The 2019 novel coronavirus (COVID-19) pandemic has increased employee teleworking and telecommuting. As a result, an increased amount of business is now conducted over the internet. This change brings significant risk to employers’ doorsteps.
In 2019, prior to the pandemic, the U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) averaged 1,300 complaints daily from individuals and businesses regarding internet-enabled crimes and scams. The FBI reported that businesses and individuals lost more than $3.5 billion through cybercrimes. According to the FBI, most complaints involved phishing and other scams, as well as extortion carried out through email. Individuals and businesses suffered the greatest losses through compromised business email, as well as scams in which individuals mimicked the account of a person or vendor known to the victim in order to gather personal or financial information, also known as “social engineering.”
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories warning that the threat of vishing (social engineering by phone call or voicemail), smishing (social engineering through SMS or iMessages), and phishing schemes targeting remote employees is even greater today.
Employers must take steps to create and follow policies to limit the risk posed by cybersecurity threats. The following are nine high-level considerations and steps that employers can take to reduce their risk of a cybersecurity breach.
Ensure Access to Dedicated and Skilled Information Technology Resources
Remote work requires dedicated and skilled information technology staff and vendors. For any vendors, have your agreements reviewed by knowledgeable counsel to ensure that the arrangement addresses cybersecurity risks and liabilities, including when the vendor will notify you of any incident and how the vendor will secure your information.
Manage the Devices Accessing Your System
Perhaps the most important decision for employers to make is whether to allow employees to use personal devices when accessing your network, systems, and information. Personal devices present the greatest breach risk because they are not centrally managed and controlled with restrictions and security measures.
It is best practice to install mobile device management software on any device that accesses company email, systems, documents, etc., that will, at a minimum, allow the employer (1) to remotely terminate the employee’s access to the employer’s systems and (2) to delete or wipe employer information from the device. If the employer will remotely wipe information or use mobile device management to monitor employee activity on devices, employees must be made aware not only that such software is being installed on their personal or company-provided laptop but also of the corresponding consequences for misuse.
If the employer provides employer-owned mobile devices for employees, advise employees that they should not save personal information, documents, and photos on those devices because that information could be lost if their computer, phone, etc., is wiped upon termination, departure, or a cybersecurity incident.
Require Strong Passwords and Implement Multifactor Authentication
Employers should require employees to use complex passwords and change their passwords frequently. More importantly, multifactor authentication is best practice. Typically, this system requires an employee to enter a code generated on a separate device as a secondary step to logging in. Multifactor authentication helps guard against hackers guessing an employee’s password or using credentials harvested from a data breach to break into the employee’s account.
Update, Test, and Train Employees
Employers should send regular updates to employees regarding the latest cybersecurity risks and point out tips to identify scams. Training employees on good cybersecurity hygiene, how to identify phishing emails, and what to do if they have questions or concerns can go a long way toward preventing employees from responding to or clicking on links that threaten your operations. Finally, businesses should test their employees, particularly those working remotely, by sending mock phishing emails to see if employees are able to identify and properly address the scams. Most importantly, employees should be told whom to call and what to do if they suspect that an incident has occurred.
Monitor Employee Access and Activity
If possible, use software that alerts the business if an employee is downloading large amounts of company data or other sensitive information. Such activity, including sending this information to a personal email account, may signal that an employee is preparing to end employment and compete with the business, or that an attacker has gained access to the employee’s account.
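A minimal version of the alerting described above, added here as an example that is not part of the article: it runs over a constructed audit log and flags a user whose daily download volume dwarfs their own prior baseline, plus outbound mail carrying a large attachment to a consumer mail domain. The log format and the list of personal mail domains are assumptions.

```python
from collections import defaultdict
from statistics import mean
# Assumption (not from the article): consumer mail domains treated as "personal".
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "icloud.com"}

# Constructed audit records: (date, user, event, bytes, recipient or None)
SAMPLE_LOG = [
    ("2021-03-01", "alice", "download", 40_000_000, None),
    ("2021-03-02", "alice", "download", 55_000_000, None),
    ("2021-03-03", "alice", "download", 35_000_000, None),
    ("2021-03-04", "alice", "download", 45_000_000, None),
    ("2021-03-05", "alice", "download", 900_000_000, None),  # bulk pull
    ("2021-03-05", "alice", "email", 120_000_000, "alice.home@gmail.com"),
    ("2021-03-01", "bob", "download", 10_000_000, None),
    ("2021-03-02", "bob", "download", 12_000_000, None),
    ("2021-03-03", "bob", "download", 11_000_000, None),
    ("2021-03-03", "bob", "email", 2_000_000, "vendor@partner.example"),
]

def bulk_download_alerts(log, factor=5.0, min_history_days=3):
    """Flag any day whose download volume is at least `factor` times the
    user's own average over prior days. A user with fewer than
    `min_history_days` of history is skipped so new hires are not flagged."""
    totals = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes
    for day, user, event, nbytes, _ in log:
        if event == "download":
            totals[user][day] += nbytes
    alerts = []
    for user, days in totals.items():
        ordered = sorted(days.items())
        for i, (day, total) in enumerate(ordered):
            history = [t for _, t in ordered[:i]]
            if len(history) < min_history_days:
                continue
            baseline = mean(history)
            if total >= factor * baseline:
                alerts.append((user, day, total, round(total / baseline, 1)))
    return alerts

def personal_email_alerts(log, min_bytes=1_000_000):
    """Flag outbound mail of at least `min_bytes` sent to a consumer mail domain."""
    alerts = []
    for day, user, event, nbytes, recipient in log:
        if event != "email" or recipient is None:
            continue
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_MAIL_DOMAINS and nbytes >= min_bytes:
            alerts.append((user, day, recipient, nbytes))
    return alerts
```

Both alert lists together point at the same user on the same day, which is the pattern the paragraph describes; in practice the thresholds would be tuned per role and the two signals correlated in the alerting tool.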
Promptly Terminate Access
Employers should have a written procedure or policy to address cybersecurity in employee offboarding. If an employee is terminated, departs, or loses a device or has been targeted by a cyberattack, it is imperative that the business immediately terminate the employee’s access to the business’s systems. Employers should also consider immediately imaging the employee’s computer to preserve evidence of any theft of confidential and proprietary information. At a minimum, employers should preserve the employee’s equipment and consult with legal counsel before wiping the devices.
Develop and Maintain an Incident-Response Plan
Employers should develop and maintain an incident-response plan, communicated throughout the business, that addresses how it will respond when faced with a cyberattack. Minimally, the plan should address preparation, detection, containment, eradication and recovery, and post-incident review. The incident-response plan should also include contact information for outside resources that will assist the business in responding to an incident, including forensic providers and outside counsel.
Implement a Telecommuting/Telework Policy
Implement a telecommuting/telework policy that, minimally, includes the following provisions to help enforce and support best practices that protect the business from cyberattacks directed at remote employees:
- Reference and incorporate the employer’s information technology and cybersecurity policies.
- Detail password, firewall, antivirus software, router encryption, and other security requirements.
- Make clear that third parties and members of the employee’s household cannot use or access employer-provided devices for any reason and should not access personal devices that have access to employer resources.
- Prohibit employees from using public or unsecured WiFi connections.
- Prohibit employees from emailing company information to personal email accounts or personal cloud-based storage, or saving company information locally.
- Provide employees contact information and directions on reporting lost, stolen, or compromised devices and suspected cyber incidents.
- Remind employees that they do not have an expectation of privacy when using devices that have access to company resources and that any such device may be remotely wiped.
Review Restrictive Covenant Agreements
Now is also the time to review your restrictive covenant agreements to ensure that they properly address employees who are taking confidential information home and to provide for the prompt return of information and equipment after the employment relationship ends.
Copyright © 2021, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).