COVID-19 BUSINESS RESOURCES (SPONSORED)
Evolving developments and news surrounding COVID-19 (the “coronavirus”) has prompted immediate action from employers and businesses worldwide. While many businesses have been forced to temporarily shut down, the ones that remain operational have been forced to adjust to working remotely and adopt other protocols to ensure the health and safety of their employees and customers. As employers face the challenge of balancing business with growing health concerns related to the coronavirus, they face additional challenges as their cybersecurity protocols will be tested like never before.
Cybercriminals love a good crisis and uncertainty to manipulate and exploit individuals through cyber-threats, and they also use newly-implemented technologies to try to penetrate a business’s systems. As businesses implement safety strategies in response to the coronavirus pandemic, they must prioritize data protection and cybersecurity concerns to limit their exposure and legal liability.
Increased Risks from Remote Access
Remote access relies on the exchange and transmission of information and data, typically over the Internet. While teleworking, employees may be handling, accessing, discussing, or transmitting sensitive information, including company trade secrets, customer personal information, or confidential financial data.
Since this pandemic started, there has been a palpable uptick in business email and other interruptions, including where Office 365 or Gmail accounts were hacked through phishing scams. One particularly effective scam has been when the hacker sends a fraudulent invoice purporting to be from a legitimate worker with changed wiring instructions where the money transferred goes to the hacker’s account. Another issue is an employee’s remote access in a public setting, such as a coffee shop, can expose sensitive information through eavesdropping, networking hacking, and other forms of unauthorized access.
Smart speakers, virtual assistants, and smartphones also pose a significant risk to the unaware teleworker. Cybercriminals can use nearly silent ultrasound waves to trigger these smart devices to prompt users for their user credentials and passwords.
The leading cause of cyber-attacks worldwide is phishing attacks. Phishing is the use of electronic communications, including phone calls, text messages, and even social media tools, to disguise fraudulent communications as legitimate messages from trusted sources. Through these attacks, hackers seek to acquire sensitive information and often will contain malware-infected attachments or a link that, if opened, will install malicious software on the device and surrender sensitive information. Cyber-attackers attempt to manipulate employees and customers to carry out specific tasks, such as opening the malware-infected attachment or link. For example, the U.S. Department of Homeland Security reports that to gain access to valuable corporate information, cybercriminals are sending phishing emails posing to be trusted health organizations including malware-infected attachments purporting to contain important information regarding the coronavirus.
The Internet is inundated with phishing schemes that are piggybacking off the COVID-19 pandemic. In February 2020, cybercriminals released a website purporting to be a distribution map of the coronavirus outbreak. The malicious online map hosted a convincing impersonation of the legitimate map operated by the John Hopkins Center and offered what appeared to be a tally of the confirmed cases and deaths related to the virus outbreak. However, unbeknownst to users that navigated to this site, malicious password-stealing software was being installed on their computers and mobile devices.
Another COVID-19 related phishing attack mimicked an official email correspondence from the World Health Organization (WHO). The email, which carried the WHO logo, contained a link to a document purporting to contain information regarding preventing the spread of the virus. Instead, the link redirected victims to a malicious website, which attempted to harvest sensitive credentials, including passwords and usernames.
Through these deceiving mechanisms, cybercriminals are actively taking advantage of employees and customers as they attempt to navigate the confusion and barriers resulting from the coronavirus pandemic. As a result, businesses are at increased risk of losing valuable intellectual property, sensitive data, and financial information.
As employers and businesses implement safety and health measures to combat the spread of coronavirus, corporate leadership should consider the following additional corporation actions and best practices:
- Consult with an information security professional or service provider to ensure your organization is properly equipped with the proper technology (e.g. firewalls) and safeguards to reduce the risk of cybersecurity breaches.
- Establish a Telework Security Policy that defines which permissible forms of remote access, which types of telework devices are permitted to use each form of remote access, and the type and amount of access each type of teleworker is granted, and identify and specify particular information and documents that require the utmost care in its handling.
- Specify in writing what employees can and cannot do in the handling of sensitive/protected information.
- Require any PI and PHI be encrypted before being transmitted.
- Ask employees to specify which devices they will use for work and provide encryption services with a company certified security software.
- Equip employee devices with remote access capability, security software, and the latest manufacturer software updates.
- Ask employees to password-protect their personal networks with WPA2 encryption.
- Equip employee issued remote access devices with access controls that limit employee access to minimum services and functions, including disabling employee’s use of administrative privileges use of external thumb drives, hard drives, and third-party cloud services
- Require employees to return sensitive files and paper documents to the office or corporate infrastructure, especially financial and healthcare-related documents
- Require multifactor, two-step authentication for employee remote access.
- Require employees to periodically change their username and password credentials.
- Require employees to use an encrypted virtual private network (VPN) for remote access.
- Include warning labels on incoming messages and emails that originate from outside of the corporate infrastructure.
- Advise teleworkers to refrain from using a speakerphone or conducting work-related conversations in the presence of smart speakers or home surveillance.
- Opt-out of cookies each time when using video-conference apps/functions.
Sara H. Jodka CIPP-US / Member at Dickinson Wright who focuses on data privacy and cyber security issues. Caleb Green is an associate in the Dickinson Wright who has experience in trademark prosecution, intellectual property litigation and enforcement, deportation defense, employment immigration, government affairs, and business matters. Visit dickinson-wright.com to learn how Dickinson Wright can help you.