Working From Home During COVID-19
Five things you should be doing—but probably are not—to be more cyber secure
Written by Shawn E. Tuma
March 2020 will go down in history as marking a quantum leap in the way we lawyers do business, from a primarily office-based environment to an almost exclusively work-from-home environment. A transition that, under normal circumstances, would have taken many years took place within hours or, at most, a few days, as shutdown orders forced people out of their offices and into working from home. There was no time to plan ahead for this transition, and most of us had to adapt on the fly and do the best we could. As much as this pandemic changed the way we live our lives, it changed the cybersecurity of our practices and of our clients’ businesses as well.
The Pandemic Marked a Quantum Leap in our Lives, Work, and
Cyberrisk is not a new concept. The words “cybersecurity,” “data privacy,” and “data breach” have been an increasing part of our vocabulary since the headline data breaches of 2013. For lawyers in particular, the trend is the same. Hackers consistently target law firms because they see them as a one-stop-shop treasure trove of valuable information. As a result, several prominent law firms have made the news for their cybersecurity events, well over 100 law firms have publicly reported data breaches, and at least one prominent law firm, Mossack Fonseca, closed its doors following a data breach that revealed the Panama Papers.
In the world of cybersecurity, the odds are stacked against you from the beginning: your defenses must get it right 100% of the time, while a threat actor needs only one lucky shot for an attack to succeed. Those odds get worse as your network environment grows and becomes less controlled, because the larger the environment, the more targets threat actors have to attack.
Prior to COVID-19, it was difficult enough to protect computer networks and the information contained thereon when the “network” was primarily contained within the controlled environment of office space in professional office buildings in one or more locations (for those law firms that had multiple offices). While there were those power users who would take their laptops and work remotely while out of the office, they were still the exception, not the norm, as most firm employees were still working in the office.
When COVID-19 sent everyone home to work all of the time, the attack surface grew dramatically. The only way most firms could adapt was to find ways to give employees access to the network from wherever they were located. With all employees out of the controlled office environment, that network effectively expanded to include every home, every personal router, and every other location where an employee happened to be working. To replace communications that were usually done face-to-face, many turned to third-party services that had not been vetted, and for which there was no training and no uniform setup process to ensure they were used as securely as possible. This led to new trends such as “Zoom-bombing.”1
FBI’s COVID-19 Remote Work Cybersecurity Prevention Tips Are Required Reading for All
In April 2020, the FBI reported a spike in cybercrime activity since the beginning of the pandemic, with the Internet Crime Complaint Center receiving about 3,000-4,000 complaints a day as compared to 1,000 complaints a day shortly before the pandemic.2 The FBI issued a public service announcement, or PSA,3 addressing this increase in threats. The PSA included an extensive explanation of each of the common threats as well as actionable tips for preventing the most common threats.
Everyone should carefully read the FBI’s tips in the PSA as they are easy to understand and are just as applicable for improving cybersecurity when life returns to normal as they are during a pandemic. There are too many tips to include in this article but the PSA is linked in the endnotes.
Top Five Things We See Organizations Not Doing—That They Should Be Doing—That Lead to Cyber Incidents and Data
In my practice I advise and lead organizations through the process of investigating and responding to cyber incidents and data breaches. In this role, our team comes in after an event has occurred and, among other things, works with technical cybersecurity experts to assist in investigating to learn how and why it occurred as well as how it could have been prevented. Though I am still just a lawyer, I have learned a lot over the years.
When asked what organizations can do to help improve their cyberrisk posture, the safest answer is always “everything!” Reasonable cybersecurity experts could offer enough tips and advice to fill volumes and, while many would be similar, many would not be and the order of priority would vary significantly. I have my own “Good Cyber Hygiene Checklist”4 but, in the world of cybersecurity, much like in the law, the answer to the question of “what is best?” is often “it depends.” Unfortunately, there is so much information and misinformation out there that many organizations end up not taking any action because they cannot determine how to prioritize or where to begin.
Without an understanding of the particular organization or the unique risks it faces, it is impossible to know what is best or most important. What we do know is what we are seeing organizations not doing—that they should be doing—that most frequently leads to cyber incidents and data breaches. The following five recommendations address what we see exploited most often that are not always on the top of organizations’ priorities.
1. Backups, Backups, Backups! There is another pandemic going around called ransomware, and the odds of it infecting your organization are high. For years we heard, “We do not worry about cybersecurity because our data is not that valuable.” The threat actors learned that, regardless of how valuable the data was to others, it was valuable to the organization itself, and that if they could encrypt the organization’s data and make it unavailable, the organization would pay a ransom to regain access. Quickly realizing that organizations with viable backups would not pay, they adapted their tactics: now, upon first gaining access to the network, they locate the backups and delete or encrypt them, and only then launch the primary ransomware attack. Organizations must have a backup strategy that accounts for this threat, such as the “3-2-1 backup rule”: (3) keep at least three copies of your data; (2) store the copies on two different types of media; and (1) keep at least one copy offsite and disconnected from the network, so that an intruder who controls your network cannot reach it. Simply having backups is not enough: you must use a strategy such as this, periodically test that you can actually restore from those backups, and recognize that the last copy, the disconnected one kept offsite, may be all you have left to carry on your operations.
2. Multifactor Authentication, or MFA. Every login to anything important must require MFA, which means proving who you are in two ways instead of one. For example, MFA would require your password plus approving a prompt in, or entering a code from, an authenticator app on your phone before the login succeeds, so a stolen or guessed password alone is not enough to get in. If you are using Microsoft Office 365, Google, or another form of cloud-accessible email, you should be absolutely certain you have implemented MFA, because those accounts are reachable by anyone on the internet and are the first thing an attacker holding a phished password will try.
3. Phishing Training and Exercises. Phishing emails continue to account for the vast majority of attacks on organizations and continue to be effective at delivering malware, harvesting login credentials, and triggering other fraud schemes such as business email compromise. One of the most effective ways to combat this threat is to train members of the workforce to recognize phishing emails and then to run regular exercises that test them by sending simulated phishing emails and tracking who clicks the links, enters credentials, or otherwise falls for the message. Use the results to retrain rather than to punish; the goal is for people to report a suspicious email quickly, not to hide that they clicked on it.
4. Remote Desktop/Virtual Network Computing. Do not expose Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) to the internet, and do not permit them at all unless necessary. If you do permit them, require that they be reachable only through an encrypted virtual private network from a reputable vendor, and require MFA to connect to that VPN. Internet-facing RDP with a password-only login is one of the most common ways ransomware operators get into a network.
5. Disk Encryption. Every device that can reasonably be carried from one location to another by an individual should have full disk encryption enabled, protected by a strong login password or PIN, and with the recovery keys stored somewhere the firm, and not only the user, can retrieve them. Hackers do love to hack, but thieves also love to steal, and people have a bad habit of leaving devices in the Uber or sitting at the airport. Having encryption enabled can mean the difference between simply replacing a lost piece of hardware and exposing the sensitive information on that device and having to notify the world of a data breach. TBJ
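Items 4 and 5 can be checked on a Windows laptop with the following script, an added example that is not part of the article and not code from the author. It reports whether RDP is enabled, whether Network Level Authentication is required, which remote addresses the built-in inbound Remote Desktop firewall rules accept, and the BitLocker state of every volume, and it includes a function that scopes RDP to the firm’s VPN range. The VPN subnet 10.8.0.0/24 is an assumed placeholder and must be replaced with the range your VPN actually hands out. Run it in an elevated PowerShell session on a machine with the BitLocker feature installed.

```powershell
# Added example (not from the article): audit one Windows workstation for the
# two endpoint points above, RDP exposure and full-disk encryption.
# Assumption: the firm's VPN assigns clients addresses in 10.8.0.0/24. Replace it.
$VpnSubnet = '10.8.0.0/24'

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required, so a
    # client must authenticate before a session (and its attack surface) is created.
    $nla = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication).UserAuthentication

    # Inbound rules in the built-in "Remote Desktop" group. A RemoteAddress of 'Any'
    # means port 3389 answers on every network the laptop joins: home, hotel, airport.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
             Where-Object { $_.Direction -eq 'Inbound' }
    $scopes = @($rules | ForEach-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress })

    [pscustomobject]@{
        RdpEnabled        = ($deny -eq 0)
        NlaRequired       = ($nla -eq 1)
        InboundRuleScopes = ($scopes | Select-Object -Unique)
        OpenToAnyNetwork  = [bool]($scopes -contains 'Any')
    }
}

function Get-DiskEncryptionStatus {
    # One row per volume. "FullyEncrypted" with ProtectionStatus "On" is what item 5
    # asks for on every drive that could leave the building.
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

function Set-RdpScopeToVpn {
    param([string]$Subnet = $VpnSubnet)
    # Require NLA, then limit the inbound RDP rules to the VPN range only. With MFA
    # enforced on the VPN itself, this is the arrangement item 4 describes.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Set-NetFirewallRule -RemoteAddress $Subnet
}

# Report first; remediation is a separate, deliberate step.
Get-RdpExposure | Format-List
Get-DiskEncryptionStatus | Format-Table -AutoSize
# Set-RdpScopeToVpn        # uncomment once the VPN subnet above has been confirmed
```

Interpreting the report: RdpEnabled true with OpenToAnyNetwork true is the configuration to fix immediately; RdpEnabled false is the safest answer where nobody needs remote desktop at all. Any volume whose VolumeStatus is not FullyEncrypted, or whose ProtectionStatus is Off, is a laptop that would become a reportable breach if left in a taxi.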
Shawn E. Tuma is an attorney widely recognized in data privacy and cybersecurity law, areas in which he has practiced for over two decades. He is co-chair of the Data Privacy and Cybersecurity Practice Group at Spencer Fane and works primarily in the firm’s Collin County office.