By Mark Rasch & Brett Krantz
Undoubtedly, the COVID-19 pandemic has changed the way companies conduct business. From a cybersecurity regulatory/contractual compliance point of view, two aspects of the COVID-19 pandemic are paramount.
Various laws and regulations, as well as contractual provisions, consumer protection provisions and simple negligence law dictate that entities maintain “reasonable” security either in general or with respect to specific classes of data or networks that process specific classes of data. With a massive increase in telecommuting, the security posture of many companies has changed. Security which was once provided in a controlled environment with management and IT oversight may now be provided on personal devices connecting over unsecured networks with oversight by stressed and remote IT staffs. While the duty to protect data may not have changed, the ability to do so certainly has.
Now is a good time to review your telework policies (or create one if you don’t have one) to ensure not only that employees are able to telework during the crisis, but also to set out rules of engagement for such telework, both from a data privacy and a data security standpoint. These policies should include reference to who can telework (under normal circumstances and during the COVID pandemic), what kinds of devices they can use, how they can connect (VPN or other secure means), what software they can (must) use and any rights the company may have to remotely access or monitor employee activity when working remotely. The telework policies should also include policies on access to cloud-based or third party applications. Finally, telework policies should include policies on security and privacy of Bring Your Own Device (BYOD) hardware and software — particularly shared BYOD devices that employees may be sharing with their children or other family members.
As employees access corporate data or networks remotely, companies will also have to review privacy and data security policies as they apply to insecure home networks, wifi access devices and routers. This may include adding layers of encryption, virtualization or Mobile Device Management (MDM) as well as walking employees through how to establish and maintain more secure mobile access through WPA-3 enabled routers. A good deal of corporate policies on anti-malware and anti-phishing are enforced at the network level, with corporate firewalls configured to prevent malicious programs from impacting corporate devices. A telecommuter is likely accessing outside the corporate environment, and things like endpoint detection, intrusion detection, firewall blocking and logging and log monitoring may not be occurring. Since you are a fiduciary of the data you are collecting, your policies should provide for an effective substitute for these security procedures.
Hackers and other threat actors are using the COVID-19 pandemic to launch attacks on individuals and corporate networks through a series of scams and other threats. E-mails from untrusted sources promoting COVID-19 treatments or cures, or purporting to contain “Important Information” about the COVID-19 pandemic (some purporting to come from sources like the CDC or WHO) are pervasive, and often bring malware or phishing attacks. Employees working from home may be more likely to click on these emails. Part of your information security compliance program must include employee education and training specifically giving guidance on these kinds of attacks.
Not only are the risks and threats to enterprises enhanced during the pandemic, but IT staff, IT security staff and Incident Response staffs are depleted, diffused and overworked (and often working from home as well, without access to the full panoply of tools and resources). Make sure that they are equipped with remote collaboration tools – including tools that don’t depend on the proper functioning of your network – to allow them to effectively communicate. Share phone numbers, personal email addresses and even personal fax numbers, and encourage IR teams to print and store these in a way that they can conduct business even if networks are down. Include relevant business partners, vendors and IT partners in your remote readiness program, and be prepared to create a virtual Security Operations Center and virtual war room.
Now is a good time to review relevant contracts with vendors, suppliers, cloud service providers, web application and hosting platforms and others to continue to ensure that these entities – which have similarly been impacted by the COVID-19 pandemic – continue to provide a level of service and responsiveness that will adequately protect your enterprise. At the same time, you want to review any agreements you may have with customers or third parties to see how any disruptions that impact you may be accommodated or excused under the terms of the contract, including force majeure or Act of God provisions. Finally, this is a good time to re-examine your cyber-security, cyber-business interruption, e-commerce and data breach insurance policies to make sure that the change in circumstances has not impacted your coverages. As a brief example, if your coverage includes “business property” including computers, a BYOD device may or may not be included –even if it is being used for business purposes. A quick check-up is a good idea.
A final cyber-trend during the COVID-19 pandemic has been opportunistic threats by hackers and others. In particular, there has been a marked increase in ransomware and cryptolocker attacks on healthcare providers, where attackers demand ransom in return for unlocking access to providers’ computers or data. Knowing that these systems are critical to the functioning of the healthcare system, the attackers are demanding immediate payment or large ransoms. Effective anti-ransomware programs and ransomware readiness programs need to be part of your COVID-19 pandemic cyber response.
KJK is prepared to work with its clients to meet their needs during this trying time. Our Cybersecurity group is experienced in cyber-regulatory compliance, data sharing agreements, data breach management, training and overall cyber-risk reduction. If you have any questions or would like to discuss further, please reach out to Mark Rasch at mdr@kjk.com or 301.547.6925 or Brett Krantz at bk@kjk.com or 216.736.7238.