This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel.
Most businesses either shut down temporarily or sent all their employees home to telework by mid-March of this year. By the time you read this, Americans will have been working from home for more than three months. This has never happened before in this country during the age of technology. As millions of Americans logged on to their home networks and personal desktops, laptops, tablets and mobile phones in an attempt to keep their companies afloat, cybersecurity issues rose to the forefront of the many issues that companies had to manage. Many corporations, and law firms in particular, have already suffered breaches. Many are unaware that a breach has even occurred. American industry was not and is still not adequately prepared for this transition. The responsibility to keep corporate and client data safe is shared by the company and the employee.
The private sector could learn a great deal from the federal government about securely managing teleworking employees. The federal government has an extensive telework program run by each agency. The rigor of each program largely depends on how data is classified within that agency. Even with different protocols across agencies, the government overall knows how to securely manage thousands of teleworking employees. If we follow its lead, there are many steps for securing data that can be implemented quickly and inexpensively. Here are four categories of cyber strategies that can be implemented for large-scale teleworking with very little effort.
The Three A’s: Assets, Antivirus and Additional Protocols
Private sector businesses should learn to follow the federal government’s process for telework regarding assets and devices. Federal employees who telework are typically issued a federal asset or device, like a laptop or tablet instead of a desktop. The laptop is given an agency-specific image that includes antivirus software and an approved access portal like Citrix.
If your company or firm cannot issue a standard device to each employee, then require each employee to have an approved antivirus subscription. Your IT department or IT person can select an AV program that best interfaces with your network configurations. It is important to understand that having more than one type of AV program on any device can cause problems for the device. It is best to remove old AV applications from your laptop before you install a new AV program. The benefit of distributing company-owned devices is that the company can control the who, what and how of its employees touching the network. Additionally, the data on the device can be collected, even remotely, and preserved for human resources and litigation purposes.
Last, in the federal government, agencies rely on third-party threat intelligence feeds to determine which websites are dangerous. The lists allow websites to be blacklisted and whitelisted by an entity. In the private sector, companies can subscribe to commercial providers like FireEye, ThreatConnect, Flashpoint, CrowdStrike, etc., for feeds that monitor third-party threats. Anyone can research the best option and pricing for their entity. These steps are the responsibility of the company and can be relatively inexpensive to implement.
Reboot, Reboot and Reboot Some More
Employees need to be active partners in the protection of company and client data. Once employees are working from home, they should create a rebooting schedule for all their assets. Let’s start with Wi-Fi routers. Home Wi-Fi routers should be rebooted at least once a month if you connect work-related assets to your home Wi-Fi. Routine helps. It is recommended to turn the router off and then unplug it for five minutes. After five minutes, plug it back in and wait for the lights to come back on. Rebooting the router serves the same purpose as rebooting your laptop; it allows updates and clears out the garbage. It also serves the additional purpose of increasing your Internet speed.
Second, your laptop should, ideally, be shut down every day (not restarted). If you forget to completely shut down at least once daily, try to do it at the end of your workweek. Save and close all open documents and programs and shut down your computer. This allows Microsoft programs to run updates and to clear out any temporary files. Many updates are security patches. Maintaining updated security patches is a must if you want to protect your asset or device from ransomware.
Last, your mobile device should be powered off every night and allowed to fully reboot. Many employees conduct work on company distributed mobile devices as well as personal mobile devices. Emailing, texting and Web surfing are common activities on mobile devices. Rebooting a mobile device serves the same purpose as rebooting your laptop: updating applications and cleaning out temporary files, including harmful ones. Routine in this respect helps too.
Too Many Passwords
Federal agencies have multifactor authentication for many applications, and passwords expire at least every 90 days. You must have a PIV card, a username, a password and a PIN. It is difficult to keep up with all that, especially the passwords. However, it is important to know that every password you have ever had has been captured and put on the Dark Web. Every. Single. One. The only weapon in your arsenal against stolen passwords is to change them frequently. Government agencies require it and have hundreds of help desk employees who mostly reset passwords. If you do not believe this to be true, go to https://haveibeenpwned.com and enter any of your email addresses. It will instantly tell you how many times you have been “pwned” (from gamer-speak for being “owned” or dominated by another player). Then learn to change all your passwords, frequently.
If you like password managers, use one. There are several apps that will help you manage the myriad passwords that you must have. Use one for work-related passwords. Don’t use a password manager for non-work-related websites. Just click “change password” and select the recommended password. The recommended passwords are long and complex. Don’t write them down. Just change them again the next time you visit the site. Again, this works for anything that is not work related. It also keeps you from using a variation of the same password over and over again and getting pwned. If you can manage it, add facial recognition to your laptop. Utilizing the facial recognition feature of your laptop will help you get into your laptop and keep everyone, except your twin, out.
Zoom and Teams (but Primarily Zoom)
Zoom is a great tool to use to connect with your colleagues, clients, friends and family members. Zoom is what conference rooms used to be for millions of people. However, wherever people go, hackers go. There are thousands of fake Zoom sites that are presumably created to capture Zoom IDs and passwords. Fake Zoom links are used for phishing. Zoom bombing (joining a meeting uninvited) is used to steal confidential information and/or trade secrets and harass legitimate attendees. The following tips will help you have a secure Zoom experience.
- Instead of using your unique Zoom ID for all meetings, allow Zoom to issue an ID for meetings where confidential information will be shared. When the meeting is over, the ID alone will have no value.
- Use a password. If the meeting has a unique ID and a password, it will be nearly impossible for Zoom bombing to occur.
- If you are the host of the meeting, use the Zoom waiting room. The Zoom waiting room requires attendees to be admitted one at a time by the host. This is time-consuming for large meetings, but if knowing who is attending your meeting is important to you, the Zoom waiting room is the equivalent of roll call.
- Do not share your Zoom ID with anyone you don’t trust, including family members. Untrustworthy people have family too. If hackers have your personal Zoom ID, it is just a matter of time before your password can be cracked.
- Upgrade to a paid account. The paid Zoom account has end-to-end encryption, encryption at rest and encryption in motion. What does that mean? It means that without the Zoom ID, the password and admission from the waiting room, there is no way to decrypt the conversations within the Zoom meeting.
Please, use all five of these safeguards for work-related meetings. In fact, use these safeguards for all Zoom meetings. These precautions are important, easy to implement and all but one are free.
Why not just use Microsoft Teams? Microsoft Teams is another great tool for audiovisual conferencing, and the security and safety of Teams is great. However, not even half of all federal agencies have Teams capabilities. Using audiovisual conferencing tools was not the norm for federal employees. Until the COVID-19 pandemic of 2020, most federal employees attended meetings in person or via conference call. Therefore, these Zoom tips are for federal agencies too.
The above tips are the least burdensome and least expensive protocols that any individual or organization can put in place to keep company and client data safe while teleworking. These are mostly procedural steps that can make it more difficult for ransomware attackers to breach your organization. Trying to get past multifactor authentication takes a great deal of effort, and if you reboot and change your password frequently enough, hackers just move on to the low-hanging fruit. Do not be the low-hanging fruit.
Kenya Parrish-Dixon, Esq., is a leading expert in e-discovery, information governance and records and information management with a cybersecurity focus. She is general counsel for the cybersecurity startup Empire Technologies Risk Management Group and can be reached at Kenya.firstname.lastname@example.org.