Editor’s note: Sarah Hutchins and Steve Britt are attorneys at Parker Poe.
RALEIGH – Remote work exploded because of the coronavirus pandemic, and most companies continue using at least some amount of it as they navigate returning to the office. Amid this climate, there are important steps companies can take now to shield their data from increased threats and in advance of a potential second wave of shutdowns, including retraining on best practices and updating response plans based on lessons learned so far.
Cybersecurity professionals have noticed an uptick in phishing attacks, including emails offering essential COVID-19 information and demands for “emergency” access to sensitive data. Companies should be providing regular reminders on how to spot a scam and, if possible, conducting their own phishing tests with their employees. Now is the time for internal testing and training to prevent data loss from a phishing scheme.
- Update and Secure Devices and Systems
Companies should also examine and potentially update all of their systems, programs and devices, including the use of devices that are not company-issued. If a device accesses the company’s system, it needs to stay up to date on security patches and other upgrades. Among other things, a network scan to detect “shadow IT,” decommissioned printers and unpatched software may be a cost-effective check on devices touching your systems. In certain instances, it may even make sense to issue company devices and applications that provide more control in pushing updates. Further, remind employees to keep their home networks and routers current too, as well as any smart devices that connect to their home Wi-Fi. The goal is to avoid any weak links in the chain.
Additional security steps include using two-factor authentication, encryption for emails, and secure file sharing through certain software programs. With especially important or sensitive information, another best practice is to limit the number of employees who have access and to be able to track who accessed it and when. It is also critical to have a strong backup system in a different server environment.
Finally, companies should consider the risks of files and information, be they electronic or otherwise, traveling to employees’ remote work environments, and implement safeguards to protect the integrity and confidentiality of the information.
- Review Policies and Plans
Companies are increasingly using biometrics in employee timekeeping and monitoring as well. The use of fingerprints, facial recognition and iris scans in new HR software platforms or other access controls is creating new risks for employers, and a series of new laws in Illinois, Texas and Washington are strictly regulating the use of this new technology. Other laws are on the horizon, including the addition of biometrics to data breach statutes. If considering the use of these kinds of technologies, it can be valuable to consult with an attorney first.
Across the board, these changes may require an update to cyber insurance policies. If a company does not have cyber insurance, it is a cost-effective investment in the current environment.
In addition, it is essential for companies to have a breach response plan in place, as well as to communicate it clearly to employees so they know whom to contact if something goes wrong. That plan also may be due for updating based on lessons learned from the massive trial run of remote work.
The tips above are a few concrete ways companies can better shield themselves amid a mix of remote and in-office work. Partnering with attorneys to review best practices for a company’s specific industry can also be valuable – companies will likely be judged on their compliance with those practices in the event of a data breach. Considering the full slate of industry-specific best practices can add value in other ways too, as the process of working through them can help uncover blind spots.
(C) Parker Poe