Legal experts are warning companies to beef up their cybersecurity defenses as COVID-19 presents new opportunities for fraudulent email, increased phishing and other risks related to the rise of employees working from home.
The US law firm Debevoise has published a checklist for firms to consider when preparing for possible disruptions and remote working due to COVID-19.
Cyber risks checklist
In an NYU Law School blog post published recently, the firm listed the following cybersecurity considerations:
1. Phishing
Look out for coronavirus phishing scams. We have already seen fake CDC updates, IT alerts and software notices that attempt to obtain user credentials or install malware, so consider implementing coronavirus-specific phishing training or testing. It is also a good idea to redistribute any company policies that cover the use of personal computers, smartphones, tablets and WiFi networks for work and emphasise that (a) those policies still apply to those working from home, and (b) security protocols will not be relaxed absent a clear change in policy.
Do not send legitimate emails to employees that look like phishing emails. Official COVID-19 updates to employees should have a consistent format and not include links or attachments, which will help employees properly identify phishing emails.
2. Remote capacity
Consider testing the company’s remote capacity by having many employees try to log in remotely simultaneously, and consider adding or expanding use of secure, web-based video conferencing options.
3. Real-time vulnerability updates
It will be important to keep on top of new vulnerabilities and scams by subscribing to various threat-sharing groups, including the CISA Alert service, FBI cyber alerts, IT-ISAC and industry threat-sharing groups in the countries your firm or organisation operates in.
4. Help for the help desk
Anticipate the additional burden on the IT help desk and make sure your employees have the policies, training and tools they need to handle the increased number of requests for technical assistance from people working from home, including the ability to verify the identity of employees using measures like phone number authentication, challenge questions and two-factor authentication.
5. Anticipate remote work problems
Employees who experience difficulties using their home computers (for example, printing) will be tempted to use less secure means to accomplish work tasks, such as emailing confidential documents to their personal email accounts so that they can be easily printed at home. Companies should try to anticipate and solve for these problems ahead of time.
6. Essential employees
Determine how many people, if any, will be needed on-site to protect the network, including patching systems and conducting information security reviews of any new systems that need to be added in haste throughout this period, as well as those needed to conduct investigations and remediation if a cyber event were to occur. Consider backup personnel in case some of those people become unavailable.
7. Vendors
Coordinate with the company’s key third-party data vendors to make sure that their cybersecurity contingency plans are adequate.
8. Update contact information
Ensure that contact information is up to date for key employees, especially mobile numbers.
9. Protect medical information
If employees become ill, there will be good reasons to want to share that information, but it is also important to maintain the confidentiality of employees’ medical data as required by law, including the medical status and identities of diagnosed employees or family members of employees.
This article was written by Henry Engler, North American Regulatory Intelligence Editor, for the Answers On Blog, a Thomson Reuters publication. Legal Insight has republished this article with permission.