Cybersecurity Risks in the COVID-19 Era

By Alejandro H. Mercado Martinez, Esq., author of Descubrimiento de información electrónica en Puerto Rico


By now you have probably come across innumerable articles and postings about the cybersecurity challenges that remote working arrangements may pose for organizations because of the COVID-19 pandemic.

This might therefore be one of those many articles that you have stumbled upon and senselessly decided to ignore. Nonetheless, as the saying goes, «no man [or woman] learneth but by pain or shame.»

As such, if you do not want to fall victim to a cybersecurity blunder and be the next headline story of a massive breach, I strongly encourage you to spare a few minutes of your precious time and read on.

Once done, I guarantee you will be convinced that it was a time well invested.

Increased Cyber-Attacks and Hacking Attempts

Think about it.

Because of the health and financial crisis brought about by the COVID-19 pandemic, organizations around the world have had no choice but to transfer their operations to remote «at home-employee access» locations in an attempt to stay afloat economically.

Overnight, employees have unexpectedly seen themselves placed in the front lines of cybersecurity defense.

In the wake of this ramped-up remote access to corporate servers, cybercriminals have been naturally trying to capitalize on the heightened tension by being more ruthless and persistent in their malicious attempts to exploit remote access and teleworking capabilities.

This risk is heightened by the fact that many of the security software and hardware controls provided by companies, such as Intrusion Detection Systems, are not generally deployed in personal home networks.

On top of this, corporate security controls and IT operations are being strained simply because IT teams are, for the first time, having to address remote workforce problems and implement provisional IT solutions in an expedited manner to confront these increased risks.

According to the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and the Federal Bureau of Investigation (FBI), ever since mid-March, during the rise of the pandemic, there has been a steady increase in the volume and scope of cyber-attacks against company employees working remotely, carried out through COVID-19-themed phishing and ransomware campaigns, remote access desktop control attacks, and distributed denial of service (DDoS) attacks.

Presently, the FBI’s Internet Crime Complaint Center has reported receiving more than 3,600 COVID-19-related complaints.

By the same token, some security experts have reported that in the span of just a few weeks online threats have risen six-fold or 37% on a monthly basis compared to the normal level of threats generally monitored. With this in mind, another key point that should not be overlooked is the time it generally takes for businesses to discover and contain a breach.

According to a 2019 study performed by the Ponemon Institute on behalf of IBM, the average time required to discover a breach is 197 days, and the average time to contain it is 69 days.

Given these points, the risks are undoubtedly real and must be addressed.

Limited Relief in Regulatory Enforcements

All things considered, the foregoing circumstances are coupled with the challenges caused by the limited relief of regulatory requirements. As of this date, only a handful of regulators have agreed to ease some of the regulatory burdens.

However, the general trend appears to indicate that federal and state regulators will maintain, if not reinforce, data security and privacy compliance. In fact, and despite these limited waivers, the Department of Health and Human Services’ Office for Civil Rights has declared that it still expects all covered entities and business associates to comply with HIPAA’s Privacy and Security rules, irrespective of the emergency situation. Other countries have assumed a similar stance.

For example, the European Union’s Data Protection Board (EDPB) recently made clear that organizations are not exempt from complying with the General Data Protection Regulation despite the operational challenges brought about by the pandemic.

At the state level, New York’s most recent amendment to its data breach notification law, the «Stop Hacks and Improve Electronic Data Security Act», and its corresponding data security requirements, went into effect despite the state being the epicenter of the pandemic.

Likewise, California’s Attorney General has declined to heed the calls from businesses and trade groups to delay the California Consumer Privacy Act’s enforcement date set for July 1, 2020.

Actionable Recommendations

So what considerations should businesses take into account in order to protect themselves and overcome these challenges? First, companies may want to adopt Multifactor Authentication (MFA) methods, if not already in use, and verify that administrative accesses are restricted in accordance with roles and job descriptions.

Organizations may also want to consider Mobile Device Management (MDM) solutions for their business – if not currently in place – inasmuch as they allow businesses to manage how employees use and access company data on their mobile devices, and restrict the installation of unreliable applications and software.

Although the use of company-issued devices is preferable, to the extent that some members of the workforce are using their own personal devices to perform their duties, organizations should similarly guide employees in implementing adequate security measures on such devices, including the installation of anti-virus software and firewalls, and the configuration of browser privacy and security settings.

It is also recommended that the network connections of other local employee devices, such as printers and USB devices, be secured, and that encryption at rest and in transit be used on the devices and removable media that employees use to perform their responsibilities.

Equally important, employees should be alerted to the common cyber-attacks currently being employed and trained on how to detect and handle them.

They also need to be reminded of the importance of verifying the accuracy of email addresses, of not accessing links or downloading attachments from unrecognized sources, and of refraining from sharing information with unintended recipients or in response to calls from unfamiliar sources.

In the same fashion, password management policies and procedures need to continue to be strongly enforced. Above all, companies should also review their current Incident Response Plans (IRP) and Business Continuity Plans (BCP) to determine whether they are adequately geared towards remote work and secure access to their information systems.

In the event that no relevant guidance is in place, now is definitely a good time to review your organization’s privacy policies and security guidelines. Moreover, it is essential that organizations ensure that the security software on employee devices, and the Virtual Private Network (VPN) connections that employees use to access their information systems, are appropriately patched.

At the same time, organizations should make sure that they have robust and segregated backups of their critical information systems. In terms of outside vendors, organizations are strongly encouraged to have them acknowledge their continued commitment to comply with their ongoing obligations and outline the remote work protocols and/or security measures that have been implemented to mitigate the cybersecurity risks associated with the pandemic.

This is a good practice to the extent that the contracting entity may ultimately be held liable for its subcontractors’ acts and omissions and, depending on the contractual relationship between the parties and the nature of services, force majeure defenses will most likely serve as grounds for disagreement.

Last, but not least important, companies should carefully review the language of their cyber insurance policies so as to understand how coverage applies and determine whether their terms adequately cover the organization’s contemplated risks. Failure to do so may translate into greater risks that could result in loss.