Working Remotely? Here Are 4 Often-Overlooked Steps That Secure Your Data
The private sector could learn a great deal from the federal government about securely managing teleworking employees. If we follow its lead, there are many steps for securing data that can be implemented quickly and inexpensively.
July 10, 2020 at 10:30 AM
9 minute read
The original version of this story was published on Legal Tech News
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
Most businesses either shut down temporarily or sent all their employees home to telework by mid-March of this year. By the time you read this, Americans will have been working from home for more than three months. This has never happened before in this country during the age of technology. As millions of Americans logged on to their home networks and personal desktops, laptops, tablets and mobile phones in an attempt to keep their companies afloat, cybersecurity issues rose to the forefront of the many issues that companies had to manage. Many corporations, and law firms in particular, have already suffered breaches. Many are unaware that a breach has even occurred. American industry was not and is still not adequately prepared for this transition. The responsibility to keep corporate and client data safe is shared by the company and the employee.
The private sector could learn a great deal from the federal government about securely managing teleworking employees. The federal government has an extensive telework program run by each agency. The rigor of each program largely depends on how data is classified within that agency. Even with different protocols across agencies, the government overall knows how to securely manage thousands of teleworking employees. If we follow its lead, there are many steps for securing data that can be implemented quickly and inexpensively. Here are four categories of cyber strategies that can be implemented for large-scale teleworking with very little effort.
|The Three A's: Assets, Antivirus and Additional Protocols
Private sector businesses should learn to follow the federal government's process for telework regarding assets and devices. Federal employees that telework are typically issued a federal asset or device, like a laptop or tablet instead of a desktop. The laptop is given an agency-specific image that includes antivirus software and an approved access portal like Citrix.
If your company or firm cannot issue a standard device to each employee, then require each employee to have an approved antivirus subscription. Your IT department or IT person can select an AV program that best interfaces with your network configurations. It is important to understand that having more than one type of AV subscription on any device can cause problems for the device. It is best to remove old AV applications from your laptop if you are going to download or upload a new AV subscription. The benefit of distributing company-owned devices is that the company can control the who, what and how of its employees touching the network. Additionally, the data on the device can be collected — even remotely — and preserved for human resources and litigation purposes.
Last, in the federal government, agencies rely on third-party threat intelligence feeds to determine which websites are dangerous. The lists allow websites to be blacklisted and whitelisted by an entity. In the private sector, companies can subscribe to commercial sites like FireEye, ThreatConnect, Flashpoint, CrowdStrike, etc., for subscriptions that monitor third-party threats. Anyone can research the best option and pricing for their entity. These steps are the responsibility of the company and can be relatively inexpensive to implement.
|Reboot, Reboot and Reboot Some More
Employees need to be active partners in the protection of company and client data. Once employees are working from home, they should create a rebooting schedule for all their assets. Let's start with Wi-Fi routers. Home Wi-Fi routers should be rebooted at least once a month if you connect work-related assets to your home Wi-Fi. Routine helps. It is recommended to turn the router off and then unplug it for five minutes. After five minutes, plug it back in and wait for the lights to come back on. Rebooting the router serves the same purpose as rebooting your laptop; it allows updates and clears out the garbage. It also serves the additional purpose of increasing your Internet speed.
Second, your laptop should, ideally, be shut down every day (not restarted). If you forget to completely shut down at least once daily, try to do it at the end of your workweek. Save and close all open documents and programs and shut down your computer. This allows Microsoft programs to run updates and to clear out any temporary files. Many updates are security patches. Maintaining updated security patches is a must if you want to protect your asset or device from ransomware.
Last, your mobile device should be powered off every night and allowed to fully reboot. Many employees conduct work on company distributed mobile devices as well as personal mobile devices. Emailing, texting and Web surfing are common activities on mobile devices. Rebooting a mobile device serves the same purpose as rebooting your laptop: updating applications and cleaning out temporary files, including harmful ones. Routine in this respect helps too.
|Too Many Passwords
Federal agencies have multifactor authentication for many applications and passwords expire at least every 90 days. You must have a PIV card, a username, a password and a pin. It is difficult to keep up with all that, especially the passwords. However, it is important to know that every password you have ever had, has been captured and put on the Dark Web. Every. Single. One. The only weapon in your arsenal against the stolen password is to change them frequently. Government agencies require it and have hundreds of help desk employees who mostly reset passwords. If you do not believe this to be true, go to https://haveibeenpwned.com and put in any of your email addresses. It will instantly tell you how many times you have been "pwned" (from gamer-speak for being "owned" or dominated by another player). Then learn to change all your passwords, frequently.
