As companies dust off their Business Continuity Plans to prepare for possible disruptions and remote working due to COVID-19, here are 10 cybersecurity considerations to add to the list of preparations:

  • Phishing—Look out for coronavirus phishing scams. We have already seen fake CDC updates, IT alerts and software notices that attempt to obtain user credentials or install malware, so consider implementing coronavirus-specific phishing training or testing. It is also a good idea to redistribute any company policies that cover the use of personal computers, smartphones, tablets and WiFi networks for work and emphasize that (a) those policies still apply to those working from home, and (b) security protocols will not be relaxed absent a clear change in policy.
  • More Phishing—Do not send legitimate emails to employees that look like phishing emails, so official COVID-19 updates to employees should have a consistent format and not include links or attachments, which will help employees properly identify phishing emails.
  • Remote Capacity—Consider testing the company’s remote capacity by having many employees try to login remotely simultaneously, and consider adding or expanding use of secure, web-based video conferencing options.
  • Real Time Vulnerability Updates—It will be important to keep on top of new vulnerabilities and scams by subscribing to various threat-sharing groups, including the CISA Alert service, FBI cyber alerts, IT-ISAC and industry threat-sharing groups.
  • Help for the Help Desk—Anticipate the additional burden on the IT help desk and make sure those employees have the policies, training and tools they need to handle the increased number of requests for technical assistance from people working from home, including the ability to verify the identity of employees using measures like phone number authentication, challenge questions and two-factor authentication.
  • Anticipate Remote Work Problems—Employees who experience difficulties using their home computers (for example, printing) will be tempted to use less secure means to accomplish work tasks, such as emailing confidential documents to their personal email accounts so that they can be easily printed at home. Companies should try to anticipate and solve for these problems ahead of time.
  • Essential Employees—Determine how many people, if any, will be needed on-site to protect the network, including patching systems and conducting information security reviews of any new systems that need to be added in haste throughout this period, as well as those needed to conduct investigations and remediation if a cyber event were to occur. Consider backup personnel in case some of those people become unavailable.
  • Vendors—Coordinate with the company’s key third-party data vendors to make sure that their cybersecurity contingency plans are adequate.
  • Update Contact Information—Ensure that contact information is up to date for key employees, especially mobile numbers.
  • Protect Medical Information—If employees become ill, there will be good reasons to want to share that information, but it is also important to maintain the confidentiality of employees’ medical data as required by law, including the medical status and identities of diagnosed employees or family members of employees.
Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Lisa Zornberg is a Debevoise litigation partner based in the firm’s New York office. She is a member of the White Collar & Regulatory Defense Group, where her practice focuses on white collar defense, regulatory enforcement actions and internal investigations – including cyber investigations – for corporations and financial institutions, as well as complex civil litigation. She can be reached at lzornberg@debevoise.com.

Author

Tricia Bozyk Sherno is a member of Debevoise's Litigation Department, concentrating in employment and general commercial litigation. She has a broad-gauged employment law practice, with experience representing clients in matters involving discrimination and harassment, contracts, corporate raiding and compensation across a broad range of industries. She can be reached at tbsherno@debevoise.com.

Author

Hilary Davidson is a corporate associate and a member of Debevoise's Mergers & Acquisitions Group. Ms. Davidson’s practice focuses on private M&A, with particular experience advising private equity clients. This has included advising on joint ventures, cross-border mergers and acquisitions and secondary and co-invest transactions. She can be reached at hdavidson@debevoise.com.

Author

Christopher S. Ford is a counsel in the Litigation Department who is a member of the firm’s Intellectual Property Litigation Group and Data Strategy & Security practice. He can be reached at csford@debevoise.com.