This article, written by attorneys Michael Lambert and JP Harris, was originally published in Massachusetts Lawyers Weekly and can be found here.
In the last year and a half, many businesses have significantly increased the number of telecommuters to implement social distancing in response to the COVD-19 outbreak. Increasing outside access to the company’s network and dispersing access to company data to more remote workers increases legal risk that must be managed.
Data privacy and security laws remain in effect through the Coronavirus pandemic, and even if those laws are relaxed, financial pressures mandate vigilance through this period of unrest. In addition, the holiday season poses increased risk for companies regardless of whether your office has not returned to full time in person work. There are steps that companies can take to mitigate the risks that the upcoming holidays pose.
If businesses have not already done so, they should draft and implement written telecommuting policies that make employees responsible to ensure a safe work environment at home, and alert employees of the need for increased vigilance in upholding telecommuting procedures during the upcoming holiday season. The written telecommuting policy should address these cybersecurity concerns:
- Provide specific instruction as to the manner in which employees can access company systems from the outside. If the company provides a secure VPN connection, for example, employees should be required to use it and no other. Companies need to limit the “rogue IT” phenomenon, one in which employees “find their own solution.”
- Require employees to address the security of the home networks. If employees must use personal computers or networks to work remotely, companies’ IT staff should provide instruction to ensure the security of the home networks is as solid as it can be. Employees may need to be guided through the updating and patching process for their computers and firewalls as well as ensuring passwords to home routers are strong. Employees’ personal security hygiene impacts the chances their hardware will be used by hackers to access employers’ data. As a remote offshoot of the companies’ systems, the home networks need to be secured as well.
- Bolster password management. Companies should require employees to change passwords more frequently and disallow the use of the same password for personal accounts as is used to access the companies’ systems. If possible, companies should utilize multifactor authentication as another layer of security before employees can access the companies’ systems. If it has not already, this will become the “standard of care” or expected minimum for most companies.
- Disallow employees from saving any company data locally – on their home computers. The more repositories of data, the more places that need to be protected/the more places hackers can find sensitive data. Saving locally might also contradict data privacy rules/regulations and contractual promises made by the employer to third parties (including the employer’s insurer, which could jeopardize available cyber insurance).
- Dictate sanctioned resources. Companies should create and maintain a list of applications that are approved and disallow the use of any other resources. The fewer applications that need to be patched and updated, the better. Third party apps are an additional vulnerability if they do not treat security seriously. Beyond that, limiting the number of applications eases the burden on the IT department.
- Instruct employees that if they suspect an intrusion or security incident, even one to their home systems, they must report it to the company immediately. Employees’ home networks can be the doorway for hackers to compromise their employers’ systems. It is vital that employees report suspicious activity on their home networks so that their employers can investigate whether there has been an intrusion to the companies’ systems.
In addition to the above steps, companies need to be more vigilant about phishing scams. Hackers are using COVID-19 as a mechanism to deploy nefarious links to employees who are trying to get up-to-date information. Employees must be reminded and trained to refrain from clicking on links that come from unknown sources.
IT departments must also remain disciplined about the companies’ patches and updates. If companies employ a third-party managed services provider, it would be wise to call the provider to ensure they have the manpower necessary to handle all of their clients’ challenges, monitor for intrusions, keep systems up-to-date, and otherwise comply with their obligations. If there is any uncertainty as to whether the provider can keep up, companies should become the squeaky wheel to ensure resources are reallocated and/or take back more control over their own systems.
Companies need to make sure they remain compliant with applicable data privacy laws and rules and, most importantly, honor any representations made as to the security measures it employs. For example, if a privacy policy on a website tells the public that company data is encrypted and remains on company servers, the company cannot deviate from the standard it has set for itself by allowing remote workers to possess company data that is not encrypted. If companies have made certain contractual promises to its customers or partners regarding the measures taken to safeguard data, the companies must be sure their remote workforce continues to adhere to those promises.
