Your Cybersecurity Program During the Pandemic: Check-Ins and Updates to Do Now and in the Long Term
Data Privacy & Security Alert 04/01/20 Heather L. Buchta
With our country necessarily focused on fighting the coronavirus, our organizations are left even more vulnerable to a cyberattack. There was a significant increase in the number of ransomware attacks in 2019 and we expect that trend to continue, especially in light of the pandemic. We have already seen a trend in the last 12 months that ransomware and phishing attacks have been focused on several types of organizations: healthcare, education, managed service providers, manufacturers that use ERP systems and governmental agencies. These are the exact entities at the forefront of the pandemic. Healthcare organizations are focused on serving an increased volume of patients suffering from the virus. Educational institutions have gone completely online, virtually overnight. Managed service providers are straining against the increased demand of their clients. Manufacturers (particularly in the paper goods industry and the medical supply industry) are feverishly trying to keep up the supply chain. States, cities and counties have all entered crisis mode, trying to maintain a sense of calm within communities. With so much focus diverted to the physical and mental health of society, bad actors will inevitably attempt to exploit the diversion.
As everyone struggles to be productive and get work done, the risk is increased that security corners will be cut and shortcuts taken. Different workflows and different routines, compounded with distractions, can lead to cybersecurity errors that would not otherwise happen. You can never eliminate the risk of a ransomware attack or a phishing attack, but timely reminders to business teams can help emphasize the risk and bring cybersecurity protections back into your team’s peripheral vision.
Here are some steps you can take now to check the efficacy of your cybersecurity program and to lay plans for its next upgrade. Taken together, they reduce your potential losses, the risk of litigation and the likelihood of governmental fines and penalties, and they protect the reputation of your organization.
Short-Term Mitigation Steps
Take 15 minutes to do the following while we are mid-crisis:
1. Employee Training and Procedures for Handling Personal Information
Send out reminders to employees to question emails, texts or other communications that seem strange and to maintain custody of laptops, keeping them locked and encrypted. Lots of people are working from home, so employees may be tempted to give more credence to communications that come from unfamiliar email addresses. Remind workers to question everything that looks remotely suspicious and not to click on links. The mobility of technology, while allowing us all to work from home, necessarily means that devices that were once locked in a secured commercial building are now in our homes.
While IT and legal may lay the policy groundwork for data security, data security and privacy are implemented daily by every employee. They require the vigilance of everyone in the organization. In the short term, look at the unique implementation of “shelter-in-place” or “safer at home” orders as it relates to your business and your team. Are there specific processes people should be following for downloading material from the company network? Can employees print at home? What protections are there for hard copies of data printed remotely? Are there specific access protocols that need to be changed or strengthened to allow remote access without opening back doors into your systems? Send out updated communications, and revisit them regularly, even weekly during this pandemic, so that best practices keep pace with the issues you see arise.
2. Check in with your service providers.
Just like you, most of your service providers are working from home. Contact your representatives and check to see what additional security protocols they are implementing to ensure the security of your data. Don’t be afraid to ask questions and get documentation. Good service providers have business continuity plans in place to be initiated in times of disaster. They should already have protocols in place for these scenarios. If they didn’t have protocols already in place, at a minimum get written assurances of the protections being implemented. Send yourself a reminder to check the expiration/renewal date of the contract so you can look at potential replacement vendors.
3. Don’t Forget Changing Privacy Laws.
At this time, we are hearing that the California Attorney General is not going to delay the enforcement date for the California Consumer Privacy Act (CCPA), set to begin July 1, 2020. As a result, although many companies are trying to funnel resources into more critical projects, or are pulling funds for non-essential projects, carefully consider whether CCPA is critical, or at least higher risk to your business, and budget accordingly.
Long-Term Plans
It is never fun to have business slow or come to a halt. In particular, if you are one of the businesses hardest hit by the significant economic shutdowns, try to use some of this time to take a bigger picture look at your cybersecurity program.
