December 17, 2021

How to Protect Your Remote Workforce from New Cybersecurity Threats

Important policies to implement in a hybrid workplace.

By Jason R. Scheiderer
Many businesses are learning about, and addressing, security threats posed by their “at home” workforces.


Before March 2020, only 20 percent of American workers said they worked from home all or most of the time. Now 71 percent are working from home all or most of the time. Among those working from home, 64 percent reported that their office is currently closed or unavailable. Importantly, 54 percent say that, given a choice, they would like to keep working from home, even after their offices reopen. The transition to working from home was swift, but both employers and employees generally report that it went “better than expected” and that overall productivity has remained intact.

But what about cybersecurity? Companies rushed to provide workers with the basic necessities of their positions. But recently many businesses are learning about, and addressing, security threats posed by their “at home” workforces.

This article considers the new threats and practices to help mitigate evolving risk.

The “Old” Threats

Cyberattacks against businesses began well before the COVID-19 pandemic. Businesses have long faced risks like data loss, data theft, and misappropriation of trade secrets. And businesses understand the tremendous impact a data incident can have on a company’s operations, legal spend, customer goodwill, and brand. Unfortunately, cyberattacks have only increased—in both frequency and sophistication—since the start of the pandemic. KuppingerCole reports that there has been a 238 percent increase in global cyberattack volume during the pandemic.

According to a recent survey by IBM, worldwide the average cyberattack costs a business $4.2 million. In the United States, the numbers are much worse, with the average cost of a data breach being $9.05 million. Cost and impact to the business are driven by a number of factors, but one of the most important is how quickly the company discovers the attack and takes action against it.

One of the biggest changes in the move to remote working has been a delay in businesses’ response to possible security breaches. According to recent survey information, U.S. businesses needed an average of 287 days to identify and contain a data breach, which was 7 days longer than in 2019. But companies that had less than 50 percent of their employees working from home averaged 189 days to identify a breach and 69 days to contain, or 258 days total; whereas businesses with more than 50 percent of their workforce working remotely averaged 235 days to identify and 81 days to contain, or 316 days total. With employees scattered remotely, businesses have a harder time identifying and containing data incidents. At least according to IBM’s study, heavily remote workforces may lengthen a company’s containment time by 22 percent.

The New "Hybrid" Workplace

Now that so many people are working from home (or somewhere other than their company’s offices), what are the new or increased risks? As with most cybersecurity, the weakest link is usually people. Recent surveys found that

  • 70 percent of remote workers admit to using their work devices for personal tasks.
  • 69 percent use personal laptops or printers for work.
  • 30 percent of remote workers have let someone else (often a child or spouse) use their work devices.

People working at home are more likely to intermingle work and personal devices and tasks. Worse, while working at home, employees are accessing more company data, more often: 71 percent of those surveyed said they are accessing more company data, more frequently, than when they worked in the office. And when employees at home want to move some of these data, they often develop “work-arounds” to avoid company policies for their own convenience or the convenience of their coworkers (e.g., sending files through personal email accounts or saving company data on a local hard drive).

Home “offices” can also vary widely in their technological and physical security. Employees, without direct help from information technology (IT) professionals, may not know how to secure their personal Wi-Fi networks. And we have observed that “working from home” often means working from a coffee shop, a store, or a beach. Employees are likely to use convenient—and therefore vulnerable—Wi-Fi networks when they are working remotely outside their homes. And, of course, any time an employee is moving his or her work computer or phone from place to place, there is an increased possibility of loss or theft.

In addition, modern homes may contain a variety of connected devices (the internet of things, or IoT), which may be listening to confidential conversations and meetings. We have seen an increasing number of lawsuits growing out of breaches of data stored by nontraditional devices (e.g., Fitbit, Alexa, thermostats). With such devices now possibly recording and storing company data (in addition to the employee’s personal data), the risk to businesses increases. Finally, to the extent employees are generating or receiving paper, employees may not be securing or shredding hard copies of company data when disposing of paper.

Beyond the many technological vulnerabilities, when employees are at home, they have less opportunity to check in with a coworker or IT professional before engaging in a risky behavior. Phishing schemes are on the rise. How many new workers has your company added since March 2020? How many of them have you met in person? Hackers are trying to take advantage of this reality by posing as new workers or vendors seeking an “introduction” to other employees. Lonely employees at home may be more willing to “meet” a new coworker. And skeptical employees, without a nearby coworker to consult, may click on an attachment they otherwise would not have clicked on.

