
What We Have Learned About Remote Workforce Safeguards During COVID-19

Beckage lawyers have been working with businesses to put them in a legally defensible position as they pivot to a distributed workforce. We have learned a few things from our work and from watching what is happening around the globe.

Technical Safeguards Have Had To Quickly Pivot:

Companies are working to narrow their threat surface.

Organizations are working toward making their workforce 100% remote to safeguard employees, but that advantage comes with increased exposure of company assets “in the wild.” Those responsible for security therefore need to implement technical safeguards to offset this increased risk. Where preventative controls are not realistic, an organization should look to implement detective controls.

Beckage has evaluated various control options for access management. A few of these are:

• Shortening screensaver times

• Session lockout times

• Tiered approach for modifying user access to high-risk platforms, applications, and, where possible, data

• Multi-factor authentication for email and high-risk applications/systems

• VPN and Virtual Desktop Infrastructure

With so many tech vendors selling a variety of services and products, companies are getting lost in the hype and simply want to know how to balance it all as part of a larger game plan.

Organizations Are Valuing The Importance Of Administrative Safeguards:

Companies are realizing how essential it is to have more administrative safeguards in place.

Beckage has reviewed the most relevant policies and procedures that relate to a remote workforce. Organizations should analyze whether those policies and procedures contain steps or tasks that require key stakeholders to be physically present.

Additionally, organizations need to confirm that their Incident Response, Disaster Recovery, and Business Continuity Plans are all sustainable with a remote workforce. They should verify that such policies and procedures (including call-trees and responsible-party contact lists) are accessible to those who need access. Beckage has suggested that organizations look at cloud-based solutions for storing their policies and procedures. This would enable the workforce to access documents even if the corporate network is down.

Physical Safeguards Are Very Important:

With buildings becoming vacant, physical safeguards will become more indispensable than ever. If an organization’s facility is going to have a skeleton crew, then there are several questions that need to be addressed, such as:

• Who will be responsible for safeguarding assets onsite?

• Do these persons have intimate knowledge of the protocols to follow in the event of a breach or other criminal activity?

• Does the workforce understand what steps to take in the event they lose a device while working remotely?

• Is the procedure documented and has it been distributed?

• Has the organization walked through the process to commission and decommission devices remotely?

Struggle In Addressing Pandemic & Complying With New Laws:

In the middle of the pandemic, companies have still had to meet the compliance milestones of the NY SHIELD Act and California’s Consumer Protection Act (CCPA), especially where the Attorneys General responsible for enforcing them have not provided extensions of time to comply despite the organizational disruption of the pandemic.

***

Beckage attorneys, who are also technologists, a former CISO and a current Certified Information Systems Auditor (CISA), are available to answer any questions you have about the foregoing safeguards and their impact on compliance with the NY SHIELD Act, the CCPA, the European Union’s General Data Protection Regulation (GDPR) or any other privacy or data security statute. Visit us at Beckage.com or call us at 716 898 2102.

Beckage is proud to be the only firm in 2019 named for its “Technology Transactions” practice in Upstate New York Super Lawyers and routinely cited by Law.com for our insights in this fast-moving arena, along with several other awards and recognition in tech and law. We thank you for your business and encourage you to visit our blog regularly for updates on this area of law and others.

*Attorney Advertising. Prior results do not guarantee future outcomes.



Legal Strategies When Executing a Distributed Workforce Strategy

In a short period there has been a monumental push for remote working arrangements by almost every existing organization. As a result of the Coronavirus outbreak, our calendar has been filled with appointments to discuss the practical considerations and steps that every leadership team is facing, from executive to technology, including application and business stakeholders. This incident has brought on evaluations of an organization’s readiness through the lens of business continuity, incident response, and more expansive administrative, technical, and physical safeguards.

While not exhaustive, below is a list of some areas to consider in executing a distributed workforce strategy:

Principle of Least Privilege – Has the organization operationalized a principle of least privilege? Does this extend to your remote access management? Opening the floodgates to all end users at once is neither practical nor safe. Discuss a tiered approach and, where preventative controls are not possible or practical, implement detective controls. This would look like automated log management, reviews, and analytics to identify anomalous behavior on networks or systems that are classified as mission critical or that handle the most critical data. Take a risk-based approach to identity and access management and consider a more restrictive policy; you can remind your user base that this is a temporary measure. From a security perspective, your objective is to narrow the threat surface; remember the security triad: Confidentiality, Integrity and Availability.

Remote Desktop Protocol – Now is the time to check your remote access configurations. We are sure to see a significant uptick in cyber incidents exploiting enabled ports that are commonly used for remote access; these ports are frequently the point of entry for ransomware attacks. Audit your network and, if you haven’t already, identify servers and devices with ports 22 (SSH), 23 (Telnet), and 3389 (RDP) enabled. Once identified, and where permitted based on your unique circumstances, immediately close port 23 on all systems as well as any unnecessary SSH and RDP ports. It was only a year ago that we witnessed BlueKeep, the security vulnerability that allowed for remote code execution through RDP.
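The audit described above, as an added example that is not part of the original post: it reads a constructed port-scan export (hostnames, addresses and the approved-bastion allow-lists are assumptions), flags Telnet everywhere, and flags SSH/RDP only on hosts that are not an approved, managed entry point.

```python
# Added example (not from the Beckage article): audit a constructed port-scan
# export for the remote-access ports the article names (22, 23, 3389).
# Hostnames, addresses and the approved-host allow-lists are assumptions.

REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}

# Constructed export: "hostname,ip,open ports separated by ';'" per line.
SCAN_EXPORT = """\
bastion01,10.0.1.5,22;443
fileserver,10.0.2.10,445;3389
legacy-switch,10.0.3.2,23;80
web01,10.0.4.20,80;443
workstation-17,10.0.5.17,3389
"""

# Assumed: hosts where SSH or RDP is a deliberate, managed entry point.
APPROVED_SSH_HOSTS = {"bastion01"}
APPROVED_RDP_HOSTS = set()

def parse_export(text):
    """Turn the export into (host, ip, set_of_open_ports) tuples."""
    rows = []
    for line in text.strip().splitlines():
        host, ip, ports = line.split(",")
        rows.append((host, ip, {int(p) for p in ports.split(";") if p}))
    return rows

def audit(rows, ssh_allow=APPROVED_SSH_HOSTS, rdp_allow=APPROVED_RDP_HOSTS):
    """Return (host, ip, port, action) findings.
    Telnet is always a finding; SSH/RDP only on hosts not on the allow-list."""
    findings = []
    for host, ip, ports in rows:
        for port in sorted(ports & set(REMOTE_ACCESS_PORTS)):
            if port == 23:
                action = "close immediately (cleartext Telnet)"
            elif (port == 22 and host in ssh_allow) or (port == 3389 and host in rdp_allow):
                continue  # approved, managed remote-access host
            else:
                action = f"restrict {REMOTE_ACCESS_PORTS[port]} to VPN/bastion or close"
            findings.append((host, ip, port, action))
    return findings

if __name__ == "__main__":
    for host, ip, port, action in audit(parse_export(SCAN_EXPORT)):
        print(f"{host:15} {ip:12} {port:5} {REMOTE_ACCESS_PORTS[port]:7} {action}")
```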

Data in Transit and At-Rest – Revisit your organization’s encryption standards as they apply to data in transit and at rest. With an expanded workforce now remote and handling sensitive and non-public data, a conversation about encrypting data at rest should be at the top of your discussion list. The NY SHIELD Act, which became effective March 21st, expands the definition of private information to include personal information in combination with various listed data elements (refer to NY Senate Bill S5575B) that “were not encrypted” or “was encrypted with an encryption key that was accessed or acquired.” For financial institutions, the FFIEC, which prescribes uniform principles and standards, states that institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.

Password Strength and Two-Factor Authentication – Replace any default or weak login credentials with passphrases. Roughly two years ago the National Institute of Standards and Technology (NIST) published guidance on this, and organizations have been slow to adopt passphrases in place of their typical 8-character passwords. Now is a good time to implement passphrases and communicate this as a necessary response to the recent distributed workforce requirement. Similarly, you should also consider revisiting screensaver and session lockout times; remember, this is about narrowing the threat surface. If you can shorten these times by 5 minutes, the compounding effect across, say, 1,000 employees could be 5,000 minutes of time, or 83 hours. That’s 83 hours less time a bad actor has to compromise your devices. In addition, consider looking at failed login attempt configurations; you can adjust this setting to lock an account after fewer attempts than usual. This can be a temporary measure until your workforce returns to the office setting.
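The detective control suggested under Principle of Least Privilege (automated log review for anomalous behavior) combined with the tightened failed-login threshold above, as an added example that is not part of the original post: the auth log lines, their simplified “timestamp account outcome source” format, and the threshold and window values are constructed assumptions.

```python
# Added example (not from the Beckage article): a detective control that
# flags accounts reaching a temporarily tightened failed-login threshold.
# Log lines, the "timestamp user outcome source" format and the
# threshold/window values are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log (ISO timestamp, account, outcome, source address).
AUTH_LOG = """\
2020-03-23T08:00:05 alice FAIL 203.0.113.7
2020-03-23T08:00:09 alice FAIL 203.0.113.7
2020-03-23T08:00:14 alice FAIL 203.0.113.7
2020-03-23T08:00:40 bob FAIL 198.51.100.2
2020-03-23T08:09:00 bob FAIL 198.51.100.2
2020-03-23T08:20:00 bob FAIL 198.51.100.2
2020-03-23T08:20:30 bob OK 198.51.100.2
2020-03-23T08:30:00 carol OK 192.0.2.10
"""

def parse_log(text):
    """Yield (timestamp, account, outcome, source) from the constructed format."""
    for line in text.strip().splitlines():
        ts, user, outcome, src = line.split()
        yield datetime.fromisoformat(ts), user, outcome, src

def failed_login_alerts(events, threshold=3, window=timedelta(minutes=10)):
    """One alert per account the first time it reaches `threshold` failures
    inside a sliding `window`; a successful login resets that account.
    threshold=3 (rather than a typical 5) models the article's suggestion
    of a temporarily lower lockout threshold."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    alerts, alerted = [], set()
    for ts, user, outcome, src in sorted(events):
        q = recent[user]
        if outcome == "OK":
            q.clear()
            continue
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # failure fell outside the window
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, len(q), src))
    return alerts

if __name__ == "__main__":
    for user, ts, count, src in failed_login_alerts(parse_log(AUTH_LOG)):
        print(f"LOCKOUT CANDIDATE {user}: {count} failures by {ts.isoformat()} from {src}")
```

In the constructed log, bob’s three failures are spread over twenty minutes and never co-occur within the window, so only alice is flagged; with the usual threshold of five nothing fires at all.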

Communication – The question which has come up the most has been regarding communication while working remotely. The workforce will need to be informed as they transition to remote work. Organizations will need to remind their workforce of what is expected of them as it pertains to policies such as acceptable use, BYOD, information security, business continuity, disaster recovery, and incident response. Similarly, the workforce should also be reminded of safe security practices in the home (for example, when was the last time they updated their router firmware?). While company-wide communications will be necessary, tailored communications to various departments may be equally important. For example, the Incident Response Team leader should communicate regularly with all stakeholders. They will need to review the Incident Response Plan to evaluate whether the procedures have limitations based on the physical proximity of all parties with responsibilities. Likewise, physical security may have unique requirements since the offices will largely be empty.

The push to remote work has forced organizations to revisit their control environments, operational workflows, and technical capabilities. This is an exercise that requires input and coordination across the organization and highlights the importance of a policy governance structure.  




Data Security Considerations as the Coronavirus Spreads

There has been an increased awareness of the Coronavirus here in the United States since the virus first impacted China in late 2019. This has caused concern for individuals and organizations and, in some instances, led to the temporary suspension of travel for employees of several well-known international corporations. As the virus continues to spread worldwide, businesses face a series of questions regarding the impact the virus could have on their operations. Fortunately, businesses do not have to wait until disaster strikes before putting a plan of action in place and are wise to take data security measures well in advance.

What areas are top of mind as businesses of all sizes continue to monitor and prepare for the Coronavirus? Below are some considerations:

1. Review Your Business Continuity Plan: This is a very timely opportunity for organizations to review their current business practices and policies, including the Business Continuity Plan (BCP). Whether it is the Coronavirus, Influenza, or something else, the BCP is top of mind for many, and it is a good time to evaluate the “what if” scenario. A BCP details how an organization will recover interrupted critical business functions after a disaster or disruption has occurred. Armed with a BCP, executives can respond in an orderly, rational way. A BCP allows decisions to be made along predetermined guidelines and will answer potential questions such as:

a. How many absences can we handle before business operations are interrupted?

b. How do we keep operations running during an interruption?

c. What changes can we make to keep the business operating effectively?

2. Pay Attention to the Pandemic Section: Companies should confirm that the BCPs in place are adequate to address business needs in the event of a pandemic. Often a BCP will have a section that specifically addresses a pandemic, including such topics as:

a. Workplace safety precautions.

b. Employee travel restrictions.

c. Provisions for stranded travelers unable to return home.

d. Mandatory medical check-ups, vaccinations or medication.

e. Mandatory reporting of exposure, such as employees reporting to employers and employers reporting to public health authorities.

f. Employee quarantine or isolation.

g. Facility shutdowns.

3. Review Existing Employee Policies: Now is a great time to review your workplace management policies with a particular focus on the data security provisions you have in place that address such areas as telecommuting, IT use policies, and paid time off. Are you equipped to permit employees to work remotely from home without compromising the data security of your infrastructure or confidential information? Are the appropriate technical and administrative controls in place? Adopting some of these work-from-home and/or remote options may make sense but could lead to operational challenges and unforeseen data security risks to a business. Some other areas that may need to be addressed include the procedure for sending symptomatic employees home, implementing quarantines for employees returning from high-risk areas, limiting face-to-face meetings, and temporarily shutting down operations.

a. Special Labor Relations Consideration: Be aware of existing agreements and any labor relations issues that may come into play. For example, businesses operating in a union environment may be impacted by collective bargaining agreements that have special provisions regarding paid time off for union workers in the event of an emergency when employees are prohibited from reporting to work. Always check with counsel before unilaterally implementing any changes to existing policies.

4. Consider the Impact on IT Service Providers: Review your contracts and keep in mind that an outbreak or epidemic can not only affect normal business operations, but also service providers and suppliers. Be familiar with key provisions that could impact your business operation. Review Service Level Agreements and understand how data can be accessed remotely if needed.

5. Remind Employees of Data Security Best Practices & Remote Data Access: With increased concern about the Coronavirus, we continue to see scammers utilizing email phishing attempts to target victims. Remind employees to be vigilant when receiving emails, for example not clicking on links or attachments within emails from senders they do not recognize. These attachments and links can contain malicious content, such as ransomware, that can infect a device and steal personal information.

6. Stay Up to Date on CDC Recommendations: Businesses are wise to regularly monitor the CDC website for current recommendations regarding travel restrictions and other precautions that affect business decisions. Regularly communicate updates and changes to your workforce.

7. Educate Your Workforce: Create a culture that understands the potential IT implications when working from home and how their corporate IT and other technical policies apply to home work conditions.  

Beckage is working with global clients and brands on low-cost, high-impact changes to policies and on rolling out policies to address IT and remote working conditions. As a leader in this space, we assist companies in proactively preparing for unforeseen circumstances and business scenarios such as those caused by the Coronavirus. It is much better to be over-prepared for these unpredictable circumstances than under-prepared.

