Michael Lambert and James P. Harris [1]
In the last year and a half, many businesses have significantly
increased the number of telecommuters to implement social
distancing in response to the COVID-19 outbreak. Increasing outside
access to the company’s network and dispersing access to
company data to more remote workers increases legal risk that must
be managed. Data privacy and security laws remain in effect through
the Coronavirus pandemic, and even if those laws are relaxed,
financial pressures mandate vigilance through this period of
unrest. In addition, the holiday season poses increased risk for
companies whether or not the office has returned to full-time,
in-person work. There are steps that companies can take to
mitigate the risks that the upcoming holidays pose.
If businesses have not already done so, they should draft and
implement written telecommuting policies that make employees
responsible for ensuring a safe work environment at home, and alert
employees to the need for increased vigilance in upholding
telecommuting procedures during the upcoming holiday season. The
written telecommuting policy should address these cybersecurity
concerns:
1. Provide specific instruction as to the manner in which
employees may access company systems from outside. If the
company provides a secure VPN connection, for example, employees
should be required to use it and no other. Companies need to limit
the “rogue IT” (often called “shadow IT”) phenomenon, in which
employees “find their own solution,” such as forwarding work
e-mail to a personal account or using an unapproved file-sharing
service.
2. Require employees to address the security of their home
networks. If employees must use personal computers or networks to
work remotely, the companies’ IT staff should provide instruction
to ensure the security of the home networks is as solid as it can
be. Employees may need to be guided through updating and patching
their computers, routers and firewalls, and through setting strong
passwords on home routers in place of the vendor defaults.
Employees’ personal security hygiene affects the chances that their
hardware will be used by hackers to reach employers’ data. As a
remote offshoot of the companies’ systems, the home networks need
to be secured as well.
3. Bolster password management. Companies should disallow the use
of the same password for personal accounts as is used to access the
companies’ systems, and should require a password change whenever a
password may have been exposed. Many companies also mandate
periodic rotation; note, however, that current NIST guidance (SP
800-63B) recommends against forced rotation on a fixed schedule
unless there is evidence of compromise, because it pushes users
toward predictable variations of the old password. If possible,
companies should require multifactor authentication as another
layer of security before employees can access the companies’
systems. If it has not already, this will become the “standard of
care” or expected minimum for most companies.
4. Prohibit employees from saving any company data locally, on
their home computers. The more repositories of data there are, the
more places that need to be protected and the more places hackers
can find sensitive data. Saving locally might also contradict data
privacy rules and regulations and contractual promises made by the
employer to third parties (including the employer’s insurer, which
could jeopardize available cyber insurance).
5. Dictate sanctioned resources. Companies should create and
maintain a list of applications that are approved and disallow the
use of any other resources. The fewer applications that need to be
patched and updated, the better. Third-party apps are an additional
exposure if their vendors do not treat security seriously. Beyond
that, limiting the number of applications eases the burden on the
IT department.
6. Instruct employees that if they suspect an intrusion or
security incident, even one to their home systems, they must report
it to the company immediately. Employees’ home networks can be
the doorway for hackers to compromise their employers’ systems.
It is vital that employees report suspicious activity on their home
networks so that their employers can investigate whether there has
been an intrusion to the companies’ systems.
In addition to the above steps, companies need to be more
vigilant about phishing scams. Hackers are using COVID-19 as a
lure to deliver malicious links to employees who are trying to
get up-to-date information. Employees must be reminded and trained
to refrain from clicking on links from unknown sources, and to
treat unexpected links and attachments with suspicion even when the
sender appears to be someone they know, since a compromised account
is a common source of such messages.
IT departments must also remain disciplined about the
companies’ patches and updates. If companies employ a
third-party managed services provider, it would be wise to call the
provider to ensure they have the manpower necessary to handle all
of their clients’ challenges, monitor for intrusions, keep
systems up-to-date, and otherwise comply with their obligations. If
there is any uncertainty as to whether the provider can keep up,
companies should become the squeaky wheel to ensure resources are
reallocated and/or take back more control over their own
systems.
Companies need to make sure they remain compliant with
applicable data privacy laws and rules and, most importantly, honor
any representations made as to the security measures they employ.
For example, if a privacy policy on a website tells the public that
company data is encrypted and remains on company servers, the
company cannot deviate from the standard it has set for itself by
allowing remote workers to possess company data that is not
encrypted. If companies have made contractual promises to their
customers or partners regarding the measures taken to safeguard
data, the companies must be sure their remote workforce continues
to adhere to those promises.
Companies need to ensure that their current configuration, with
remote workers, is consistent with representations made when the
company applied for cyber insurance. During the application and
underwriting process, the company undoubtedly completed a
questionnaire that included questions about security measures in
place. If the remote workforce arrangement contradicts the
representations made in the insurance application, it is possible
the insurer will later decline coverage for an incident.
The interplay between IT and legal is complicated enough, and it
is even more so when scores of employees work from home. Vigilance
is the best medicine, at least when it comes to data security and
managing the legal risks.
As the holiday season approaches, a remote workforce calls for
increased vigilance in following the policies above and the
procedures below. The FBI and CISA (the Cybersecurity and
Infrastructure Security Agency) have observed an increase in
impactful ransomware attacks on holidays and weekends, when offices
are normally closed. Based on recent tactics, techniques, and
procedures used by threat actors during holidays and weekends, the
FBI and CISA, in their joint advisory AA21-243A (“Ransomware
Awareness for Holidays and Weekends”), have recommended the
following procedures to increase vigilance in implementing and
conforming to company cybersecurity procedures against ransomware
attacks.
1. The FBI and CISA suggest organizations engage in preemptive
threat hunting on their networks. Threat actors are often present
on a company’s network well before they encrypt systems and the
victim learns of the ransomware attack. Threat hunting therefore
involves understanding the company’s IT environment by developing
a baseline through a behavior-based analytics approach, evaluating
data logs, and installing automated alerting systems.
- Behavior-based analytics approach: By implementing this
approach, companies can compare their usual online activity with
suspected threat actor activity. This makes suspicious activity
easier to spot and can allow the company to stop a threat actor
before a ransom is demanded. Differences from normal log-in hours,
normal log-in locations, and normal server traffic patterns can
help detect anomalies caused by threat actors.
- Evaluating data logs: When evaluating company data logs for
anomalous activities, companies should look for: 1) numerous failed
file modifications, 2) increased CPU and disk activity, 3)
inability to access certain files, and 4) unusual network
communications.
- Automated alerting system installation: These systems include
intrusion detection systems, endpoint detection and response, and
honeytokens.
- Overall indicators to look for to catch suspicious activity
performed by threat actors:
  - Unusual network traffic
  - Theft of login and email passwords
  - Increase in database read volume
  - Irregularities in login times and locations
  - Attempted user activity at suspicious times such as during
holidays
  - Deviations from the company’s baseline network activity
2. Make an offline backup of your data. Encrypted offline
backups of company data can mitigate the damage done by ransomware
and can remove the need to pay a ransom. Backups should be taken on
a regular schedule, kept disconnected from the network so the
ransomware cannot reach them, and restore-tested periodically,
since an untested backup may turn out to be unusable when it is
needed.
3. Once again, avoid clicking on suspicious links. It is better
to be safe than sorry when it comes to ransomware phishing links.
Update employees on the latest trends in phishing scam activity. In
addition, alert clients to the need for extra vigilance over the
holiday season regarding phishing links as threat actors are aware
of increased distractions over the holiday season.
4. Secure and monitor RDP or other risky services. Companies
should monitor remote access/RDP logs, enforce account lockouts
after a specified number of failed login attempts, record those
attempts, and disable unused remote access/RDP ports. Where RDP is
needed, it should be reachable only through the VPN or a gateway
rather than exposed directly to the internet. In addition,
companies should review the security procedures and postures of
their third-party vendors, ensuring all of their connections are
sufficiently monitored for threat actors.
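An added example, not from the article or the advisory, of what the RDP monitoring in item 4 looks like in practice. The script replays constructed records modelled on Windows Security events (4625 = failed logon, 4624 = successful logon) and applies an assumed lockout policy of five failures within fifteen minutes, reporting the moment an account should have been locked and any success that follows a burst of failures on the same account, which is how a guessed RDP password appears in the log. The event format, the account names, the addresses and the policy values are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample resembling Windows Security log entries for RDP logons
# (not taken from the article). Event ID 4625 = failed logon, 4624 =
# successful logon; real events also carry Logon Type 10 for RDP sessions.
# Format per line: "<ISO timestamp> <EventID> <account> <source IP>"
RDP_LOGS = """\
2021-12-25T01:00:05 4625 administrator 192.0.2.99
2021-12-25T01:00:09 4625 administrator 192.0.2.99
2021-12-25T01:00:14 4625 administrator 192.0.2.99
2021-12-25T01:00:20 4625 administrator 192.0.2.99
2021-12-25T01:00:27 4625 administrator 192.0.2.99
2021-12-25T01:00:33 4625 administrator 192.0.2.99
2021-12-25T01:00:41 4624 administrator 192.0.2.99
2021-12-25T09:15:00 4625 carol 198.51.100.20
2021-12-25T09:15:30 4624 carol 198.51.100.20
"""

# Assumed policy: lock an account after 5 failures within 15 minutes.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=15)


def parse_events(text):
    """Parse log lines into (timestamp, event_id, account, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), event_id, account, ip))
    return events


def analyze(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Replay logon events in order and return (lockouts, alerts).

    lockouts: (timestamp, account, source IP) at the moment an account
              reaches `threshold` failures inside `window` and should lock.
    alerts:   a successful logon while the account still has a failure
              burst inside the window, i.e. a likely guessed password.
    """
    failures = defaultdict(deque)  # account -> timestamps of recent failures
    lockouts, alerts = [], []
    for ts, event_id, account, ip in events:
        recent = failures[account]
        while recent and ts - recent[0] > window:  # expire old failures
            recent.popleft()
        if event_id == "4625":
            recent.append(ts)
            if len(recent) == threshold:  # fire once when the threshold is hit
                lockouts.append((ts.isoformat(), account, ip))
        elif event_id == "4624" and len(recent) >= threshold:
            alerts.append((ts.isoformat(), account, ip,
                           f"success after {len(recent)} failures"))
    return lockouts, alerts


if __name__ == "__main__":
    lockouts, alerts = analyze(parse_events(RDP_LOGS))
    for item in lockouts:
        print("LOCKOUT", *item)
    for item in alerts:
        print("ALERT", *item)
```

On the sample, the administrator account hits the threshold at 01:00:27 on Christmas morning, yet a sixth failure and then a success follow from the same address. That sequence is the signature of a lockout policy that exists on paper but is not enforced on the host: the detection fires, but it is the account policy that should have stopped the seventh attempt. carol’s single mistyped password followed by a success stays below the threshold and produces nothing, which is the behaviour you want so that analysts are not flooded over the holiday.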
5. Update your software and scan for vulnerabilities. Upgrade
software that is no longer supported by vendors to currently
supported versions. Regularly patch and update out-of-date software
so that the latest available security fixes are in place. Companies
should prioritize timely patching of internet-facing servers as
well as software that processes internet data, such as web
browsers, browser plugins, and document readers, and should look
for vulnerabilities in those servers and that software. In
addition, enable automatic updates for antivirus software and
conduct regular malware scans. Lastly, conduct regular
vulnerability scanning to identify and address vulnerabilities in
internet-facing servers and devices.
6. Re-emphasize the need for strong passwords and multifactor
authentication.
7. Implement segmentation, filter traffic, and scan ports.
Network segmentation should have multiple layers where critical
communications occur within the most secure layer. In addition,
when filtering network traffic, prohibit ingress and egress
communications with known malicious IP addresses.
8. Remote employees need to secure their home networks. These
employees should use separate devices for separate activities and
should not mix home and work content on the same device.
9. Regularly audit administrative user accounts and configure
access controls under the principles of least privilege and
separation of duties.
10. Create a comprehensive incident response plan that includes
procedures for notifying the company of a ransomware incident and a
backup plan for the company to continue functioning if critical
systems are inaccessible for a period of time.
11. Follow the Ransomware Response Checklist on page 11 of the
CISA-MS-ISAC Joint Ransomware Guide. https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
Footnote
1. Thank you to Jacob Sacher, an intern from
Northeastern School of Law, for assisting with this
article.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Don’t Forget About Cybersecurity With Increased Telecommuting And The Holiday Season