Is Your Business Protected? Cybersecurity Risks and the Remote Workforce

Due to the issuance of Executive Order 2020-110 on June 1, 2020, this article has since been updated with new information.

On March 25, 2020 Governor Whitmer executed the state’s “stay-at-home” order to reduce the spread of the novel coronavirus (COVID-19). Following the implementation of that order, businesses had to immediately redefine continuity plans in order to keep employees working and to keep their business running. Organizations have started to utilize virtual desktop infrastructure (VDI) and desktop as-a-service (DaaS) applications to allow employees to connect to company data using remote devices, such as laptops. Some businesses have utilized virtual private networks (VPNs) to allow employees to “tunnel” into office networks. In addition, the use of cloud collaboration suites, file sharing solutions, and video conferencing tools such as Zoom, have become the norm.

On June 1, 2020, Governor Whitmer executed Executive Order 2020-110, effectively lifting the “stay-at-home” order and allowing some employees to physically return to work; however, Executive Order 2020-110 states that “[a]ny work that is capable of being performed remotely must be performed remotely.” Thus, having employees remotely working is here to stay, at least for the time being. It is also likely that those employees who are permitted to physically return to work will have a hybrid schedule consisting of on-site and remote work.

Having remote employees dramatically increases a business' cyberattack surface, or all of the vulnerable points where a business is susceptible to cyberattack. Cybercriminals are keenly aware of this fact and cyberattacks are increasing dramatically. The following are just some examples of cyberattacks that businesses may be exposed to by the increased use of remote workers:

• Phishing
  • Phishing Attacks – Attackers pose as a trusted individual/business to trick the employee through the use of an email or instant message, into providing confidential data, such as credit card numbers or login credentials;
  • Smishing Attacks – Similar to a phishing attack but using text messages;
  • Spear Phishing Attacks – Email aimed at a particular individual or organization to gain confidential information. These emails generally appear to originate from an individual within the employee’s organization or someone the employee knows personally;
  • Whale Phishing Attacks – Phishing attacks that focus on a high-profile member of the organization. These attacks are aimed at high-level individuals to gain access to protected company information; and
  • Vishing Attacks – Vishing attacks are phishing attacks conducted by voice, VoIP (Voice over IP), cellular telephone or over a land line.
• Malware – A catchall term for malicious software: viruses, spyware, adware, trojans, etc.
• Ransomware – A form of malware that encrypts a user’s files and demands payment of a ransom to restore access to the data upon payment.
• Man-in-the-Middle Attacks – When a cybercriminal “listens in” on electronic communications between two parties by taking control of the communication or making themselves a “relay” between the two parties while stealing sensitive information from the communication.

Cybersecurity and data protection issues have been a long standing concern for employers. And in the remote working environment it becomes even more important for employers and employees alike to be diligent in their practices and to analyze potential risk. Every business should be asking the following questions regarding the technology in place allowing for remote work:

• Do you have policies in place covering acceptable use and best practices to safeguard all devices being used to conduct company business?
• Are your employees using company-supplied devices?
• If your employees are utilizing company-supplied devices, is your IT department deploying security updates to those devices?
• If using company-owned devices, do your employees know:
  • Who is permitted to use the devices?
  • Where the devices can be used?
  • What types of networks devices can connect to?
  • What application use is permitted/prohibited?
  • How they get assistance if something happens to a device?
• If your employees are using personal devices, what types of network security is being employed?
  • How to safely connect to your data?
  • How/where to store data that belongs to the company?
  • How is organizational data being backed up?
  • Security precautions they need, such as endpoint protection software?
• Do you have standards for internet connections for your remote workforce?
  • Do you permit connecting to company data from public/unsecured networks?
• Does your company have policies in place concerning best practices to safeguard data and systems?
• Do you have the right to wipe (erase all data) on an employee’s personal device in case of breach? Are you permitted? Do you know how?
• Are you requiring employees to use multifactor authentication (MFA) when available? MFA is a method in which a computer user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism.
• Does your company have cybersecurity training for all employees?
  • Has this training continued during this work from home state?
  • Do your employees know what to do if they suspect their device/data has been compromised?
• Do we have a response plan in the event of an attack or breach?

Preparation is the key to preventing and defending against cyberattacks. As remote working continues to be required and/or the preferred model of work now that the “stay-at-home” order is lifted, assessing the technology in use by your employees and the risk associated by that use can greatly reduce a company’s chances of being subject to cyberattack. 

If you have questions regarding how businesses, municipalities and other entities can be better protected against cyberattacks, contact the author, Mark Koerner, or another member of Foster Swift’s Cybersecurity Team. If you suspect that your organization has been breached or may be vulnerable to cyberattacks, you may also contact Foster Swift’s 24 Hour Cybersecurity Hotline at 517-FS1-TASK (517-371-8275) to speak to an attorney.

While the information in this article is accurate at time of publication, the laws and regulations surrounding COVID-19 are constantly evolving. Please consult your attorney or advisor to make sure you have the most up to date information before taking any action.