The COVID-19 pandemic increased employee teleworking and telecommuting, a trend that is likely to continue for the foreseeable future. Whether through the adoption of flexible work schedules or companies transitioning to remote work for some or all of their employees, an increased amount of business will continue to be conducted over the internet. This change brings significant risk to employers’ doorsteps.
In 2020, the U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received a record 791,790 complaints with reported losses exceeding $4.1 billion. This represents a 69 percent increase in total complaints from 2019. According to the FBI, most complaints involved phishing, ransomware and cyber scams, as well as extortion carried out through email. Individuals and businesses suffered the greatest losses through business email compromise and social engineering scams, in which criminals impersonate a person or vendor known to the victim in order to gather personal or financial information.
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories warning that the threat of vishing (social engineering by phone call or voicemail), smishing (social engineering through SMS or iMessage) and phishing schemes targeting remote employees is even greater today than it was in 2020. As such, employers must take steps to create and follow policies that limit the risk posed by cybersecurity threats. The following are nine high-level considerations and steps employers can take to reduce the risk of a cybersecurity breach:
1. Ensure access to dedicated and skilled information technology resources
Remote work requires dedicated and skilled information technology staff and vendors. For any vendors, have your agreements reviewed by knowledgeable counsel to ensure the arrangement addresses cybersecurity risks and liabilities, including when the vendor will notify you of any incident and how the vendor will secure your information.
2. Manage the devices accessing your systems
Perhaps the most important decision to be made is whether to allow your employees to use personal devices when accessing your network, systems and information. Personal devices present the greatest breach risk because they are not centrally managed and controlled with restrictions and security measures.
It is best practice to install mobile device management software on any device that accesses company email, systems, documents and the like. At a minimum, that software should allow the employer to remotely terminate the employee’s access to the employer’s systems and to delete or wipe employer information from the device. If the employer will remotely wipe information or use mobile device management to monitor employee activity on devices, employees must be made aware that such software is being installed on their personal or company-provided laptop and of the corresponding consequences for misuse.
If the employer uses employer-owned mobile devices, advise employees that they should not save personal information, documents and photos on those devices because that information could be lost if their computer, phone, etc. is wiped upon termination, departure or a cybersecurity incident.
3. Require strong passwords and implement multifactor authentication
Employers should require employees to use complex passwords and change their passwords frequently. More importantly, multifactor authentication is best practice. Typically, this system requires an employee to enter a code generated on a separate device as a secondary step to logging in. Multifactor authentication helps guard against hackers guessing an employee’s password or using credentials harvested from a data breach to break into the employee’s account.
4. Update, test and train employees
Employers should send regular updates to employees regarding the latest cybersecurity risks and point out tips to identify scams. Training employees on good cybersecurity hygiene, how to identify phishing emails, and what to do if they have questions or concerns can go a long way to prevent employees from responding to or clicking on links that threaten your operations. Finally, businesses should test their employees, particularly those working remotely, by sending mock phishing emails to see if employees are able to identify and properly address the scams. Most importantly, employees should be told who to call and what to do if they suspect an incident has occurred.
5. Monitor employee access and activity
If possible, use software that alerts the business if an employee is downloading large amounts of company data or other sensitive information. Such activity, including sending this information to a personal email account, may signal an employee is preparing to end their employment and compete with the business, or that an attacker has gained access to the employee’s account.
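As an added illustration of the two signals described above (not code from the original article), the following script runs over a few constructed audit-log lines and flags any user whose download volume within a one-hour window exceeds a threshold, and any mail sent to an address outside the corporate domain. The log format, the `example.com` domain and the 500 MB threshold are assumptions for this example.

```python
# Detection over constructed audit-log lines (format assumed for this example).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, action, detail
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice download 1500000 q1-report.xlsx
2024-03-01T09:05:00 alice download 900000000 customer-list.csv
2024-03-01T09:06:00 alice download 850000000 pricing-db.bak
2024-03-01T09:10:00 bob download 20000000 slides.pptx
2024-03-01T09:12:00 alice email bob@example.com
2024-03-01T09:15:00 alice email alice.home@gmail.com
2024-03-01T11:30:00 bob email partner@vendor.example
"""

CORPORATE_DOMAIN = "example.com"  # assumed corporate mail domain
DOWNLOAD_LIMIT = 500_000_000      # assumed threshold: bytes per window
WINDOW = timedelta(hours=1)

def parse(log):
    """Turn each log line into (timestamp, user, action, detail)."""
    events = []
    for line in log.splitlines():
        ts, user, action, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, detail))
    return events

def flag_bulk_downloads(events, limit=DOWNLOAD_LIMIT, window=WINDOW):
    """Return {user: peak bytes in any sliding window} for users over limit."""
    per_user = defaultdict(list)
    for ts, user, action, detail in events:
        if action == "download":
            per_user[user].append((ts, int(detail.split()[0])))
    flagged = {}
    for user, downloads in per_user.items():
        downloads.sort()
        start, total = 0, 0
        for ts, size in downloads:
            total += size
            while ts - downloads[start][0] > window:  # drop events outside window
                total -= downloads[start][1]
                start += 1
            if total > limit:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged

def flag_external_mail(events, corp=CORPORATE_DOMAIN):
    """Return (user, recipient) pairs for mail sent outside the corporate domain."""
    return [(u, d) for _, u, a, d in events
            if a == "email" and not d.lower().endswith("@" + corp)]
```

Alerts like these need a human in the loop: a single large download may be legitimate, so the alert is a prompt to ask, not proof of misconduct.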
6. Promptly terminate access
If an employee is terminated, departs, loses a device or has been targeted by a cyberattack, it is imperative that the business immediately terminate the employee’s access to the business’ systems. The employer should have a written procedure or policy to address cybersecurity in employee off-boarding.
7. Develop and maintain an incident response plan
Businesses should develop and maintain an incident response plan that is communicated to the business to address how it will respond when faced with a cyberattack. Minimally, the plan should address preparation, detection, containment, eradication and recovery, and post-incident review. The incident response plan should also include contact information for outside resources that will assist the business in responding to an incident, including forensic providers and outside counsel.
8. Implement a telecommuting/telework policy
Implement a telecommuting/telework policy that, at a minimum, includes the following provisions to help enforce and support best practices that protect the business from cyberattacks directed at remote employees:
- Reference and incorporate the employer’s information technology and cybersecurity policies
- Detail password, firewall, antivirus software, router encryption and other security requirements
- Make clear that third parties and members of the employee’s household cannot use or access employer-provided devices for any reason and should not access personal devices that have access to employer resources
- Prohibit employees from using public or unsecured WiFi connections
- Prohibit employees from emailing company information to personal email accounts or personal cloud storage, or saving company information locally
- Provide employees contact information and directions on reporting lost, stolen or compromised devices and suspected cyber incidents
- Remind employees that they do not have an expectation of privacy when using devices that have access to company resources and any such device may be remotely wiped
9. Review restrictive covenant agreements
Now is also the time to review your restrictive covenant agreements to ensure they properly address employees who are taking confidential information home and to provide for the prompt return of information and equipment after the employment relationship ends.
For more information on this topic, or to learn how Godfrey & Kahn can help, contact a member of our Data Privacy & Cybersecurity Practice Group.