Skip to content

Discerning Data

  • About Us
  • Additional Resources
  • Contact Us

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

  • Privacy
  • Cybersecurity
  • Data Strategy
  • Disruptionware

COVID-19 & Cybersecurity: What Companies and Employees Should Know About Remote Working

Share

The spread of COVID-19 has prompted an enormous shift by organizations to the use and implementation of remote working solutions for a wide range and number of employees. Unfortunately – but perhaps not surprisingly – this shift has provided malicious cyber actors with additional ways to infiltrate remote use networks. The spread of COVID-19 has brought with it a huge surge in data security incidents, as hackers look to exploit new organizational vulnerabilities and distracted and overburdened IT security personnel.

It is understandable that most employees may not have cybersecurity at the forefront of their minds at this time. However, malicious actors have sought and inevitably will continue to seek to exploit the fact that employees – and especially those employees who are new to remote working solutions – currently are less observant about detecting cyber-attacks. Attempted attacks have targeted organizations across all industries, and COVID-19-related cyber-attacks have included, among others, email phishing and business email compromise (BEC) scams. Thus, it is critical for organizations to recognize the current threat environment and maintain an enhanced focus on cyber defense.

In an attempt to assist organizations, the United States Cyber and Infrastructure Security Agency (CISA) recently issued an alert highlighting key cybersecurity considerations and defensive steps that organizations can take to prepare for and combat the rise in cyber threats seeking to exploit remote working solutions. CISA’s alert advised organizations to be aware of the following potential issues related to remote working:

  • As more organizations use virtual private networks (VPNs), more VPN vulnerabilities are being found and targeted by malicious actors
  • Organizations traditionally have been less likely to keep VPNs updated with the latest security updates and patches
  • Malicious actors are increasing the use of phishing emails targeting remote working employees
  • Organizations that do not use multi-factor authentication (MFA) for remote access are particularly susceptible to cyber-attacks
  • Organizations may have limited VPN connections, potentially causing critical operations to suffer

In response to these new remote working risk considerations, CISA recommended that organizations take the following steps to protect themselves:

  • Regularly update VPNs, network infrastructure devices, and devices used to access systems with the latest software patches and security configurations
  • Alert employees to increased phishing attempts and how to prevent these attacks from working
  • Ensure IT security personnel are prepared to address remote access security issues
  • Implement MFA on all VPN connections – especially for those remotely accessing a network
  • Ensure that IP security personnel test VPN limitations and prepare for mass usage
  • Contact appropriate law enforcement or regulatory agencies to report cybersecurity incidents or attacks

In a separate alert, CISA also addressed the rise in COVID-19 phishing and scam emails and advised organizations to exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink. CISA further advised that organizations should notify their employees to be wary of social media pleas, texts, or calls purportedly related to COVID-19.

CISA advised organizations to instruct their employees to take the following precautions in order to prevent against victimization by COVID-19 scams:

  • Avoid clicking on any links in unsolicited emails and be wary of email attachments
  • Use only trusted sources with fact-based information on COVID-19
  • Do not reveal personal financial information in email, and do not respond to solicitations for this information
  • Independently verify an organization’s authenticity before making a donation

In addition to the foregoing, organizations would be wise to ensure that their cyber incident response plan addresses and contemplates potential issues and concerns arising out of remote working. Moreover, organizations should confirm that their crisis management and incident response plans are executable by a remote workforce – including remote IT personnel.

COVID-19 has caused significant disruption to the operations of most organizations throughout the country and, in many cases, employees have understandably lost focus on cyber security. Hackers and malicious actors are seeking to exploit this situation. Therefore, it is crucial that, even in these difficult times, all organizations remain vigilant in their cyber defense. Faegre Drinker’s Privacy, Cybersecurity, and Data Strategy team is available to assist with any COVID-19-related cybersecurity incident planning and response.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Peter Baldwin

Peter Baldwin draws on his experience as a former federal prosecutor to counsel clients facing government investigations and cybersecurity issues. View Peter's full bio on the Faegre Drinker website.

About the Author: Jason G. Weiss

Jason G. Weiss leverages a past career as a cybersecurity and computer forensics Supervisory Special Agent with more than 22 years of decorated service at the FBI to guide clients through the complex and high-stakes issues associated with cybersecurity incident preparedness and response and compliance. View Jason's full bio on the Faegre Drinker website.

Receive Email Alerts to New Articles

SUBSCRIBE

March 26, 2020
Written by: Peter Baldwin and Jason G. Weiss
Category: Cybersecurity, Privacy
Tags: Coronavirus, cybersecurity, data privacy

Post navigation

Previous Previous post: $100,000 HIPAA Settlement With Solo Physician Practice
Next Next post: New York’s New Data Breach Notification Law: What Businesses Should Know

Search the Blog

Sign Up for Email Alerts

PODCASTS

Faegre Drinker on Law and Technology

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

  • About Us
  • Additional Resources
  • Contact Us
We use cookies to improve your experience with our website. By browsing our site, you are agreeing to the use of cookies. For more information about how we use cookies, please review our privacy policy and cookie policy. OK
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT