Nine Tips to Enhance Your Company's Cybersecurity When Employees Work Remotely
Justin P. Webb and Rebeca M. López, Godfrey & Kahn, S.C.

The coronavirus (COVID-19) pandemic increased employee teleworking and telecommuting, a trend that seems likely to continue for the foreseeable future, whether through flexible work schedules or companies deciding to formally endorse permanent remote work for some or all of their employees. As a result, an increased amount of business is now conducted over the internet. This change brings significant legal risks to employers’ doorsteps.

In 2020, the U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received a record number of complaints—791,790—with reported losses exceeding $4.1 billion. This represents a 69% increase in total complaints from 2019. According to the FBI, most complaints involved phishing, ransomware and cyber scams, as well as extortion carried out through email. Individuals and businesses suffered the greatest losses through compromised business email, as well as through scams in which perpetrators mimicked the account of a person or vendor known to the victim in order to gather personal or financial information, also known as “social engineering.”

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories and warned that the threat of vishing (social engineering through voicemail), smishing (social engineering through SMS or iMessages) and phishing schemes targeting remote employees is even greater today.

Employers must take steps to create and follow policies to limit the risk posed by cybersecurity threats, and legal counsel can assist clients in instituting best practices to do so. Businesses may implement the following nine high-level considerations and steps to reduce their risk of a cybersecurity breach.

Tip #1: Ensure Access to Dedicated and Skilled Information Technology Resources

Remote work requires dedicated and skilled information technology staff and vendors. For any vendors, employers should have their agreements reviewed by knowledgeable counsel to ensure the arrangement addresses cybersecurity risks and liabilities, including when the vendor will notify the employer of any incident and how the vendor will secure the employer’s information.

Tip #2: Manage the Devices Accessing the Employer’s Systems

Perhaps the most important decision to be made is whether to allow employees to use personal devices when accessing the employer’s network, systems, and information. Personal devices present the greatest breach risk because they are not centrally managed and controlled with restrictions and security measures.

It is best practice for employers to install mobile device management software on any device that accesses company email, systems, documents, etc. At a minimum, that software should allow the employer to remotely terminate the employee’s access to the employer’s systems and to delete or wipe employer information from the device. If the employer will remotely wipe information or use mobile device management to monitor employee activity on devices, employees must be made aware that such software is being installed on their personal or company-provided laptop and of the corresponding consequences for misuse.

If the employer uses employer-owned mobile devices, advise employees that they should not save personal information, documents, and photos on those devices because that information could be lost if their computer, phone, etc. is wiped upon termination, departure, or a cybersecurity incident.

Tip #3: Require Strong Passwords and Implement Multifactor Authentication

Employers should require employees to use complex passwords and change their passwords frequently. More importantly, multifactor authentication is best practice. Typically, this system requires an employee to enter a code generated on a separate device as a secondary step to logging in. Multifactor authentication helps guard against hackers guessing an employee’s password or using credentials harvested from a data breach to break into the employee’s account.

Tip #4: Update, Test, and Train Employees

Employers should send regular updates to employees regarding the latest cybersecurity risks and point out tips to identify scams. Training employees on good cybersecurity hygiene, how to identify phishing emails, and what to do if they have questions or concerns can go a long way to prevent employees from responding to or clicking on links that threaten the employer’s operations. Finally, businesses should test their employees, particularly those working remotely, by sending mock phishing emails to see if employees are able to identify and properly address the scams. Most importantly, employees should be told who to call and what to do if they suspect an incident has occurred.

Tip #5: Monitor Employee Access and Activity

If possible, use software that alerts the business if an employee is downloading large amounts of company data or other sensitive information. Such activity, including sending this information to a personal email account, may signal an employee is preparing to end their employment and compete with the business, or that an attacker has gained access to the employee’s account.

Tip #6: Promptly Terminate Access

If an employee is terminated, departs, loses a device, or has been targeted by a cyberattack, it is imperative that the business immediately terminate the employee’s access to the business’ systems. The employer should have a written procedure or policy to address cybersecurity in employee off-boarding.

Tip #7: Develop and Maintain an Incident Response Plan

Businesses should develop and maintain an incident response plan, communicated throughout the business, that addresses how the business will respond when faced with a cyberattack. Minimally, the plan should address preparation, detection, containment, eradication and recovery, and post-incident review. The incident response plan should also include contact information for outside resources that will assist the business in responding to an incident, including forensic providers and outside counsel.

Tip #8: Implement a Telecommuting/Telework Policy

Implement a telecommuting/telework policy which, minimally, includes the following provisions to help enforce and support best practices that protect the business from cyberattacks directed at remote employees:

•    Reference and incorporate the employer’s information technology and cybersecurity policies
•    Detail password, firewall, antivirus software, router encryption, and other security requirements
•    Make clear that third parties and members of the employee’s household cannot use or access employer-provided devices for any reason and should not access personal devices that have access to employer resources
•    Prohibit employees from using public or unsecured Wi-Fi connections
•    Prohibit employees from emailing company information to personal email or cloud-based devices, or saving company information locally
•    Provide employees contact information and directions on reporting lost, stolen, or compromised devices and suspected cyber incidents
•    Remind employees that they do not have an expectation of privacy when using devices that have access to company resources and any such device may be remotely wiped

Tip #9: Restrictive Covenant Agreements

Now is also the time to review a business’s restrictive covenant agreements to ensure they properly address employees who are taking confidential information home and to provide for the prompt return of information and equipment after the employment relationship ends.

Author Biographies:

Justin P. Webb is an associate at Godfrey & Kahn, S.C. He is the Chair of the firm’s Data Privacy & Cybersecurity Practice Group. Justin is also the firm’s Chief Information Security Officer and a member of the firm’s Technology & Digital Business Practice Group. He holds the Certified Information Privacy Professional/US (CIPP/US) certification from the International Association of Privacy Professionals. Justin received his bachelor’s degree from the University of California – Los Angeles, and his law degree from Marquette University Law School, summa cum laude. Justin’s practice focuses on helping clients with the legal issues that arise from technology and data in an increasingly digital world, with a specific focus on cybersecurity and data privacy matters. Prior to practicing law, Justin was the Information Security Officer at a top-100 private university, where he was in charge of all aspects of the university’s information security program, including intrusion detection and prevention, incident response, penetration testing, and forensic analysis. 

Rebeca M. López is a senior associate in Godfrey & Kahn, S.C.’s Labor, Employment & Immigration Law Practice Group in Milwaukee. She received her bachelor’s degree from Marquette University and her law degree from Marquette University Law School, magna cum laude. She is admitted to practice in state and federal courts in Wisconsin. Rebeca is a member of the American Bar Association, Defense Research Institute, Eastern District of Wisconsin Bar Association, Hispanic Professionals of Greater Milwaukee, Professional Dimensions, State Bar of Wisconsin, and Wisconsin Hispanic Lawyers Association. Businesses in the service, manufacturing, distribution, retail, and hospitality industries rely on Rebeca to solve the labor and employment issues that arise throughout the course of their operations. Rebeca’s understanding of employment law goes beyond legal theory. Whether she is defending an employer before an administrative agency or advising on hiring, discipline, policies, or practices, Rebeca’s background enables her to bring pragmatic and cost-effective solutions to the table. With prior work experience managing an office and working directly with human resources professionals, Rebeca understands what it’s like to be in her client’s shoes, and this perspective guides her in each conversation. Rebeca’s expertise includes defending employers before administrative agencies and state and federal courts in single-plaintiff and class action matters alleging discrimination, harassment, or wage and hour violations. She has successfully guided clients through government audits and regularly conducts investigations into employee complaints.