Privacy & Data Security Challenges in Remote Work
At two years into the pandemic, remote work is still a fact of life for many employers and employees, and cyber threats continue to rise. What are the challenges in ensuring that employers’ privacy and security policies are compliant and effective in these circumstances? This program will review regulators’ current best practices and provide tools to help lawyers advise their clients on the cybersecurity and data privacy rules and principles essential in remote work environments.
Joe Facciponti - Hello and welcome to Quimbee's online CLE course on privacy and data security challenges in remote work. My name is Joe Facciponti, and I'll be presenting this class today. Before we begin, let me tell you a little about myself. I'm a partner and head of the cybersecurity and data privacy practice group at McGonigle, P.C., a boutique financial services law firm. I assist clients in responding to data breaches and improving their cybersecurity compliance programs.
Prior to my current role, I served as deputy head of internal investigations at a global financial institution. And prior to that, I was a federal prosecutor for nine years at the US Attorney's Office in Manhattan, where I prosecuted cyber crimes and intellectual property theft cases. I also teach a cyber law class at Cornell Law School. Let's talk a little bit about our topic today. At two years into the pandemic, remote work is still a fact of life for many employers and employees, and cyber threats continue to rise. Today's program will examine the challenges in ensuring that employers' privacy and security policies are compliant and effective in these circumstances. This program will review regulators' current best practices and provide tools to help lawyers advise their clients on the cybersecurity and data privacy rules and principles essential in remote work environments.
Let's begin by examining the state of remote work and what businesses and employees are currently doing. The basic takeaway is that while more employees are returning to the office, remote work seems to be here to stay for many employees by choice. So what are businesses currently doing? Looking at things from nearly a year ago, a May 2021 Gallup poll found that seven in 10 US white collar workers were working remotely, and 14% of blue collar workers were also working remotely. Further, a March 2021 survey by the Society for Human Resource Management found that 52% of Americans would choose to work from home permanently, if given the option. This trend continues today, a year later, in which a significant portion of the American workforce continues to work from home. For example, a February 2022 Bloomberg News article found that today, 61% of teleworkers who have an office say it's their choice not to work from there, up from about a third in October 2022.
Notably, fewer people cite concerns about being exposed to COVID. Instead, the impetus for returning to the office has shifted. Those that do choose to go in say they go in because they want opportunities for advancement or because they lack the space and resources to perform adequately at home. About one in 10 respondents say that the main rationale is pressure from their supervisor or coworkers to be in the office. Nearly a third of parents cite childcare as an issue for working from home, which is down from 45% in October of 2020. Finally, about 19% of workers say they fear contracting COVID at work, but this is down slightly from 21% in October of 2020. What this basically means is that many employees are finding reasons to stay at home and continue to work from home, even though the coronavirus is receding as a major concern for work from home. And this in fact is a trend that employers are going to have to deal with and be prepared for from a cybersecurity and data privacy perspective. So having looked at the trends in working from home, let's take a look at the threat landscape. The first thing you need to know is that cyber attacks are inevitable.
For the past 25 years, we've been in the grip of a digital revolution that has seen more and more businesses and everyday activities move from the real brick and mortar world to the online digital world. The ease with which many office workers transitioned to remote work about two years ago in March of 2020 only underscores this point. And just as there have always been bank robbers and shoplifters and catch-me-if-you-can identity thieves and con artists in the real world, there are criminals who perform the same function in the digital world. The next basic thing you need to appreciate is that as a business or someone who advises a business, you will be breached. In fact, former FBI director Robert Mueller said in March of 2020, toward 2012, that "I am convinced that there are only two types of companies. Those that have been hacked and those that will be. And even they are converging into one category, companies that have been hacked and will be hacked again." In fact, you probably experience several cyber attacks every week in the business that you advise. Just recently, I got a text message purporting to be from the managing partner of my firm's New York office, but of course it wasn't from him. Most of these attacks are easily handled if you know what to look for and are vigilant.
