Company employees who work from home during the novel coronavirus outbreak must meet data-security requirements or risk regulators’ scrutiny.
The employees may use tools that lack firewalls or tap into public Wi-Fi, creating data-security vulnerabilities, privacy attorneys and security executives said. Many small- and medium-sized companies aren’t prepared for the risk, they said.
Businesses should use the coming weeks to harden systems for remote work before the spread of COVID-19, the illness linked to the current outbreak, worsens, said Kirk Nahra, co-chair of Wilmer Hale’s cybersecurity and privacy practice. “This event, unusual as it is, actually is an example of why people should be thinking about it in advance in a crisis,” he said.
Alphabet Inc.'s Google, Facebook Inc., and Twitter Inc. are among the companies that are already letting some employees work remotely as the coronavirus, which has already hit more than 93,000 people globally, spreads in the U.S. Amazon.com Inc. today recommended that employees work from home through the end of March.
Other employers are testing whether systems can handle their entire employee base working remotely in case they later need to send workers home. “The companies that will be most at risk are the ones who are not prepared to have a remote workforce,” said Nicholas Merker, a partner at Ice Miller LLP who counsels companies on privacy and data security.
Businesses, though, may draw the ire of regulators if they don’t adopt reasonable security standards for remote employees or train them to safeguard customer data. Government agencies won’t give “a complete free pass” to companies that don’t uphold data security standards, said Nahra, part of Wilmer Hale’s COVID-19 coronavirus task force.
More employees working remotely increase the risk they’ll transfer data to personal devices for ease of use or connect devices insecurely, said Kimberly Kiefer Peretti, co-leader of Alston & Bird’s cybersecurity preparedness and response team.
“There is an increased chance for devices containing sensitive information to be lost or stolen,” Peretti said.
Employees working remotely must keep up their guard against phishing attacks, Thomas Etheridge, vice president of services at the cybersecurity company CrowdStrike, said. One e-crime actor called MUMMY SPIDER has been using coronavirus as a spam email theme to get recipients to download Emotet malware samples, he said.
Employees shouldn’t “click on links or download items sent as attachments if they aren’t sure of the source,” Etheridge said.
Companies can limit risks by having workers use two-factor authentication processes and virtual private networks, which can provide the same level of security as corporate systems, said Mark Barrenechea, CEO at OpenText, a data management company in Canada.
They also can use the outbreak as an opportunity to prepare data security and business continuity plans for future pandemics, catastrophes, and natural disasters, said Greg Touhill, who was U.S. chief information security officer in the Obama administration and is now president of AppGate, a cybersecurity company.
Remote work requires advance coordination of a company’s technology, security, human resources, and business operations to ensure a successful program, said Gerald Beuchelt, chief information security officer at LogMeIn, a Boston-based provider of remote connectivity services.
“Relying on security training and awareness programs to drive ‘cyber smart’ behavior, not only at work but also at home,” will help keep organizations secure, Beuchelt said.