Industry best practices dictate, and in many states, statutes mandate, that companies have a written cybersecurity program. Look at what policies and procedures you have in place across the organization and take some time to evaluate your practices. Some things to consider in the longer term:
1. Develop, Implement and Maintain a Written Comprehensive Cybersecurity Program.
Many organizations have sophisticated IT information system structures with plenty of technical solutions in place to reduce the risk of a cyberattack, but they are spread over the organization in different business units and different groups.
Assess those existing policies and pull them into one program. If you have gaps, fill them in now while you have time. The regulators say that your cybersecurity program must be in one or more “Readily Accessible” parts and contain administrative, technical and physical safeguards appropriate to the type of business, resources of the organization, amount of data and the need for security of employee and consumer data.
Consider identifying a Chief Information Security Officer or at least a designated employee responsible to coalesce the Program and bring it up to date.
We often put these longer-term projects off because of the traditional pace of business. As there is nothing “traditional” about business right now, now could be the time to assess where your security structure sits at an organizational level.
2. Make Sure Your System Has Sufficient Physical, Technical and Administrative Safeguards.
In some instances, state laws go into great detail about the types of safeguards which should be in place to ensure protection of personal information. Some of the more common ones include:
a. Restrict physical and electronic access to data except for authorized users.
b. Use encryption in motion and at rest.
c. Use robust user authentication. We cannot emphasize enough the importance of multifactor authentication in these situations.
d. Monitor systems for unauthorized use or access of personal information.
e. Use firewalls and conduct penetration testing.
f. Use up-to-date malware protection software and apply software patches promptly.
3. Employee Policies.
As part of your program, what employee policies do you already have in place? Do employees understand what personal information is and how they can use it? Do they know who can access it and where they can send it? What training do you already have in place for these employees? Develop security policies for employees relating to the access, use and transfer of personal information and include disciplinary actions for violations of the rules. Do not forget to include policies and processes to protect data from access by terminated employees who may have had remote access during this shelter-in-place period.
4. Service Providers.
Look more long-term at your service providers. Your service providers are critical to your data privacy and security program for two reasons: liability for data breaches and regulatory liability for misuse of your data. Evaluate your contractual provisions now with key vendors. Look at expiration and renewal dates and consider what contractual modifications you may need to strengthen vendors’ data security representations and processes and to limit vendors’ use of your data. Beware of situations where you have been doing business with a service provider “forever,” as these are the situations with the most potential vulnerability: those protections may never have been put in place, or there may be no contractual obligations on the service provider to protect you in the case of a breach.
5. Buy Cybersecurity Insurance, But Make Sure You Know What You Are Buying.
If you have been on the bubble about whether to purchase cybersecurity insurance, now is the time. You are going into a rocky time and this is when you are most vulnerable to possible attacks. Remember however that $10,000 of coverage does not begin to cut it. The cost of a data security incident can run into the millions. So don’t be penny-wise and pound-foolish. The time to buy is not after you have the breach. Look at your options now. Talk to your insurance broker. We are expecting to see rate increases this year so sooner is better than later to explore your options.
6. Perform an Annual Review of the Program and a Review each time there is a Material Change to Business Practices.
Regulators require that you review your privacy program at least annually or when there is a material change to business practices. It is very likely that a regulator would find that the current situation in which we find ourselves is in fact a material change to business practices for all organizations. Again, take the time now to take note of your system issues and risks, so you can build those into your cybersecurity program going forward. These programs are not static, but have to change with the times. Take the lessons from the challenges your data privacy and security face now and use them to build a stronger program.
7. Document, Document, Document.
Document responsive actions taken in connection with any incident involving a breach of security, and engage in mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
Every business challenge presents an opportunity. The struggles of working from home and a pandemic-induced economic downturn are not things any of us anticipated having to deal with in 2020, and they are very serious. Let’s remind our teams that there are still criminals out there knocking on the door of your computer systems every day, and remind them how to guard against those bad actors. These actions will lead to better policies, processes and procedures that can pay off in the long run.