Companies need to ensure that their current configuration, with remote workers, is consistent with representations made when the company applied for cyber insurance. During the application and underwriting process, the company undoubtedly completed a questionnaire that included questions about security measures in place. If the remote workforce arrangement contradicts the representations made in the insurance application, it is possible the insurer will later decline coverage for an incident.
The interplay between IT and legal is complicated enough, but it is even more so when scores of employees work from home. Vigilance is best medicine, at least when it comes to data security and managing the legal risks.
Regarding the upcoming holiday season and cybersecurity concerns of a remote workforce, increased vigilance in conforming to the above and below policies must be practiced. The FBI and the CISA (Cybersecurity and Infrastructure Security Agency) have observed an increase in impactful ransomware attacks occurring on holidays and on weekends when offices are normally closed. Based on recent tactics, techniques, and procedures used by bad actors during holidays and weekends, the FBI and CISA have recommended the following procedures to increase vigilance in conforming to and implementing company cybersecurity procedures for ransomware attacks.
- The FBI and CISA suggest organizations engage in preemptive threat hunting on their networks. Threat actors can be present on a company’s network before the actor shuts down the network alerting the victim to the ransomware attack. Thus, threat hunting involves understanding the company’s IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems.
-
- Behavior-based analytics approach: By implementing this approach, companies can compare their usual online activity with suspected threat actor activity. This would make suspicious activity easier to spot and potentially mitigate or prevent a threat actor from demanding a ransom payment. Differences in normal log-in hours, normal log-in locations, and in server traffic patterns can help detect anomalies caused by threat actors.
- Evaluating data logs: When evaluating company data logs for anomalous activities, companies should look for: 1) numerous failed file modifications, 2) increased CPU and disk activity, 3) inability to access certain files, and 4) unusual network communications.
- Automated alerting system installation: These systems include intrusion detection systems, endpoint detection, and honeytokens.
- Overall Indicators to look for to catch suspicious activity performed by threat actors.
-
-
- Unusual network traffic
- Theft of login and email passwords
- Increase in database read volume
- Irregularities in login times and locations
- Attempted user activity at suspicious times such as during holidays
- Deviations from the company’s baseline network activity
-
- Make an offline backup of your data. Encrypted offline backups of company data can mitigate damages done by ransomware and can prevent the need to pay a ransom. Backup procedures should be regularly conducted.
- Once again, avoid clicking on suspicious links. It is better to be safe than sorry when it comes to ransomware phishing links. Update employees on the latest trends in phishing scam activity. In addition, alert clients to the need for extra vigilance over the holiday season regarding phishing links as threat actors are aware of increased distractions over the holiday season.
- Secure and monitor RDP or other risky services. Companies should monitor remote access/RDP logs, enforce account lockouts after a specified number of login attempts, record these attempts, and disable unused remote access/RDP ports. In addition, companies should review the security procedures and postures of their third-party vendors ensuring all their connections are sufficiently monitored for threat actors.
- Update your software and scan for vulnerabilities. Upgrade software that is no longer supported by vendors to currently supported versions. Regularly patch and update out of date software to ensure the latest available security procedures. Companies should prioritize timely patching of internet facing servers as well as software processing internet data such as web browsers, browser plugins, and document readers. Look for vulnerabilities in these internet facing servers and software processing internet data. In addition, implement automatic updates to antivirus scanning and conduct regular malware scans. Lastly, conduct regular vulnerability scanning to identify and address vulnerabilities to internet facing servers and devices.
- Re-emphasize the need for strong passwords and multi-step authentication.
- Implement segmentation, filter traffic, and scan ports. Network segmentation should have multiple layers where critical communications occur within the most secure layer. In addition, when filtering network traffic, prohibit ingress and egress communications with known malicious IP addresses.
- Remote employees need to secure their home networks. These employees should use separate devices for separate activities and they should not exchange home and work content.
- Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.
- Create a comprehensive incident response plan that includes procedures for notifying the company of a ransomware incident and a backup plan for the company to continue functioning if critical systems are inaccessible for a period of time.
- Follow the Ransomware Response Checklist on page 11 of the CISA-MS-ISAC Joint Ransomware Guide.