When at-home employees make a mistake, they appear to be slower to inform the company. Maybe they think they can “fix” the problem by themselves. Even when an employee does take action, it likely will take longer for the concern to reach the appropriate people at the company. And it will certainly take longer for the IT professionals to identify and isolate an infiltration that occurred through a network or device at someone’s home. But perhaps the most difficult situation is when an employee action triggers a ransomware attack. The employee’s machine might be frozen, unusable by the employee and unreachable by the company remotely. This gives the hacker significant time to steal company data.

Sufficiently uncomfortable about company security? Let’s discuss some ways that businesses can better protect themselves.

Policies and People to Reduce Risk

Technological tools are available. But it has been shown repeatedly that humans are the weakest link in a business’s cybersecurity plans. So, in addition to great technology, businesses should consider the following:

Review of Devices and Device Usage Policies

In the new hybrid workplace, companies need to consider what standards and expectations they are going to have for employees—in the office and at home.

  • Do existing policies adequately address the company’s current workplace?
    • If not, does the company need a new, separate “remote working” policy?
  • How often has network vulnerability been reviewed? How often are those risk assessments made or updated?
  • Has the company analyzed what devices are present on the network? And why?
    • Does the company want or need to support certain types of devices?
  • Do all employees need access to all systems and all data?
    • Particularly for at-home workers, consider limiting access to only those systems and data that are regularly and critically necessary to each employee’s work responsibilities.
  • Are employees allowed to use personal machines to access company data?
    • If not, how will employees be provided with company-owned machines?
  • Can employees use company-owned devices for personal matters?
    • If not, how will this rule be enforced?
  • If personal devices can be used (if the business knows or expects they will be used regardless of the policy), will software security be deployed on the devices?
  • And how often will the devices be checked or updated by the company?
  • Will employees’ devices—whether company owned or personally owned—be subject to company monitoring?
  • Consider whether home offices need to be physically examined for security and compliance with company policies (or, at a minimum, whether the company wants to reserve the right to do so).

Whatever the company decides on devices, it is vital that employees know (and be frequently reminded) about the company’s policies. Meaningful notice and training programs should be part of the plan.

Employee Training and Procedures

Most employees were trained for the ordinary, in-the-office workplace. New (or renewed) training may be required for at-home workers.

  • Are employees trained on security software? Are they trained on how to update and install necessary patches on their systems?
  • Do employees understand what data are most important to the company, what data are most vulnerable, or what data are most attractive to hackers?
  • Do employees have a set of procedures for vetting emails and file attachments?
  • Are employees well trained as to what they are to do when they suspect an infiltration or an attempted infiltration?
    • What are the built-in incentives (and disincentives) for an employee reporting a potential breach as soon as possible?
  • Do employees know how to disconnect a home device from the network?

Resilience and Continuity Measures

Most cybersecurity experts say that, for large companies, it is a question of when, not if, they will have some sort of security breach. Planning now and repeatedly for worst-case scenarios allows businesses to better mitigate the impact of a hack. Studies have confirmed that organizations that have formal incident response teams and that regularly test those teams spent, on average, $2.5 million less than organizations without regular testing of a formal incident response team.

When responding to a potential threat, speed and organization are critical. In the midst of handling a data breach is a bad time to figure out who needs to be informed at the company. And it is a particularly bad time to look for a new law firm. The following are some recommendations to improve a company’s response to what may be inevitable:

  • Has the company conducted exercises or tested hypotheticals for ransomware, data breach, and other cyber breaches?
    • Tabletop exercises have proven effective for locating vulnerabilities and missteps.
  • Are there (un-networked) backup servers for critical company data?
    • How easily and quickly could the company get back to work if data were held for ransom?
  • Is there an established, internal cybersecurity team with clearly defined roles?
    • People on the incident response team should know, in advance, what their respective tasks and priorities are.
  • Is there an established external cybersecurity team, also with clearly defined roles?
    • Does that team include insurance carriers, technology vendors, public relations firms, governmental relations firms, and—of course—law firms?
  • Does the company have cyber insurance? More importantly, is the insurance coverage consistent with the company’s current at-home workforce—and the devices they are actually using?

Summary

The new hybrid workplace is here to stay, at least in some portion. Employees and employers have adapted to “work from home.” Both have seen benefits to employees having the option of working from home.

However, this new workplace comes with cybersecurity vulnerabilities that should be investigated and then quickly addressed. Practices will vary significantly, as the businesses themselves vary. But employers need to be mindful of the cybersecurity risks and plan ahead to consider possible responses to those risks.

Jason R. Scheiderer is a commercial litigation partner at Dentons in Kansas City, Missouri.


Copyright © 2021, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).