Efforts to contain COVID-19 have resulted in many employees working remotely, potentially for an extended period of time. While such precautions are in place, it is important to stay vigilant about cybersecurity risks. There are already reports of COVID-19 related phishing scams and a recent hack of the U.S. Health and Human Services Department amid its pandemic response. Remote working can exacerbate these risks. Below is a checklist of key issues to keep in mind on this subject:

  • Employees who use personal computers to log in to company systems may create additional cyber vulnerabilities
    • Consider reminders to employees to exercise good cyber hygiene on any devices used for work-related purposes, including how to identify when an email is coming from an external source
    • Also consider reminding employees of the importance of safeguarding confidential information, including login and account passwords, personally identifiable information of customers and others, and sensitive business and market information, particularly given that employees may be working on shared devices and in shared spaces
    • Companies should also consider reminding employees to delete confidential, personal, or other sensitive data when no longer reasonably required for business purposes, in order to mitigate the risk that such data is being unnecessarily stored on personal (or work) devices
  • Make sure IT has implemented any overdue protection measures as soon as possible, such as multifactor authentication, which is often the most effective protection against common attacks such as phishing and business email compromise
    • IT should also ensure that it has installed updated patches, particularly those that are deemed critical
  • Decreased Information Security staff and/or focus on COVID-19 related issues may result in increased system vulnerability
    • Maintaining security safeguards is critical as attacks may have an outsized impact on a company when a majority of employees are working out of the office and relying exclusively on company IT systems to communicate
    • Make sure IT staff is supported and receiving adequate resources
    • Because there may be fewer IT staff available to monitor systems and respond in real time, companies may want to ensure appropriate automatic logging is activated so that if an incident occurs, IT has logs of network activity to trace back through during any investigation and remediation
  • Communications during an incident response may pose additional challenges when team members are working remotely
    • Make sure the company's incident response plan is up to date with contact information (including backup phone numbers and email addresses) for team members and outside advisors
    • In the event of any delays in response or meeting other compliance obligations due to COVID-19 related issues, make sure to contemporaneously document these issues
  • Touch base with any critical IT vendors to ensure that they do not anticipate any significant disruptions as a result of COVID-19
    • If new vendors are being engaged to support the COVID-19 related response, ensure adequate cybersecurity due diligence