If you like password managers, use one. There are several apps that will help you manage the myriad passwords that you must have. Use one for work-related passwords. Don't use a password manager for non-work-related websites. Just click "change password" and select the recommended password. The recommended passwords are long and complex. Don't write them down. Just change them again the next time you visit the site. Again, this works for anything that is not work related. It also keeps you from using a variation of the same password over and over again and getting pwned. If you can manage it, add facial recognition to your laptop. Utilizing the facial recognition feature of your laptop will help you get into your laptop and keep everyone, except your twin, out.
|Zoom and Teams (but Primarily Zoom)
Zoom is a great tool to use to connect with your colleagues, clients, friends and family members. Zoom is what conference rooms used to be for millions of people. However, wherever people go, hackers go. There are thousands of fake Zoom sites that are presumably created to capture Zoom IDs and passwords. Fake Zoom links are used for phishing. Zoom bombing (joining a meeting uninvited) is used to steal confidential information and/or trade secrets and harass legitimate attendees. The following tips will help you have a secure Zoom experience.
- Instead of using your unique Zoom ID for all meetings, allow Zoom to issue an ID for meetings where confidential information will be shared. When the meeting is over, the ID alone will have no value.
- Use a password. If the meeting has a unique ID and a password, it will be nearly impossible for Zoom bombing to occur.
- If you are the host of the meeting, use the Zoom waiting room. The Zoom waiting room requires attendees to be admitted one at a time by the host. This is time-consuming for large meetings, but if knowing who is attending your meeting is important to you, the Zoom waiting room is the equivalent of roll call.
- Do not share your Zoom ID with anyone you don't trust, including family members. Untrustworthy people have family too. If hackers have your personal Zoom ID, it is just a matter of time before your password can be cracked.
- Upgrade to a paid account. The paid Zoom account has end-to-end encryption, encryption at rest and encryption in motion. What does that mean? It means that without the Zoom ID, the password and admission from the waiting room, there is no way to decrypt the conversations within the Zoom meeting.
Please, use all five of these safeguards for work-related meetings. In fact, use these safeguards for all Zoom meetings. These precautions are important, easy to implement and all but one are free.
Why not just use Microsoft Teams? Microsoft Teams is another great tool for audiovisual conferencing, and the security and safety of Teams is great. However, not even half of all federal agencies have Teams capabilities. Using audiovisual conferencing tools was not the norm for federal employees. Until the COVID-19 pandemic of 2020, most federal employees attended meetings in person or via conference call. Therefore, these Zoom tips are for federal agencies too.
The above tips are the least burdensome and least expensive protocols that any individual or organization can put in place to keep company and client data safe while teleworking. These are mostly procedural steps that can make it more difficult for ransomware attackers to breach your organization. Trying to get past multifactor authentication takes a great deal of effort, and if you reboot and change your password frequently enough, hackers just move on to the low-hanging fruit. Do not be the low-hanging fruit.
Kenya Parrish-Dixon, Esq., is a leading expert in e-discovery, information governance and records and information management with a cybersecurity focus. She is general counsel for the cybersecurity startup Empire Technologies Risk Management Group and can be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllSink or Swim: The Evolving State of Law Firm Administrative Support
Trending Stories
- 1Infant Formula Judge Sanctions Kirkland's Jim Hurst: 'Overtly Crossed the Lines'
- 2Election 2024: Nationwide Judicial Races and Ballot Measures to Watch
- 3Guarantees Are Back, Whether Law Firms Want to Talk About Them or Not
- 4How I Made Practice Group Chair: 'If You Love What You Do and Put the Time and Effort Into It, You Will Excel,' Says Lisa Saul of Forde & O'Meara
- 5Abbott, Mead Johnson Win Defense Verdict Over Preemie Infant Formula
- 6How Much Does the Frequency of Retirement Withdrawals Matter?
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250