April 8, 2021

Protecting Information While Working from Home – One Year Later

One year after COVID caused companies to send droves of employees home to work remotely, how well did those employees do at protecting their clients’ and their company’s confidential information, and what can they do better as they continue to work from home?

Increased Exposure Due to Remote Workers

As employees transitioned to the work-from-home environment, the consensus was that the number of data breaches would potentially increase. The expectation was that having a dispersed workforce would create vulnerabilities that would not be present in an office environment. For example, instead of operating on the secured office network, people would have to access the network remotely from their less secure home Wi-Fi networks. Employees’ attention was also split between work and family tasks, and the employees could no longer walk down the hall to ask the IT department for help.

In its 2020 Cost of Data Breach Report, IBM Security reports that data breaches cost, on average, $3.86 million and took an average of 280 days to detect and contain. Customers’ personally identifiable information (PII) was the most frequently compromised type of data, and the costliest at about $150 per record. The four cost drivers of such breaches are detection and escalation, lost business, notification, and ex-post response. While the above numbers are based on data available from August 2019 through April 2020 and encompass only a portion of the pandemic-related shift to remote work, the amounts incurred as a result of data breaches during the pandemic are likely to be much higher. Seventy-six percent of the companies surveyed expected remote work would increase the time to identify and contain a data breach and 70 percent said remote work would increase the cost of a data breach. IBM Security found that having a remote workforce increased the average total cost of a data breach by nearly $137,000.

Cybercriminals Are Working Smarter, Not Harder

Cybercriminals appear focused less on stealing mass amounts of consumers’ personal information and more on attacking businesses through ransomware, a type of malicious software designed to block access to a computer system until a ransom is paid, and phishing attacks, the sending of a spoofed email impersonating a trusted source in order to obtain sensitive information or data. The Identity Theft Resource Center, a non-profit organization founded to provide assistance and consumer education, saw a recent shift away from mass cyber attacks seeking consumer information and toward cyber attacks that target businesses.  

Similarly, IBM Security X-Force, IBM Security’s specialized threat intelligence team, found that the number one threat type in 2020 was ransomware, which represented 23 percent of security events to which it responded, followed by data theft and server access. This is not to say that data theft, or the taking of sensitive victim data, is going away. X-Force saw an increase in such attacks from 2019 to 2020.

X-Force also saw a shift in tactics by these ransomware attackers as more companies opted to restore their system from backups rather than pay the ransom. Ransomware attackers now not only encrypt the victim’s data, but also threaten to leak the data on public sites in order to extort larger ransoms. According to X-Force’s estimates, one ransomware gang pilfered more than $123 million in profits in 2020 by accessing and encrypting 21.6 terabytes of data.

Best Practices for Securing Your Systems and Protecting Your Information

Given these trends, now is a good time for a reminder of steps that can be taken to help secure your company’s information.  Below is a non-exhaustive list of steps companies can take to boost the security of their systems.

Require Employees to Utilize Stronger Passwords – Passwords should be at least 12 characters in length and include upper- and lower-case letters, numbers, and special characters. The more complex the password, the more difficult it will be for cybercriminals to crack your password by brute force. This password requirement applies to both an employee’s login credentials for work systems, as well as their home wireless network.

Multi-Factor Authentication (or Two-Factor Authentication) – Even the strongest password cannot stop a sophisticated cybercriminal from hacking it (referred to as a “brute force attack”). Multi-factor authentication requires the user to present two or more pieces of evidence to an authentication mechanism before gaining access to the system and continues to be one of the most efficient security priorities for organizations. For example, after the user enters a password, the authentication mechanism will send a code to the user’s cell phone that must be input into the authentication mechanism before access is granted.

Educate Your Workforce – Companies should not assume that their workforce is aware of and utilizes available security measures. In addition to confidentiality agreements each employee should sign, clear policies regarding the protection of company information should be disseminated to your workforce, whether working remotely or not.

Build and Train an Incident Response Team – Incident response preparedness can reduce the cost of a data breach by as much as $2 million, according to IBM Security. This team should be made up of a team leader, an investigator, a communications lead, a documentation and timeline lead, and an HR/legal lead. If the company is unable to fill each of these roles internally, seek out a third-party vendor that can fill the gaps.

Back Up Your Information on a Regular Basis – Having your company’s information backed up and testing the effectiveness of the backups can make a critical difference in your organization’s security. This is especially true in light of the increase in ransomware attacks. Companies have to do their research on how best to back up their data. Cloud storage, local servers, remote servers, and the other possible options each have their own positives and negatives.  

Adequate cybersecurity, like insurance, is better to have now than to need later.  It is incumbent on companies to take the steps now to secure and preserve not only the company’s information, but also that of its customers and clients. And as a reminder, many states are enacting consumer privacy laws that require companies to take certain steps to protect consumer data. For example, under the California Consumer Privacy Act, businesses have an affirmative obligation to establish “reasonable security procedures and practices,” though what exactly that means remains unclear.  

Whether a company is storing its own confidential information or its customers’ PII, it must take reasonable steps to secure the data, particularly if required by law. If you are not sure whether the steps you have taken are reasonable, contact your P&F attorney.

Disclaimer: Laws, regulations, and guidance on matters related to COVID-19 change rapidly. Please contact your Payne & Fears attorney for current guidance.