As COVID-19 continues to spread in the United States and around the world, more employers are permitting, and in many cases requiring, their employees to work from home. For example, on March 12, Amazon recommended that all global employees who are able to work from home do so through at least the end of March. Microsoft, Twitter, and other companies, large and small, have issued similar recommendations or mandates.
As more workforces shift to remote working environments, it is imperative for companies to review security processes and procedures related to remote access to corporate systems. Cybercriminals are not only aware of, but are actively targeting, workers who are remotely accessing confidential and sensitive corporate information. Just as hand washing is critical to stop the spread of the disease, good cybersecurity “hygiene” is required to prevent cyber attacks in this time of crisis.
Recent news reports and industry experts have highlighted the fact that cybercriminals are leveraging the confusion and chaos around COVID-19 to mount cyberattacks. According to a study conducted by Check Point Software Technologies Ltd., coronavirus-themed domain registrations are 50% more likely to be from malicious actors. In one specific example, hackers are selling malware that impersonates the COVID-19 tracking map maintained by Johns Hopkins University. The malware requires users to download software to generate the fake map.
The risks are real, and the threats are growing. From phishing attacks to dangers stemming from employees conducting work using personal electronic devices, companies must be more vigilant than ever to guard against a breach. Notably, many companies don’t have business continuity and remote working policies in place. However, such companies now have no choice but to have their employees work from home. There are a number of steps companies can take to help mitigate the risks.
Earlier this week, the U.S. Secret Service issued guidance around coronavirus-related phishing scams. “Cybercriminals are exploiting the coronavirus through the wide distribution of mass emails posing as legitimate medical and or health organizations,” according to the guidance. “In one particular instance, victims have received an email purporting to be from a medical/health organization that included attachments supposedly containing pertinent information regarding the coronavirus. This led to either unsuspecting victims opening the attachment, causing malware to infect their system, or prompting the victim to enter their email login credentials to access the information resulting in harvested login credentials.”
The World Health Organization (WHO) issued a similar warning that cyber criminals are sending phishing emails and, in some cases, impersonating WHO officials in attempts to steal data. Companies should train and notify employees to be on the lookout for such phishing attacks, and remind employees to:
- Be cautious about any coronavirus-themed email that seeks personal information such as passwords or Social Security numbers. Government agencies and companies do not send emails requesting private and confidential information. The safest response is no response. Remind employees that, to the extent they receive a suspicious email, they can validate the email’s authenticity by calling the government agency or alleged corporation sending the email.
- Always verify the email address before downloading or clicking on a hyperlink. For instance, remind employees they can inspect a hyperlink by hovering the mouse pointer over the link to see the address it actually leads to. Most times it will be obvious whether the web address is legitimate or not.
- Always look for the tell-tale signs of spelling and/or grammatical mistakes within the email. Most phishing emails are created haphazardly and include spelling, punctuation, and grammatical errors.
- Look for generic greetings like “Dear sir or madam” or “Dear <name>”. Phishing emails are usually sent out in bulk and will not include an employee’s actual name.
- Don’t feel pressured to act on an email that insists upon immediate action. Phishing emails try to persuade you to take action without fully considering potential risks.
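The checklist above can also be applied mechanically by a mail gateway or a security team triaging reported messages. The following is an added example, not code from the original advisory, that scores one raw email against four of the five indicators listed (the spelling-error check is left out); the message, addresses and domains are constructed placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (all addresses and domains are placeholders): a
# coronavirus-themed lure carrying the indicators from the checklist above.
SAMPLE_EMAIL = """\
From: "Health Advisory Desk" <alerts@health-update.example>
Subject: URGENT: coronavirus guidance - action required
Content-Type: text/html

<html><body><p>Dear sir or madam,</p>
<p>Confirm your password immediately to access the latest coronavirus
guidance. Your account will be suspended within 24 hours.</p>
<p><a href="http://login-verify.example/reset">https://coronavirus.health-agency.example/</a></p>
</body></html>
"""

LURE_TERMS = ("coronavirus", "covid")
CREDENTIAL_ASKS = ("password", "social security")
GENERIC_GREETINGS = ("dear sir or madam", "dear customer", "dear user")
URGENCY_PHRASES = ("immediately", "action required", "within 24 hours", "suspended")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(url):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(raw_message):
    """Return the checklist indicators found in one raw email message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = ((msg["Subject"] or "") + " " + body).lower()
    found = []
    # Coronavirus-themed message asking for a password or Social Security number.
    if any(t in text for t in LURE_TERMS) and any(c in text for c in CREDENTIAL_ASKS):
        found.append("coronavirus lure requesting credentials")
    # The 'hover' check: the visible link text names a host the href does not go to.
    for href, label in ANCHOR_RE.findall(body):
        label = re.sub(r"<[^>]+>", "", label).strip()
        if "." in label and " " not in label and _host(label) != _host(href):
            found.append("link text hides a different destination")
            break
    # Bulk-mail greeting that carries no recipient name.
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    # Pressure to act before thinking.
    if any(u in text for u in URGENCY_PHRASES):
        found.append("urgency pressure")
    return found
```

A message that trips several indicators at once is a strong candidate for quarantine and for the out-of-band verification call the first checklist item recommends.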
Risks Related to Use of Personal Devices
Remotely working employees may be accessing and transmitting sensitive data from unsecured networks, such as public Wi-Fi networks at coffee shops, which are more vulnerable to attack. As a result, companies are at greater risk of exposure, along with liability stemming from state, federal, and/or international privacy and data notification laws should sensitive data be exposed. Risks are compounded to the extent employees use personal devices to conduct company business. To limit exposure companies can:
- Ensure virtual private networks (VPNs) are used when remote workers attempt to access and use sensitive corporate data and information on public networks.
- Require multi-factor or two-factor authentication for login to company networks.
- Implement more robust password management systems.
- Create policies prohibiting work on public networks.
With more employees working remotely, it is critical that companies be more vigilant than ever in the development and enforcement of cybersecurity and data privacy policies. Companies should communicate and reinforce cybersecurity policies clearly and frequently—and conduct remote training as necessary—to encourage adherence to them. Doing so will help guard against a costly data breach.
To the extent you would like more information on how to protect your company against a cyber attack, best practices regarding the development of cybersecurity policies, or require assistance with a cybersecurity incident, please contact John Rondini, co-chair of our Cybersecurity & Privacy practice group or shareholder Todd Dishman.