By Gail Gottehrer, JD, Co-Chair of Technology and the Legal Profession New York State Bar Association
The unexpected shift to remote working in response to the COVID-19 pandemic has created challenges for workers who don’t have a high comfort level with technology and are accustomed to using employer-provided devices, in offices, supported by IT personnel. Further complicating matters, hackers and other malicious actors have seized upon this opportunity to use the technological vulnerabilities of people who are new to working from home to their advantage. In recent weeks, there has been a dramatic increase in the number of cyberattacks, including phishing emails, COVID-19 related website scams, and “Zoom-bombing.” Fortunately, there are steps that you can take to secure your data while you’re working from home that don’t require you to become a technology expert. Here are a few:
- Think Before You Click: Realize that you’re a target for cybercriminals. You may have access to your company’s confidential, proprietary or trade secret information as well as information about its clients’ operations. Even if you don’t work on especially sensitive matters, you may have access to information your company maintains about its employees, such as social security numbers and medical information, which has value to hackers. If you receive an email from a sender you don’t recognize, or referencing a case or client that is unfamiliar to you, don’t open it. If your company has an IT department or a help desk, report the suspicious email to them, and let them check it for you.
- Learn About the Technology: Take some time to learn about the technologies your company has selected to enable employees to work remotely. If you’re not familiar with Citrix or virtual conferencing platforms, take advantage of any training your company offers about these technologies. Develop a basic understanding of the privacy and security options and the default settings that you’ll want to change. For example, the conference call and meeting apps you’re using may be set to automatically record calls and meetings, which can result in you inadvertently creating business records that could be subject to regulatory requirements, subpoenas and litigation holds, and, if recorded without consent, may violate various laws.
- Know Who’s Listening: Be aware of the devices you have in your home that have recording capabilities. While your workplace may prohibit smart speakers, you likely have them in your home. Now that you’re working from home, make sure to disable any smart speakers to eliminate the risk of them recording and storing your business conversations and the confidential, strategic or privileged information you may be discussing.
- Be Wary of Work-Arounds: Resist the temptation to work outside of your company’s email and document management systems. Drafting and saving documents on your personal computer or forwarding work emails to your personal email account may result in you being required to give your employer access to your personal email account and your personal computer to retrieve that data if they become relevant to a lawsuit or regulatory investigation.
- Verify Unusual Communications: If you receive an email from the CEO of your company, or a senior partner at your firm, asking you to send information about employees (e.g., social security numbers, W-2 forms, or other personally identifiable information), client documents, or business records to a certain email address, confirm the legitimacy of the email before sending the requested information. Call the person who sent you the email and determine whether the email actually came from her. If you’re not comfortable calling a member of the C-Suite or a senior member of your firm, call your supervisor or someone in your reporting chain and explain the situation to them. It’s better to be overly cautious than to be a victim of a business email compromise. Similarly, if a box appears on your computer screen asking you to grant remote access to your computer, don’t assume it’s a legitimate request from your company’s IT department. Call your IT department or a senior person at your company to find out if it’s a valid request or an attempted security breach.
- Check Your Printer: If other people are sharing your home printer (including your kids who are attending school remotely), be careful about printing documents that contain confidential, proprietary or privileged information. If you do print them, make sure to take them off the printer immediately to reduce the chances of someone else inadvertently taking your documents along with their printing, and accidentally including them with documents they send to someone else. Once you’re finished with the documents, make sure to shred them or, if you don’t have a shredder, put them in a secure location until you can take them to your office to dispose of them securely. Don’t just toss them in the garbage or recycling bin.
Regardless of the accuracy of the predictions that working from home will be part of the “new normal,” it’s beneficial to learn about the technologies that make remote work possible and the ways to reduce your cybersecurity risk.