The spread of the novel coronavirus (COVID-19) has been swift and its impact on the Colorado workplace has been unprecedented and severe. With millions of employees quickly transitioning to working from home, companies must incorporate sound cyber and data security practices into their work-from-home strategy and train employees accordingly.
Working from home brings security concerns that differ from those seen in a traditional office setting. While working from home, employees may be accessing or transmitting trade secrets, personal information of individuals, and other confidential information. Exposure of trade secrets or confidential business information can cause expensive damages or loss to a company. Exposure of personal information can potentially trigger state or federal data breach notification laws, damage a company’s reputation in the community, result in costly regulatory fines, and expose individuals to identity theft. Moreover, cybercriminals are using the confusion and misinformation regarding the pandemic to scam unsuspecting individuals, take money, and access confidential information.
Data privacy is another concern. Companies conducting business in Colorado must also abide by Colorado’s privacy and cybersecurity laws, which require all companies handling personal identifying information to implement and maintain reasonable security procedures and practices. Colorado law also requires that companies develop a written policy for the destruction or proper disposal of paper and electronic documents containing that information. Companies handling the personal identifying information of individuals in California or the European Union must abide by even more stringent data privacy laws.
In order to mitigate these and other concerns, businesses should take care to train employees and adopt practices as to the following:
- Avoid Coronavirus scams: Advise employees to avoid scammers and watch for websites selling products claiming to cure or prevent the Coronavirus disease. Be on alert for fraudulent emails, texts, or social media posts claiming to be from the Center for Disease Control (CDC), the World Health Organization (WHO), or other government entities which state that they have information regarding the disease and request personal information or money. Do not click on links from unknown sources.
- Use secure Wi-Fi connections: Ask employees to ensure that their Wi-Fi connection is secure. Prohibit the use of public Wi-Fi, including networks used in airports, restaurants, or apartment buildings, and require the use of password-protected home Wi-Fi. If it is impossible to access a safe Wi-Fi network, employees should connect via a Virtual Private Network (VPN) or use their mobile device as a Wi-Fi hotspot.
- Standardize cybersecurity software: Require employees to use employer-provided security software on all devices and to install the latest manufacturer software updates before they are permitted access to any remote systems.
- Secure access to the company server: Require multifactor authentication upon each login to a company portal and only allow remote access through a virtual private network (VPN) with strong end-to-end encryption. Require employees to use unique passwords, which must be changed every three months.
- Off-network communications: As teams move to working from home, other modes of communication, including phone, email, and instant messaging, will replace in-person meetings. Employees may be tempted to communicate with each other via informal communications platforms, such as text messaging on personal devices and direct messaging on social media accounts. Inform employees that these communication methods are not secure and pose risks when used to discuss work-related matters, and prohibit their use.
- Allow access to sensitive data on a “need to know” basis: Companies should review who has access to sensitive data and information. Employees should only be given access to the specific data systems that are necessary to fulfill the obligations and duties of their jobs.
- Keep devices under lock and key: Prohibit working from public places where third parties can view screens and printed documents. Remind employees to never leave a device unattended and to secure their homes if devices containing sensitive information are inside. Require employees carrying devices in vehicles to take devices with them or lock devices in the trunk during stops, and to never leave them in the vehicle overnight. Due to the lack of availability of new mobile devices during the quarantine period, thefts of mobile devices are expected to increase.
These steps are not exhaustive. Depending on the industry or the needs of the business, companies may be required to adopt more extensive practices; companies may also be subject to more stringent laws and regulations. For example, health plans, health care clearinghouses, and health care providers dealing with personal health information will also be subject to the Health Insurance Portability and Accountability Act (HIPAA). The Coronavirus pandemic has posed a difficult batch of cybersecurity challenges and vulnerabilities for Colorado companies. Businesses must take steps to get ahead of these risks, safeguard their sensitive information and data, and protect themselves.