Cyber attacks were a serious risk even before the COVID-19 pandemic. As many organizations have instituted work-from-home procedures, the risk is elevated. The increase of non-standard communications, the use of new and untested remote working arrangements and a heightened level of stress and anxiety all create new vulnerabilities for threat actors to take advantage of. Incorrectly addressed emails, theft of company devices and a massive increase in remote connections all increase the risk of a successful cyber attack. Ransomware attacks remain pervasive and may be particularly difficult to address during the COVID-19 crisis. A successful ransomware attack could cripple an organization’s operations, taking out key digital communication and collaboration tools at a time when workarounds and response efforts may be frustrated by social distancing requirements. To further increase the stakes, incidents and cyber-attacks connected to remote working could be reportable under applicable privacy legislation and lead to class actions from affected parties. Given all of this, ensuring that appropriate cybersecurity measures are in place is as important now as it has ever been.
The following checklist is intended to identify some steps that may be taken to limit cyber risks during these challenging times.
1. Have a mobile device and remote working policy in place, and update it if required. If your organization aligns with a security standard (e.g. ISO 27001 or NIST) then ensure that the policies comply with the applicable requirements. These policies should cover the rules and safeguards applicable to remote working, including who can work remotely, what systems are available remotely, what information can be accessed remotely, what access controls are to be applied and how devices and sites are to be configured and protected.
2. Provide information and training to employees, including to:
- identify and avoid phishing emails and websites;
- follow best practices when clicking links and downloading files, particularly from unsolicited and suspicious emails;
- lock computers and paper documents when away from the desk, even if the home seems secure;
- limit printing and shred paper documents if no longer needed, or lock the documents until they can be shredded;
- avoid use of personal email, file sharing or communication services, and always use business accounts;
- avoid saving passwords, work-related emails or documents to personal email accounts, cloud databases and devices;
- not send sensitive information over email (and identify specific types of sensitive information in the organization and implement a secure means of transferring such information);
- only use work-approved software systems and communication platforms;
- ensure others in their surroundings cannot overhear conversations in work-related telephone calls and video-conferences;
- not leave devices and paper documents in vehicles, even for a short time, and even if the vehicle is locked;
- not use unsecured or public Wi-Fi;
- not engage in non-work web surfing or music and video streaming on the work virtual private network;
- verify the security of electronic devices by updating software frequently, ideally with automatic updates; and
- remind employees of acceptable use policies and existing security guidelines.
3. Prohibit access to websites that traffic in pirated content and illicit material (such sites are known to be used for cyber attacks).
4. Your organization’s security measures may be subject to various requirements, including any security standards you align with (e.g. ISO 27001 or NIST), regulatory requirements and privacy legislation (e.g. PIPEDA’s requirement to maintain appropriate safeguards). As your technology environments and practices evolve to address the challenges presented by the COVID-19 pandemic, ensure that this is done in compliance with those requirements.
5. Encrypt all hard drives and thumb drives.
6. Ensure that devices are patched, and that anti-malware and anti-virus software are installed and up to date.
7. Set up multi-factor authentication that requires users to enter multiple “factors” to access a system and/or electronic devices. These factors may include, for example, logging in with a username and password and entering a special token or code issued by a smartphone application. Multi-factor authentication should be mandatory for all users.
8. Where possible, implement data loss prevention tools to block saving files to local devices, access to data sharing sites and printing to home printers.
9. Use software that adds an “external” notice to emails sent from outside of the organization.
10. Send notices to service providers about expectations, including any specific security requirements of the organization.
11. Your service providers may not be able to meet certain requirements that they have previously committed to (e.g. an express requirements that their employees do not work from home). If your service providers ask for waivers from those requirements, carefully consider the implications of doing so and how appropriate security can be maintained in connection with any waiver.
12. Be prepared for a cyber-incident, including:
- Update your cyber-incident response plan, print a copy and keep it in a safe place, and send a copy to legal counsel. You don’t want to get hit with a ransomware attack and discover you don’t have access to your response plan! Take the same steps with any insurance policies.
- If you don’t have a cyber-incident response plan, establish one as soon as possible. The plan should start with an engagement of the organization’s core response team, legal counsel, cybersecurity response consultants and a forensic auditor.
By Jade Buchanan, Michael Scherman, Alyssa Leung, Barry B. Sookman, Christine Ing, Daniel G.C. Glover and Charles S. Morgan
- Should directors consider creditors’ interests when a corporation is near insolvency? - November 21, 2022
- Domestic violence: Obligations and responsibilities of employers in Quebec - October 26, 2022
- An evolving digital privacy landscape—Comparing the federal Bill C-27’s CPPA to Quebec’s Bill 64 - October 24, 2022