Work-from-home (WFH) is here to stay. COVID-19 accelerated the transition to remote working and has left many firms struggling to manage the ripple effects of cybersecurity and compliance.
During times of chaos and change, cybercriminals capitalize on poor planning and uncertainty.
Attackers worldwide have stepped up their efforts, including targeting remote workers to gain an easy foothold in corporate systems, from which they deploy ransomware and steal client data.
In a recent Barracuda Networks study, 46% of businesses already had at least one cybersecurity incident within the first two months of shifting to remote work. Other reports show the number of data breaches skyrocketing by as much as 300% since COVID-19 and the surge in remote employees, with ransomware attacks up 90% alone. Many companies, including law firms, already have suffered data breaches.
At this crucial time, one successful cyberattack could deal a devastating financial and reputational blow to your firm, including liabilities and penalties for noncompliance with data breach laws. Unfortunately, it is not a matter of if but when a remote worker will inadvertently cause a cybersecurity incident. Employees will now have to play a much more active role in maintaining cybersecurity.
Now is the time to focus your firm’s efforts on a secure and compliant remote workforce plan.
WFH RISK FACTORS
Here are some of the most common ways employees can be a security risk working from home.
- Phishing emails: Remote workers tend to let their guard down in the comfort of their home. A fake email can trick the employee into clicking a malicious link or opening a malware-laden attachment, giving attackers control of the computer and, through it, access to your firm's network.
- Home office insecurity: Managing the security of employees who work from home is a monumental task. Home Wi-Fi networks are often poorly secured and shared with other computers and devices, and it is hard to keep work computers and documents out of reach of everyone else in the home.
- Inadequate security software: Some remote workers use their personal computer for work. Without adequate security software, regular checkups and oversight, such a computer is a gaping security hole.
- Shadow IT: Without easy access to expert technical support, employees may try to troubleshoot their own computer and network problems, or ask a friend or family member for help, creating security risks and potentially giving unauthorized people access to confidential data.
As employees are getting used to the new reality of working from home, firms are under pressure to make sure they can continue to work safely while maintaining compliance with federal, state and industry data security requirements. Here are a few best practices to consider:
Network Vulnerability Testing
Setting up remote employee access to your firm's systems can introduce a number of security risks. If you open remote access on your firewall or server, ensure it is configured properly so that attackers cannot exploit known vulnerabilities in remote access services such as Remote Desktop Protocol (RDP); RDP in particular should never be reachable directly from the internet, but only through the firm's VPN. Now is a good time to have your firewall or network server tested by a qualified third party to look for exposed remote access services and other known vulnerabilities.
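A quick first check a firm can run itself, before or between third-party tests, is an external port scan of its own public IP addresses for remote-access services. The script below is an added example, not code from the article or from INVISUS; it assumes the scan was produced with nmap's grepable output format (`-oG`), and the scan result embedded in it is constructed, not a real scan. It parses that output and flags any remote-access service (RDP, SMB, SSH, Telnet, VNC, WinRM) that is open on the perimeter, while ignoring ports the firewall already filters.

```python
"""Flag remote-access services exposed on a firm's public IP addresses.

Added example (not from the original article). It assumes the input was
produced by nmap's grepable output, for instance:

    nmap -Pn -p 22,23,445,3389,5900,5985,5986 -oG scan.gnmap <public-ip-or-range>

run from OUTSIDE the firm's network, against addresses the firm owns and
is authorized to scan. SAMPLE_GNMAP below is a constructed sample.
"""
import re

# Services that should never be reachable directly from the internet.
# Remote access belongs behind the firm's VPN (with MFA), not on the perimeter.
REMOTE_ACCESS_PORTS = {
    22: "SSH",
    23: "Telnet",
    445: "SMB",
    3389: "RDP",
    5900: "VNC",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
}

# Constructed sample of nmap -oG output: one host exposes SSH and RDP,
# the other has RDP filtered by the firewall (only HTTPS is open).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (4)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (5)
# Nmap done (constructed sample)
"""

# Each -oG port entry is: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and Status-only lines carry no port data
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field (Ignored State).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = []
        for match in PORT_RE.finditer(ports_field):
            port, state, proto, service = match.groups()
            entries.append((int(port), state, proto, service))
        results[host] = entries
    return results


def exposed_remote_access(text):
    """Return sorted (host, port, name) for remote-access ports that are open.

    Filtered or closed ports are not reported: the firewall is doing its job.
    """
    findings = []
    for host, entries in parse_gnmap(text).items():
        for port, state, proto, _service in entries:
            if proto == "tcp" and state == "open" and port in REMOTE_ACCESS_PORTS:
                findings.append((host, port, REMOTE_ACCESS_PORTS[port]))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, name in exposed_remote_access(SAMPLE_GNMAP):
        print(f"{host}: {name} (tcp/{port}) is reachable from the internet; "
              f"move it behind the VPN or close it")
```

Against the constructed sample the script reports SSH and RDP open on 203.0.113.10 and nothing for 203.0.113.11, whose RDP port is filtered. A clean result from this check is not a substitute for the third-party test the article recommends; it only confirms that the most common remote-access doors are not left open.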
Computer and Home Wi-Fi Security
Make sure the employee’s computer (whether personal or corporate-provided) is locked down with approved antivirus and regularly maintained with security checkups including software updates and patches. The same applies to mobile devices. If you don’t have the means to easily do this type of maintenance across a distributed workforce, consider sourcing external help.
Be sure to secure the employee's home Wi-Fi network with current encryption (WPA2 or, where supported, WPA3) and a strong, unique passphrase, and have the router's default administrator password changed. Encourage or help employees set up a separate Wi-Fi network for work (for example, a second SSID or guest network), isolated from all other computers and devices such as smartphones, home security systems, smart TVs, gaming systems, smart thermostats and virtual assistants.
Data Access Protection
Limit access to confidential and sensitive information with strong passwords and, where possible, multifactor authentication (MFA) for accessing the computer, cloud services and the firm’s network. Using approved or firm-provided virtual private networks (VPNs) should be mandatory for remote network access.
If an employee's computer is compromised by an attacker, the VPN can turn into a direct backdoor channel into the firm's network: the attacker's traffic arrives over a known, trusted and authenticated connection, so perimeter controls treat it as legitimate. It is vital to ensure every employee's computer, mobile device and home network are secured, patched and checked regularly, and to connect only managed, compliant devices to the VPN.
Security Awareness Training
In addition to regular cybersecurity awareness training for all employees, anyone given authorization to work remotely for any amount of time should complete training on your company’s WFH security best practices. Employees should also sign appropriate information security and nondisclosure agreements that include details of your firm’s WFH policies.
Consider providing all personnel with continuous security awareness updates and alerts about the current known threats they should watch out for.
On-Demand Technical Support
Be sure to provide employees with access to remote technical support services to troubleshoot and resolve any tech or security issues with their computer or home network. Employees should be prohibited from fixing problems themselves or asking a friend or family member for help with a computer being used for work purposes.
If your firm does not have the capacity to provide this level of on-demand remote tech support, there are expert solutions available that work together with your current IT infrastructure to save your firm time and money — as well as keep your workforce productive and secure.
WFH employees should be reminded of their responsibility to report any potential cybersecurity or data breach incident, no matter how small. Failure to report incidents in a timely manner can increase the costs of a data breach and impact compliance with data breach disclosure laws.
Breach response, containment and investigation now may involve looking at an employee’s personal computer or setups in their home environment. Your WFH plan should include policies and procedures that allow your firm to conduct necessary and timely breach response activities through a remote workforce setup.
It is also advisable that you review your cyber insurance policy for any exclusions or special conditions for incidents related to remote employees.
Ensuring data breach compliance for law firms has never been more critical with the dramatic increase in cybercrime, the targeting of remote employees, and the rapid convergence of our personal and professional lives.
By adopting these best practices and taking steps toward improving your firm’s security, your firm can mitigate the cyber risks with this new normal.
About the Author
James Harrison is the Founder and Chief Executive Officer of the cyber defense solutions company INVISUS. As chief strategist and product visionary for INVISUS, he led the development of the company’s cybersecurity, identity theft, and InfoSafe® data breach compliance and breach response lineup that protects businesses and organizations throughout the United States and internationally. Harrison frequently writes for, speaks and trains in a wide variety of industries and trade groups, including speaking at several ALA conferences and chapter meetings in association with ALA VIP business partner BreachPro.
Article Source: October 2020 Issue of ALA Legal Management Magazine