The coronavirus pandemic has pushed telecommuting and digitalization of offices into overdrive, with many companies now requiring employees to work remotely and most large cities ordering non-essential employees to stay at home. Where the option to video conference into a meeting was once the exception, it is now the rule. And where office workers could once rely on IT departments to monitor and support all of their technological needs, work from home employees must now be more proactive than ever in understanding and adapting to a new remote work culture. Working from home has added many new variables into companies’ cybersecurity platforms that IT professionals are struggling to keep up with and that cyber criminals are exploiting.
Increased remote work means that more personal devices and Wi-Fi networks are being used to process and transfer business data. For law firms and many companies, this can include highly sensitive data like trade secrets, client information, financial records, and business plans. Additionally, employees are more connected to the Internet in their free time, utilizing streaming services and video-chatting for entertainment in place of in person socialization, putting an additional strain on bandwidth and cybersecurity controls.
Malicious actors have taken note. Cybersecurity watchdogs have sounded the alarm amid an increase in phishing attacks and credential thefts, according to this Wall Street Journal article. Cybercriminals have increased malware bait in the form of coronavirus statistics links, posed as IRS or CDC officials to gain financial information and are exploiting unsecure Wi-Fi networks to obtain sensitive information. Employers and employees alike should be aware of the growing concerns and precautions laid out below in order to secure themselves and their business information.
The Threats
Phishing for malware deployment and login credentials: Phishing is fraudulent practice of sending emails or text messages purporting to be from a reputable source, such as a government entity or a trusted individual within an organization. There has been an increase in phishing attacks using coronavirus references to induce employees to click on email links, attachments infected with malware or access user information through renewed login credentials. This piece from the U.S. Department of Homeland Security includes examples of recent phishing activities.
Exploitation of new teleworking infrastructure: As organizations reconfigure their IT infrastructure to allow for teleworking, such as increasing use of VPNs (Virtual Private Networks) and video conferencing apps like Zoom, malicious actors are scanning vulnerabilities in those software, as highlighted in this article. Hackers are also seeking access to new user endpoints, such as home Wi-Fi networks and personal devices that were previously unaffiliated with the user’s business activity.
Physical document management: While working at home, employees may print hard-copy documents containing sensitive nonpublic information on network printers with unsecured connections. This may give bad actors yet another opportunity to access confidential data. Employees may also take hard-copy sensitive or confidential materials off-site that they would not otherwise, and without a cross-cut shredder at home, the disposal of these materials may cause confidentiality problems as well.
Risk Mitigation
Below are some tips to consider implementing to help create secure and remote work environments. If you are in leadership at your company or law firm, you might want to make sure your team is taking these precautions:
Multi-factor authentication: Multi-factor authentication is a security enhancement that requires at least two pieces of evidence when logging into an account, fortifying accounts against stolen passwords and blocks up to 99% of attempted web attacks.
Use of VPNs: Connect to a secure network and using a company-issued Virtual Private Network (VPN) to access any work accounts. VPNs create an encrypted network connection that authenticates the user and/or device and encrypt data in transit between the user and their services. Avoid connecting to public or shared Wi-Fi networks whenever possible unless using a VPN.
Securing home networks: Home routers should be updated to the most current software and secured with a lengthy, unique passphrase.
Keep business and personal separate: Whenever possible, ensure company devices and personal devices are each on their own separate networks. Do not conduct business on personal devices in order to minimize vulnerabilities to business data.
Update all software: Ensure that your Internet-connected devices ‒including laptops, smartphones, and tablets ‒ are running the most current versions of software. Apple, Google, Microsoft, and other developers frequently push important security updates that improve performance and security.
Maintain vigilance about URLs: Phishing attempts are frequently paired with spoofing: the act of disguising the source of the information. There have been many lookalike domains impersonating the CDC and WHO in order to prey upon users’ curiosity or confusion about the coronavirus. Hackers can also imitate the email addresses of affiliates in your workplace, such as contractors or supervisors requesting information. Be skeptical and verify links you click and downloads you may accept. Go directly to a reputable website first or contact the sender through a credible means. When in doubt, consult your company’s IT professionals before proceeding.
Check your backup processes: Follow your employer’s protocols concerning data backups. Be careful to maintain separation of your personal cloud storage, which may be automatic and running in the background. Removable media storage (USBs or physical hard drives) can also run backups, increasing the risk of crossing business data over into your personal cloud. Only perform backup methods that are compliant with your business protocols and maintain separation of personal and business devices.
Additional Resources
List of updated threat information from the U.S. Department of Homeland Security: https://www.us-cert.gov/ncas/alerts/aa20-099a
Article from The Wall Street Journal: https://www.wsj.com/articles/hackers-target-companies-with-fake-coronavirus-warnings-11583267812?mod=article_inline
Guidance from The National Law Review: https://www.natlawreview.com/article/business-time-covid-19-us-cybersecurity-and-privacy-issues-you-to-consider
Tips for working from home from the United Kingdom: https://www.ncsc.gov.uk/guidance/home-working
Remote working tip sheet from the National Cybersecurity Alliance: https://staysafeonline.org/wp-content/uploads/2020/03/NCSA-Remote-Working-Tipsheet.pdf
About the Authors:
Yuan Tian and Tommy Sandstrom are attorneys with Legal Innovators. Contact Yuan and Tommy with any questions regarding cybersecurity threats and mitigation during the coronavirus pandemic or share your thoughts with our community on Twitter, Facebook, or LinkedIn.
Yuan Tian
Tommy Sandstrom
