With the rapid spread of COVID-19 and increased need for physical distancing, organizations have worked feverishly to shift to work-from-home models. Even managed review, which has been largely kept onsite, has been transitioned to remote work due to shelter-in-place orders.
For law firms, corporate legal departments and eDiscovery organizations, managing sensitive client data is part of everyday life. However, many of the stringent security measures that sustain a corporate work environment can easily become relaxed in a WFH scenario, and small lapses in protocol can become a big problem before anyone even realizes the gaps.
Here are some of the top threats facing those who work remotely with sensitive data, as well as some tactical strategies to ensure data privacy in challenging times.
Threat #1: Impromptu Connections & the Internet of Things
As employees continue to work from home, there may be situations when work-issued devices “act up” or have trouble connecting, resulting in a migration to personal computers or other devices in order to keep up with the speed of business. In other situations, teams may adopt new forms of communication such as Slack, Skype or even texting for convenience. If your company hasn’t authorized such tools, gaps can easily crop up in terms of data security. Even something as simple as a home printer can be problematic since these devices can store data as it passes through.
Also consider the presence of AI-enabled devices such as Amazon’s Alexa or Google voice assistants in our homes. They are, in fact, “always listening,” and despite assurances of relative privacy, such devices should never be activated or in the room when a client’s or a company’s confidential information is being discussed.
Threat #2: Cybercrime
During times of crisis, there is often an unfortunate uptick in the emergence of bad actors and phishing schemes. For example, an employee could receive a seemingly innocuous email asking for a bit of personal information in order to receive a government stimulus check. Or we’ve seen examples of COVID mapping programs that can infect computers with malicious software. At a time when everyone is on alert for news and insights about the spread of a disease, people make easy prey.
In addition to this more obvious type of attack, there is also a great deal of information shared via workplace collaboration tools — even those that are authorized for use by the company. Protecting that sensitive information from viruses, malware attacks, ransomware and other risks must be top of mind now more than ever before. This is why clear policies, training and regular communication with employees are paramount to keeping your systems and data protected from external threats.
Threat #3: Internal risks
When people work outside the office, it’s natural for them to unintentionally become more relaxed about protocols. For example, an associate might be using an approved personal computer that gets secured through VPN access, but then forget to log out — potentially making confidential data available to a housemate. Likewise, with the increase of remote meetings, employees may discuss confidential client information without realizing that unauthorized people are within earshot.
If an employee is working with confidential or market-impacting data, having outside parties in the path of this information could easily become a problem and a liability for legal associates, eDiscovery professionals and anyone who manages sensitive client data. In that regard, it’s a good idea to have newly remote workers re-sign their NDAs as a reminder of core policies and procedures that must be followed on a day-to-day basis.
Mitigating threats and sustaining your business
There are some simple solutions for mitigating the impact of security threats raised by the increased WFH workforce — now and in the future.
First, it’s critical that employees access sensitive company data only through established networks via a company-supplied VPN or other secured workspace. Have your employees sign an NDA (even if they’ve signed one before). It’s a good reminder of what’s expected of them regardless of their current work location.
If future legal holds and collections need to take place, consider the additional data sources that may have appeared during this period of remote working. Even when sensitive data is securely protected, the means of accessing it change with a remote workforce.
Finally, make sure that your IT teams have tools in place to monitor employees’ remote access. In addition to clear IT policies and procedures, this is the best way to ensure access control and proactively identify looming threats to your business.