Working from home is now the norm and it likely will be for many workers and their employers for quite a while, with social distancing and lockdowns being extended into the near future. As a result, employers need to be aware of the expanding cybersecurity risks arising from telecommuting.
“Cybercriminals are not only aware of, but are actively targeting, workers who are remotely accessing confidential and sensitive corporate information,” say attorneys John P. Rondini and Todd W. Dishman of the law firm of Brooks Kushman. “Just as hand washing is critical to stop the spread of the disease, good cybersecurity ‘hygiene’ is required to prevent cyberattacks in this time of crisis.”
They aren’t the only legal experts cautioning employers about cybersecurity pitfalls stemming from employees using their own devices to complete work assignments on unknown and possibly untrustworthy networks and systems. As soon as employees were ordered to stay home, warnings began flying fast and thick.
And this doesn’t just extend to laptop computers, PCs and tablets—the public’s widespread addiction to smartphones increases the threat, according to Linn Foster Freedman, an attorney with the law firm of Robinson & Cole.
“We know when we are home on the weekends not to answer our home telephone unless we recognize the number or caller,” she says. “The same is, of course, true for our mobile phones. If the caller is someone we know, they will leave a message and we can call them back. If it’s a scammer or robocall, we ignore it.”
Telephone scams are on the rise during this pandemic. Scammers know that many people are working at home. “People are more susceptible to answering the phone even when they don’t recognize the number because it might be a co-worker or colleague who is trying to get in touch,” she says.
“We used to issue warnings about telephone scams to our senior citizens who were home during the day and vulnerable; now we also need to warn workers who are working at home during this pandemic.”
Many of the phone scams sound familiar, with new wrinkles added to fit the times. The scammers are using the fear of COVID-19 to impersonate the Centers for Disease Control, the Social Security Administration, the Department of Labor (regarding possible unemployment benefits), and even promising to hand-deliver the check from Congress. The person called is asked to provide personal information to verify their identity, frequently including their Social Security number.
For example, a recent fraud scheme promised home delivery of a Coronavirus vaccine if you provided personal information and payment over the phone. There is no such vaccine, but people are so afraid of the disease that they are falling for this and similar scams.
Invasion Via E-mail
Threats also arrive in the form of phishing attacks sent via e-mail messages, according to Rondini and Dishman. The U.S. Secret Service warns that cybercriminals are distributing mass e-mails posing as legitimate medical or health organizations.
In one instance, an e-mail purporting to be from a medical/health organization included attachments supposedly containing information regarding the Coronavirus. Unsuspecting victims were led either to open the attachment, which infected their system with malware, or to enter their e-mail login credentials to access the information, which harvested those credentials for the attacker.
The World Health Organization (WHO) also issued a similar warning, revealing that cybercriminals are sending phishing e-mails and, in some cases, impersonating WHO officials in attempts to steal data.
Rondini and Dishman recommend training employees to be on the lookout for such phishing attacks, and to impress upon them that the safest response is no response. Remind employees that if they receive a suspicious e-mail, they can validate the e-mail’s authenticity by calling the government agency or corporation that supposedly sent the message.
They also should learn to verify the e-mail address before downloading or clicking on a hyperlink. For example, remind employees they can inspect a hyperlink by hovering the mouse cursor over the URL to see where it leads. Most of the time it is obvious whether the web address is legitimate or not.
Always look for the tell-tale signs of spelling and grammatical mistakes within the e-mail. “Most phishing e-mails are created haphazardly and include spelling, punctuation and grammatical errors,” the attorneys point out. Look for generic greetings like “Dear sir or madam.” Phishing e-mails are usually sent out in bulk and do not include an employee’s actual name. Also tell employees not to feel pressured to act on an e-mail message even when it insists on taking immediate action.
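The indicators listed above (a link whose visible text does not match its real destination, a link pointing outside the sender's domain, a Reply-To that differs from the From address, a generic greeting, and pressure to act at once) can be checked mechanically before a message reaches an employee. The following is an added example, not code from the article or the firms quoted in it; the sample message, addresses and domains are constructed placeholders, and the heuristics are illustrative rather than a substitute for a mail-filtering product.

```python
"""Heuristic phishing-indicator check over a raw e-mail message.

Added example (not from the article). The sample message and all domains
in it are constructed; the checks mirror the tell-tale signs described
in the text: link text vs. real destination, links outside the sender's
domain, Reply-To mismatch, generic greeting, and urgency language.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("immediately", "urgent", "within 24 hours", "will be suspended")
GENERIC_GREETINGS = ("dear sir or madam", "dear customer", "dear user")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(value):
    """Lower-case host of a URL, or of a bare domain-looking string."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def domain_of_address(addr):
    """'Name <user@example.com>' -> 'example.com'."""
    return email.utils.parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = domain_of_address(msg.get("From", ""))

    # 1. Reply-To pointing at a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of_address(reply_to) != sender:
        findings.append(
            f"reply-to domain differs from sender: {domain_of_address(reply_to)} vs {sender}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = text.lower()

    # 2. Generic greeting (bulk mail does not know the recipient's name).
    for greeting in GENERIC_GREETINGS:
        if greeting in lowered:
            findings.append(f"generic greeting: {greeting!r}")
            break

    # 3. Pressure to act now.
    for phrase in URGENCY:
        if phrase in lowered:
            findings.append(f"pressure to act: {phrase!r}")
            break

    # 4. What the link says vs. where it really goes (the "hover" check).
    collector = LinkCollector()
    collector.feed(text)
    for shown, href in collector.links:
        target = host_of(href)
        if "." in shown and host_of(shown) != target:
            findings.append(f"link text {shown!r} points to {target}")
        elif target and sender and not (target == sender or target.endswith("." + sender)):
            findings.append(f"link to {target} outside sender domain {sender}")
    return findings


# Constructed sample: a mailbox-suspension lure with a spoofed-looking link.
SAMPLE = """\
From: IT Support <helpdesk@corp-example.com>
Reply-To: helpdesk@corp-example-login.net
To: employee@corp-example.com
Subject: Action required
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear sir or madam,</p>
<p>Your mailbox will be suspended. Verify immediately at
<a href="http://corp-example.com.secure-login.example/verify">https://corp-example.com/verify</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

Run against the constructed sample the function reports all four indicators; against a clean internal message (matching Reply-To, personalised greeting, links under the sender's own domain) it returns an empty list. A mismatch between link text and destination is the strongest of these signals, because it cannot be explained away by sloppy writing.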
To limit exposure, Rondini and Dishman recommend that companies:
● Ensure virtual private networks (VPN) are used when remote workers attempt to access and use sensitive corporate data and information on public networks.
● Require multi-factor or two-factor authentication for login to company networks.
● Implement more robust password management systems.
● Create policies prohibiting work on public networks.
Ransomware and Spyware
Those are good steps to take, but they are not enough protection in some circumstances. More sophisticated cybercriminals can make the e-mail messages employees receive look far more realistic, luring them into thinking the messages came from a manager or customer. In those cases the result can be far more expensive and disruptive when the malware unleashed turns out to be ransomware that locks you out of your own systems.
How serious is the problem? Last October three hospitals in Alabama were hit with a ransomware attack that locked doctors and nurses out of patient records, causing a massive disruption that halted performance of medical procedures while the issue was being resolved. Imagine if that happened today to a medical facility filled with Coronavirus victims fighting for their lives.
The FBI and U.S. State Department recently placed a bounty of $5 million on the head of a Russian cybercriminal accused of developing the tools for ransomware attacks like the ones at the Alabama hospital system. However, as these tools get easier to access and are proliferating throughout the criminal underworld, the attacks now target vulnerable local businesses as well as big organizations.
Spyware is another growing threat, ranging from the search for personal information that can be used for identity theft to the theft of military and industrial secrets. When this happens, you also can be subject to costly liability: the intruder steals information about customers, employees and members of the public from your data files, and they turn around and sue you. Just ask Target Stores.
Also, foreign governments—especially China—have deployed spyware as a weapon of economic warfare. Several years ago, a major U.S. package delivery firm discovered that barcode readers it had bought from a Chinese manufacturer for use in its warehouses and distribution centers contained malicious code that entered the firm’s inventory system and then patiently searched for months to locate an entry point for gaining access to the company’s accounting system.
If you haven’t already done so, you should enlist attorneys to help conduct an assessment of possible security threats, suggest attorneys Harold D. Mooty III and Andrew Tuggle of the law firm of Bradley Arant Boult Cummings. This inquiry should address four questions: What is the nature of the data? How is it currently stored? What are the current threats? How is the data protected from these threats?
Although an in-house or third-party IT professional can assist with this process, the company’s leadership team should be briefed about the audit results in order to develop a plan that is tailored to the firm’s needs. Also, the plan should be documented and updated as new threats emerge.
“There is no such thing as perfect cybersecurity,” Mooty and Tuggle stress, and no company can be reasonably expected to spend unlimited resources to protect all data from all threats. However, cost-effective alternatives are available. They cite the example of an assessment that reveals you don’t maintain a complete backup of the data on your local server.
There are numerous ways to back up data, they note. You could choose to send daily backups to a secure, offsite and offline storage facility, or choose one of many cloud storage options now available. “Either way, a comprehensive backup of data can reduce—and in some cases eliminate—the financial harm suffered in the aftermath of a data breach,” the lawyers say.
Other Steps to Take
Nearly every large-scale data breach involves an employee inadvertently delivering “The Package” of malicious code onto the computer network. Cyberattacks are becoming more complex and harder to spot, Mooty and Tuggle explain.
They cite the example of two parties to a real estate transaction who negotiate payment via wire transfer at closing. If a criminal knows that one party is expecting to receive wiring instructions, then they can impersonate the other party and send a fraudulent e-mail with different account numbers.
“Sometimes the e-mail address is spelled differently upon closer inspection, while at other times the correct e-mail account has already been compromised when the wiring instructions are sent,” Mooty and Tuggle observe. “In other words, otherwise diligent employees may miss any discrepancy.”
This makes it absolutely necessary for employers to educate their workers about cybersecurity best practices, they emphasize. “Many precautions are basic, but lapses are daily exploited by criminals around the world.”
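The wire-transfer scenario described above turns on two discrepancies a busy employee can miss: a sender address that is spelled almost, but not quite, like the counterparty's, and account numbers that differ from the ones previously agreed. The following is an added example, not code from the article or the firms quoted in it; the counterparty domain, sender addresses, message text and account numbers are constructed placeholders. It generalises the article's case slightly by also catching character substitutions (such as a zero for an "o" or "rn" for "m") that a plain spelling comparison would miss.

```python
"""Flag wire-instruction e-mails from look-alike senders or with changed
account numbers.

Added example (not from the article). The trusted domain, the sample
senders, the message body and the account numbers are all constructed.
"""
import re

# Substitutions commonly used to make a domain look like a familiar one.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain):
    """Map confusable characters to the letters they imitate."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; fine for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender, trusted_domains, max_distance=2):
    """Return ('trusted', domain), ('lookalike', closest trusted) or ('unknown', None)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted_domains:
        return "trusted", domain
    best = None
    for trusted in trusted_domains:
        dist = edit_distance(normalize(domain), normalize(trusted))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, trusted)
    return ("lookalike", best[1]) if best else ("unknown", None)


# Matches "account number 123456789", "account no. 123456789", "account #123456789".
ACCOUNT_RE = re.compile(r"account\s*(?:number|no\.?|#)?\s*[:#]?\s*(\d{6,17})", re.I)


def review_wire_instructions(sender, body, trusted_domains, account_on_file):
    """Return the reasons to stop and phone the counterparty before wiring anything."""
    reasons = []
    verdict, match = classify_sender(sender, trusted_domains)
    if verdict == "lookalike":
        reasons.append(f"sender domain resembles trusted domain {match}")
    elif verdict == "unknown":
        reasons.append("sender domain is not a known counterparty")
    found = ACCOUNT_RE.search(body)
    if found and found.group(1) != account_on_file:
        reasons.append(f"account number changed from the one on file ({found.group(1)})")
    return reasons


# Constructed data: the title company the parties have actually been dealing with.
TRUSTED = {"titleco-example.com"}
ACCOUNT_ON_FILE = "987654321"
SUSPECT_SENDER = "closing@titlec0-example.com"          # zero instead of "o"
SUSPECT_BODY = ("Updated instructions: please wire closing funds to account number "
                "123456789 at First Placeholder Bank before noon.")

if __name__ == "__main__":
    for reason in review_wire_instructions(SUSPECT_SENDER, SUSPECT_BODY, TRUSTED, ACCOUNT_ON_FILE):
        print("-", reason)
```

A check like this only helps if the list of trusted domains and the account on file were recorded out of band (from the signed contract or a phone call), which is exactly the point the lawyers make: when the legitimate mailbox itself has been compromised, the sender check passes and only the change in account number remains as a signal.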
Mooty and Tuggle say three precautions are universally applicable:
● Passwords and login credentials to an organization’s network should be complex and reset on a scheduled basis. Access to certain data should be restricted by layered security tools such as multi-factor authentication.
● Employees should be trained on the dangers of clicking hyperlinks within e-mails or websites. Numerous filters available on the market can either warn employees or prevent them from downloading external content onto a client’s network.
● Security patches for a client’s network, desktop and mobile software should be kept up to date. “Consider a security patch to be a vaccine to a known and diagnosed threat,” the lawyers say. Many employers fall prey to cyberattacks where the malicious code is specifically written to find and exploit software that is out of date.
Employees must be vigilant, because one click of the mouse can do irreversible damage to a business. Training can be made part of new employee orientation and onboarding, but it should also be part of continuing education for the client’s employees.
Some employees will require more training than others, but the only way to determine whether the training is working is to test the employees with real-world threats, Mooty and Tuggle suggest. “While a written test can be effective, it is more beneficial to simulate threats through disguised e-mails or links. This can quickly identify those employees who need additional training and supervision.”