COVID-19 has been dominating the news, and with good reason. While the situation is certainly “fluid,” it is likely that many organizations will continue to ask their employees to work remotely — at least periodically — for some time. It is important to remember that doing so is not without risks. As most organizations have information to protect, now is the time to consider the potential “cyber” risks of remote working, and remedial actions that can be taken to mitigate these risks. The fact is that home office environments are not as secure as work environments. Unfortunately, hackers are well aware of these vulnerabilities, and “phishing” and other schemes aimed to compromise personally identifiable information has been on the rise over the past couple months.
This is a good time to audit the protocols your organization recently implemented and ensure that your colleagues recognize and alleviate risks when they are routinely working from home. Below are some typical risks, with strategies to minimize those risks.
- Unsecured WIFI networks: Home networks (and use of public networks) may be vulnerable to malware or ransomware attacks through their wireless router – Secure home WIFI networks with a robust password and, when possible, avoid use of public networks.
- Working on unsecured personal devices: Home computers may lack critical security patch management – Employees should only conduct work on their employer-issued computers. Where this is not possible personal laptops should not be allowed to leave the home.
- Transferring corporate data using personal email accounts: Employees may send sensitive information to their personal email accounts; non-enterprise email accounts usually lack the protections that commercial accounts often have – Advise employees against sending sensitive company data to their personal email accounts, and to permanently delete any corporate data remaining on their email accounts after they return to their normal working arrangement.
- “Hard-Copy” document management and destruction: Employees may take hard-copy sensitive or confidential materials off-site that they would not otherwise – Advise as to proper destruction and to avoid disposing of documents at home or in a public place without proper cross-cut shredding.
- Unsecured connections to organizational systems: Absent a secure virtual private network (VPN), employees may attempt to connect to your systems in an insecure manner – Investigate the viability of configuring a VPN for employees accessing your systems.
- Syncing with personal cloud storage accounts: Employees working remotely may use a personal cloud service account to transfer documents or data to and from office that may be less secure – Monitor use and consider creating a list of recommended providers.
- Key vendor relationships: Most organizations rely on third-party vendors to support both internal and external mission-critical services. These services could be impacted should these companies also ask their employees to work from home – Proactively reach out to these vendors to inquire as to their plans to continue to support your organization and to keep your data safe (as summarized above); also review the contracts in place to be aware of your rights and remedies.
It is important to remember that although COVID-19 has posed challenges in regard to good cyber practices, privacy laws, regulations and expectations still apply.
For example, the New York State’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), went into effect on March 21 of this year. This new law applies to any for profit or nonprofit organization that receives or collects private information about New York residents. Simply put, if your organization has a website, it’s likely you need to comply with the provisions of the SHIELD Act (and there are substantial fines for noncompliance). Among the many obligations, the SHIELD Act expects organizations to 1) implement reasonable [administrative, physical and technical] safeguards to protect the security, confidentiality and integrity” of data, and 2) properly vet all third-party service providers and include specific provisions related to cyber-security practices, and 3) designate a “point person” to coordinate your data security program. Many organizations would have fallen short of these requirements prior to COVID-19 — many more will fall short today as employees continue their work from home. While meeting these requirements may seem daunting, they are more easily achieved than one might initially think. I routinely help organizations to achieve compliance with the SHIELD Act and other similar regulations and best practices, and in doing so these organizations become better “stewards” of the personal information they collect on behalf of their employees and donors.
Jon Dartley is an attorney with in-depth knowledge of the laws of data privacy regulation. You may reach him at firstname.lastname@example.org.