Wed, May 13, 2020

Key Coronavirus Work from Home Cyber Security Considerations

Opportunistic cyber criminals are taking advantage of the fact that many organizations are currently working from home. They see this as a chance to compromise public and private sector organizations who may not be prepared to sustain cyber security levels across a predominantly remote workforce. Individuals and organizations can arm themselves with the right knowledge and tools to stave off privacy and data security risks as they strap in for the long haul and continue to securely work from home.

Given the speed at which the virus hit and the number of people affected, organizations had little time to put together a work from home plan. These circumstances are familiar ground, however, for Kroll experts Stacy Scott and Julian Grijns, who were joined by Joseph V. DeMarco of DeVore & DeMarco LLP to discuss key considerations and the best practices that individuals and organizations can implement to stay secure in these trying times.


Work From Home Cyber Security Tips

This 30-min webinar covers:

  • The most common and overlooked cyber risks associated with working remotely
  • Key steps to protect your organization and raise employees’ cyber awareness
  • Legal ramifications associated with working from home cyber risk
  • Insurance – am I covered?
  • How to plan for the return to the office environment


Notable Passages From the Presentation

Vulnerabilities with WiFi Networks and Devices

Use a pass phrase. Take a sentence that you can easily remember and take the first or second letter from each word and make that your password. Change the default passwords on your network devices at home. A lot of the carriers now, whether it be the Big Box, AT&T or Verizon, whomever you get your internet from at home, offer apps where you can manage your administrative settings like your password and different things like that, where you can change it, which is always helpful. – Stacy Scott

Not leaving work devices unattended is really key. A lot of you will still have some of your global organization policies on there that are auto lock it out, which is great. But just making sure that you're not leaving it around, open for folks that may be coming in your home to do repairs, or cleaning. If you're still having those types of things, make sure those folks aren't able to see your screens, and that data on those devices that you have. – Stacy Scott

So that if, for example, you have a data security incident that exposes either personally identifiable information of customers, or trade secret information or confidential business information that you contractually promised to keep secure, or if you're a regulated entity that you have a loss or compromise of company systems or data, the fact of the matter is your legal obligations are not going to be any lighter by virtue of the fact that the incident happened at home, on a device that was not a company device. – Joe DeMarco

Mindful too you should be of the fact that whatever your company policies are, as they relate to employee monitoring, or your ability to access company information on, let's say, a personal device that an employee is using, those might be a lot trickier in this environment than they were in the office. In the office, you could just kind of have your IT department log into the company desktop to do the patching, upgrading yourself, or maybe to monitor an employee that you're a little concerned about. It gets a lot trickier when you talk about remoting into a personally owned device at home that the employee is using. So there, that's again a law and policy question. The question is, are your policies up to date and do they need to be tweaked at all in light of this new reality? – Joe DeMarco

I think the headline here is you need to treat your home office exactly like you would the security at your normal work office. And if there ever is an incident and it's intertwined in the use of a personal device, it can get dramatically difficult for an investigation to unravel what happened, what was compromised, when you have a combination of work devices and in fact, personal devices where the compromise happened because everyone does a variety of things on personal devices and sometimes recovering that information can make the task all the more difficult, if it leads to a breach of information. – Julian Grijns

Phishing Emails

All of you have heard the term "phishing emails." These are targeted efforts by cyber criminals of all kinds. They don't have to be in China or Russia, they can be anywhere in the world. They can be in Iowa or anywhere. And the ultimate motivation is multi-fold. It's to obtain sensitive information. It's to start a business email compromise directed at redirecting finances or redirecting a man-in-the-middle attack where a payment or wire is changed and rerouted. – Julian Grijns

The things that are being targeted are benefits, insurance, unemployment and the different health organizations, the World Health Organization, the CDC. Fake information from each one of those organizations is really what we've seen an uptick in, unfortunately. And a lot are going towards health insurance and benefits as well, to try and play on your fears of COVID on the urgency of, "Hey, you might lose these things." There's a lot of, if you haven't seen it, the IRS and fake tax emails that are out there as well. Trying to get you to click on things so that they can either grab credentials and your information, or download software, malware or something else to proliferate throughout your system, and potentially your work email and work network as well. – Stacy Scott

I think what CISOs and general counsels and CTOs and other people in the operational functions need to consistently do with their employees is send them reminders. Don't inundate them daily, but send your employees reminders on a weekly basis to be aware of these types of phishing attempts. Give them the top three to five things to notice, as Stacy pointed out, differences in the sender's address versus the name and the subject line. I'm aware of a phishing attempt that's been circulating. It appears to come from Microsoft and it alerts the user that they have, make up the number, nine emails stuck in their outbox that have not been sent, click on this link to affect ... complete the sending of your emails. – Julian Grijns
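As an added example (not part of the webinar or Kroll's material), a small Python checker that applies the tells Julian Grijns lists above, the sender's address versus the display name and an urgent subject line, plus a Reply-To mismatch, to a constructed message modelled on the "emails stuck in your outbox" lure. The brand-to-domain table and every address in the samples are assumptions for illustration, not values from the presentation.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands the webinar names as impersonated, mapped to the domains that legitimately
# send mail for them (constructed allow-list for this example; extend per organization).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "irs": {"irs.gov"},
    "cdc": {"cdc.gov"},
    "world health organization": {"who.int"},
}
URGENCY = re.compile(r"\b(stuck|suspend(ed)?|urgent|immediately|verify|expire[sd]?)\b", re.I)

def sender_domain(addr):
    # Lower-cased domain part of an address, or '' if there is none.
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw):
    """Return findings for one raw RFC 5322 message; an empty list means nothing stood out."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    findings = []
    # 1. Display name claims a brand whose legitimate domains do not include the sending domain.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", name, re.I) and not any(
                domain == d or domain.endswith("." + d) for d in domains):
            findings.append(f"display name '{name}' claims {brand}, address domain is '{domain}'")
    # 2. Reply-To points at another domain, so replies leave the organization named in From.
    reply_domain = sender_domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{domain}'")
    # 3. Subject leans on urgency, as credential lures do.
    subject = msg.get("Subject", "")
    if URGENCY.search(subject):
        findings.append(f"urgency wording in subject: '{subject}'")
    return findings
# Constructed samples modelled on the lure described above; neither is a real message.
SAMPLE_LURE = """\
From: Microsoft Account Team <alerts@mail-service-example.test>
Reply-To: support@another-example.test
Subject: 9 emails stuck in your outbox - verify your account

Click the link to complete sending your emails.
"""
SAMPLE_LEGIT = "From: Payroll <payroll@example.test>\nSubject: April timesheet reminder\n\nSubmit by Friday.\n"

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(raw) or "no findings")
```

The checks are heuristics for a weekly awareness reminder or a mailbox rule, not a substitute for SPF/DKIM/DMARC enforcement at the gateway.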

What we've seen from the work at home environment is that unfortunately, creative employees bring a lot of ingenuity to bear on defeating those systems. And I can't tell you the number of times that unfortunately, someone relatively senior in an organization, someone with clout, someone who's a revenue maker or a manager, for again, understandable reasons, they have to work on that deal, while they go to their sister-in-law's wedding in Switzerland, whatever it is, will put information into a compromised web mail account. The problem with that is, as I said at the beginning, you're still legally on the hook. And particularly if you're in a regulated industry, the regulators are going to frown at that. And they're going to frown at that because it's so obvious and longstanding a poor practice, and because it's in a sense a self-inflicted wound. – Joe DeMarco

Multifactor Authentication

There are a lot of software products and companies out there that do offer multi-factor authentication. Apple offers it. A lot of your social media sites. Instagram, Facebook, Twitter, they all offer it. Amazon. Google in G Suite, with your Gmail. YouTube. If you're using Flock, or some other sort of community communication with your teams now online. Dropbox. PayPal. Those all offer multi-factor and I would suggest enabling it. It sends a text to your phone, or gives you a one-time code in an email, or it will even call you to do those things. And so it's easy to set up. Typically, just google or search for those different things that I mentioned, and multi-factor after it, and you'll see where to set it up. And typically, the companies have made it quite easy for you to do that. Even your home devices like Nest, for your AC and your Ring doorbell, those all have multi-factoring. We've seen all over the news where those are hacked into. They're connected to your home network and could be an entry way into your personal device, or your company device that is connected to the same network. Even though it may have its own protections, it is just another way in. – Stacy Scott

In 20 years, of all the hundreds of incidents I've worked across, I've only seen two where multi-factor authentication was defeated by a cyber wrongdoer. If you're looking for one of the things that can deliver you the most return on investment from a security point of view, and by the way it's free for the most part, multi-factor authentication is it. – Joe DeMarco

Live Conversations and Communication Apps

We're obviously working under sub-optimal conditions, most of us, but as I said, the legal obligations remain the same. Just a few practical tips and points. One is situational awareness. Please be out of range of Siri and Alexa when you're on a conference call at home or a video call at home. Please make sure that people who are not party to your conversation don't stray into video or audio range. I know that can be hard. If you plan on videotaping a video call, whether it's on Zoom, or the platform we're using now, please be sure that you have the consent of every single party to that communication, because a lot of states require everybody to consent. And if everybody doesn't consent, then you may have a potential violation of state wiretap and surveillance laws. And you want to keep them out of video and audio range because if they haven't consented, then there could be again, at least a nominal or a technical violation of those laws. So, I think situational awareness is incredibly important in this area. – Joe DeMarco

A lot of the less kind of interesting, sexy options are also just inherently a lot more secure. If you are on a non-cordless, old-fashioned, plain old telephone system, landline, it's very hard for wrongdoers to access that communication and listen in on you. On the other hand, it's easier if you're using a free conference call line, again which comes from who knows what provider, and who knows what kind of adware is being generated off of it, and who knows where the number's been used before, and who knows where the password has been kept, if there even is a password. – Joe DeMarco

Cyber Insurance and Legal Ramifications

Your ethical obligations as lawyers are the same whether you're working from home on that metaphorical unpatched Gateway, or whether you're working in the most secure and confidential facility you can imagine. Your duties of competence, competently understanding the risks that we've talked about today, your duties as a fiduciary to your clients and your duty to safeguard client property, all those duties which are in all 50 states I'm pretty sure, apply whether you're working in the office or whether you're working at home. – Joe DeMarco

Make sure you have all the right contact information for your insurer and your outside counsel, if you have those. Make sure you have those on hand. They might be in your office, at work. Make sure you know who to call and you have their correct contact information. It may have changed, so just double-check that information. – Stacy Scott

How to Plan to Return to the Office

Once we hopefully start returning to normal, and you go back, start commuting back to a physical office, your normal office, make sure you go through your desk at home and don't leave sensitive information behind. Make sure that if you did have an approved use of a cloud site that you used because so many of your employees were working remotely, and you're no longer going to need that anymore, make sure sensitive information isn't left on that cloud site, that that's cleaned, the account is closed. – Julian Grijns

I think understanding from a technology perspective where all that data may have gone and removing it. But also, as you move back, if you're in technology, or asking your technology teams and your security teams, ‘If we needed to re-close and go back to remote, how quickly could we flip that switch back? If we're coming back to reopen the office, how quickly can we switch to working in the office?’ And remember to shut down potentially, newly opened remote access options. And, making sure that we're not really affecting business continuity, but also security. And making sure we're turning off things that are no longer in use, but that we can turn them back on should there be a second wave, or another work from home push, or mandate pushed out in different areas. – Stacy Scott

Hopefully by now, people have settled into a routine, and your IT staff or whoever manages your network or computers has returned to some level of normalcy that you can start to begin to have those conversations now with them. So that you can be prepared to go back when it's time to go back without too much preparation, and then you can prepare to return home without too much preparation. – Joe DeMarco