smartphone or other mobile device – as is likely to be the case with increased remote work throughout the coronavirus outbreak – to verify the authenticity of the email sender, recipient, and information contained therein.  When in doubt, call the recipient to verify over the phone or another means of verification;
• Ensure that all remote employees have access to IT support; and
• Remind employees to enable automatic updates on their personal computers or work laptops; and to turn off their computers and restart for updates at least once every three days.

How Can Counsel Help?

In-house counsel who are participating in their organization's crisis response planning can ensure the team is taking an interdisciplinary approach that considers all aspects of the organization’s COVID-19 preparedness and response, including legal, operational, and other risks associated with a potential cybersecurity or privacy incident. Counsel should be involved in preparing or revising training and policies; in assessing the organization’s overall data governance health; in identifying particular areas of privacy or other legal risks, based on the organization’s unique circumstances; reviewing vendor and supplied contracts for potential areas of risk (e.g., if those entities are shifting to remote operations); reviewing new vendor contracts (e.g., for products or services that support remote work or overall COVID-19 response) to assess the contracting party’s cybersecurity preparedness and specific contractual provisions that could mitigate cybersecurity and privacy risk.