Coronavirus disease, which is also known as COVID-19, poses a number of significant challenges to business organizations.  Many businesses plan to address these challenges by encouraging or even requiring remote work by implementing telecommuting or work-from-home (WFH) programs. Organizations as disparate as hotel chains, major universities, and even the Internet Corporation for Assigned Names and Numbers (ICANN), which administers many of the domains that make up the web, are all de-centralizing their activities and requiring people to work remotely. For many organizations, this will be the first time that they have deployed widespread telecommuting or WFH programs, and it will present a significant technical challenge. However, in the rush to make such remote work programs operate at scale, organizations should also consider the significant privacy, data protection, and cybersecurity risks that they will face.

Baked-in online vulnerabilities could expose data and communications

The primary remote work privacy, data protection, and cybersecurity risks flow from the fact that the organization’s entire data and communications infrastructure is now being examined remotely by numerous people.  In a normal work day, even if most of one’s proprietary data is being hosted in the cloud, this data is usually accessed and utilized within the secure confines of the business itself. In the crisis telecommuting circumstances in which we find ourselves, this same information is being pulled in hundreds or thousands of directions.

At each workers’ home, the security of their own setup will eclipse the organization’s data security. The more individualized, personal networks that are rushed into service by one’s employees, the more likely it is that these networks will be unsecure. For example, the security settings on an employee’s home wifi network may be non-existent or they may piggyback onto a public wifi system. Any of these unsecure options could enable a third party who has compromised that network to gain access to the organization’s supposedly bullet-proof network and expose data to opportunistic cyber eavesdroppers who exfiltrate data, steal passwords, and engage in much more mischief. These strained, varied security circumstances increase the conceptual surface area of an organization and concomitantly increases the risks of accidental breach. Moreover, these risks extend beyond data at rest and may extend to businesses’ internal communications.

In a conventional office, workers communicate in onsite meetings and brainstorm in the break room. If an organization utilizes a work-focused electronic collaboration platform (such as Slack or Microsoft Teams) that messaging will generally only be viewed within the physical and conceptual space of the company itself.  In a remote work world, all of those communications will be read and distributed outside of the business. Suddenly, the types of candid, unpolished conversations that make work operate faster may be at risk of exposure.

Unfamiliar new online tools could also confound privacy, data protection, and cybersecurity efforts

Remote workers use a variety of software and hardware that can be different from the standardized equipment when they are physically located in the office. In many cases, this means there are no set policies and procedures for using the new equipment.  Even where there are well-established policies, the newly-minted remote workers have no experience using those policies, if they have ever read them at all.  Even if remote workers have consumed and understood all of the relevant policies, they are simply not used to using the equipment. This unfamiliarity can lead to enormous, if innocent, operational security failures.

Mixing business with pleasure can multiply security concerns

Remote workers often utilize the same software and hardware to manage their personal and work lives. This can multiply the risks posed by the workers’ personal online lives.  All of a sudden, online dating and clicking on memes can carry heightened operation data risks. Moreover, while the company could implement patches and updates remotely, one will likely have to rely upon the remote worker to enact necessary security tweaks and upgrades. Remote workers may not focus on enacting these security tweaks.  Sometimes this failure may result from simple inattentiveness but other times the remote worker may feel their personal privacy is threatened by the process.

Different expectations of privacy between work and home

Remote work can blur the lines between home and work privacy.  Employees generally have more limited privacy rights “at the office” – in workspaces that belong to the employer – than in their private homes.  These workplace limitations on privacy may also extend to employer owned computers and devices. Companies routinely monitor or search work computers and phones, consistent with their policies.  Remote workers may not appreciate that they are bringing their employer and its policies home with them.  Similarly, employers’ policies and practices may implicate the privacy interests of its employees—as well as their families and cohabitants—when newly applied in remote personal spaces.

Privacy, data protection, and cybersecurity litigation risks

The worst case scenario will involve novel litigation about WFH privacy, data protection, and cybersecurity risks.  While that potential litigation is worth contemplating, the next pragmatic step for organizations involves actually minimizing those risks.

Best practices and hacks

Remote workers must take the following steps to minimize privacy and cybersecurity risks:

  • First, always keep work and leisure separate. Where possible, they should use separate machines. Therefore, it would make a lot of sense to do all of one’s social media or web browsing on a mobile device and all of their work on a laptop. Often people use the same device for both, which can work but requires intellectual discipline, training, and clear employer policies. This work/play separation should also be true for passwords and logins. Always keep personal passwords separate and distinct from work passwords.
  • Second, do not use unsecured wifi or Bluetooth. A public Wi-Fi network or Bluetooth is inherently less secure, because you don’t know who set it up, or who else is connecting to it. In a perfect world, one should never use public wifi. However, for the times that’s not practical, you can still limit the potential damage by: (1) sticking to well-known public networks that are more likely to adhere to certain standards, (2) look for password protected networks, (3) limit your data use across those networks, (4) stick to “HTTPS” connections rather than unsecure HTTP connections, and (5) utilize a VPN, which will encrypt your data traffic.
  • Third, take steps to minimize the impact of a stolen or misplaced laptop. Are there remote features that can remotely brick the device or render the data unreadable? Is the cloud being used strategically to reduce the impact of a lost device?
  • Fourth, engage in regular information hygiene. This can vary by industry but, for example, after completing a project, ensure a client’s data has been encrypted, backed up to secure location, and completely erased from its local savepoint. Consider a policy that client data cannot be sent to and from a mobile device (including offsite laptop) unless it is encrypted.
  • Fifth, religiously install all security updates. To ensure this, companies should consider requiring that devices be brought into the office periodically for security hygiene “check-ups.”

From an organizational standpoint, there are plenty of best practices for security and remote working:

  • Develop and scrutinize your remote working policies and procedures, including how to utilize specific types of devices. One should also consider developing separate remote working v. employer-owned workspace policies
  • Only allow approved devices to connect to company networks.
  • Consider encryption policies for all data transfers.
  • Evaluate Mobile Device Management (MDM) and Mobile Application Management (MAM) platforms that can help to secure remote workers’ data and enforce the company’s security policies.
  • Scrutinize your access protocols. Best practices dictate use of two-factor authentication technology for accessing the organization’s networks, electronic mail, and data.
  • Consider drafting physical security protocols for remote workers. The fact is that many workers have relied upon the business’ physical security safeguards but now may place company assets at risk.
  • In light of the potential for extended office closures, the partially abandoned offices may now be at a new kind of risk. Organizations should ensure that proper security measures and access controls are in place to secure physical and information technology assets for the largely empty offices.