So let's talk about some cyber attack statistics. Cyber attacks have of course increased. Of those who have experienced a breach, two in five, 41%, happened in the last year. This number has doubled from 21% in 2019, marking a significant shift in the threat posed. Globally, malware is a source of security attacks followed by ransomware and phishing, yet when it comes to how attacks occur, the message is clear. Internal threats and human error are still of great concern. A third of businesses stated that malicious insiders and human error are the greatest risk to them, followed by external attackers. According to data on suspicious activity reports, which are reports that financial institutions and money services businesses must file under the Bank Secrecy Act in the United States when they encounter suspicious transactions, and which are filed with the Treasury Department's Financial Crimes Enforcement Network or FinCEN, the number of suspicious activity reports or SARs filed for ransomware attacks in the first half of 2021 is up 30% over the total number of ransomware SARs for all of 2020. So if the trend is that people are continuing to work from home, even as the pandemic recedes, cyber attacks are increasing throughout all industries and all sectors. So what are regulatory bodies saying? Well, back in May of 2020, FINRA, the Financial Industry Regulatory Authority, which regulates mostly broker-dealers, issued a regulatory notice sharing best practices implemented by FINRA member firms to supervise a remote work environment during the pandemic. That notice emphasized the need for a heightened focus on cybersecurity and confidentiality. Similarly, back in August of 2020, the SEC, the Securities and Exchange Commission, published similar guidance, stating that the SEC recommends that firms pay particular attention to the risks regarding access to systems, investor data protection, and cybersecurity.
Let's talk a little bit more about the SEC's guidelines, which, although they apply and are intended to apply to businesses and primarily financial institutions, hold lessons that apply to pretty much any business with a remote work environment. The SEC was primarily concerned about the following risks in a remote work environment for financial services firms, such as broker-dealers and investment advisors. But as I said, their advice applies to many businesses. The SEC wanted to see that these businesses were, one, protecting their customers' assets; two, adequately supervising the conduct of their personnel and employees; three, guarding against investment fraud, or pretty much any kind of fraud; were also focused on business continuity and the ability to continue functioning, even with folks who are in a work-from-home environment; and finally, the protection of investor or customer and other sensitive information, so confidentiality.
For example, when it comes to protecting customer assets, the SEC recommended that companies implement additional steps to validate the identity of the investor and the authenticity of disbursement instructions, payment instructions, including whether the person is authorized to make the request and whether bank account names and numbers are accurate. The SEC also recommended that each investor has a trusted contact person in place, particularly for seniors and other vulnerable investors, so that employees, if they're confronted with a request, say, to withdraw all of a client's funds and wire them to an account, have somebody they can contact who is trusted to confirm those instructions and that they are not fraudulent. When it comes to business continuity, the SEC recommends that the firms it regulates have security and support for facilities and remote sites that may need to be modified and enhanced. Relevant issues that firms should consider include, for example, whether additional resources and measures for securing servers and systems are needed and whether the integrity of vacated offices and facilities is maintained. So if you have a business full of sensitive data and servers and files in an office location where most people are not actually working and it's kind of deserted, you should still be securing that facility from intrusion and from people coming in and stealing your files. And that relocation infrastructure and support for personnel operating from remote sites is provided and that remote location data is protected in the same manner that it would be protected in the office.
The SEC warned that if relevant practices and approaches are not addressed in business continuity plans, and businesses and broker-dealers or firms do not have built-in redundancies for key operations and key person succession plans, mission-critical services may be at risk. When it comes to protecting personal data held by financial institutions, the SEC recommended the following. The SEC recommended that these institutions make enhancements to their identity protection practices, such as by reminding their investors to contact the business directly by telephone for any concerns about suspicious communications, and for firms to have personnel available to answer those investor inquiries.
The SEC also recommends that firm personnel and employees are provided with additional trainings and reminders that otherwise spotlight issues related to phishing and other targeted cyber attacks, and we'll talk about phishing in a little bit; sharing information while using certain remote systems, in other words, unsecure web-based video chat; encrypting documents and using password-protected systems; and destroying physical records at remote locations. The SEC also recommends that businesses conduct heightened reviews of personnel access rights and controls as individuals take on new or expanded roles in order to maintain business operations.
The SEC further recommends that firms use validated encryption technologies to protect communications and data stored on all devices, including personally owned devices. Ensuring that remote access servers are secured effectively and kept fully patched is also important, as is enhancing system access security, such as requiring the use of multifactor authentication, and these are things that we will talk about in more depth later.
Finally, the SEC said that addressing new or additional cyber-related issues related to third parties, in other words, supervising those third parties for their cyber risks, is also important for firms, and we'll talk about that later as well. And when the SEC says firms, they're referring mostly to broker-dealers and investment advisors and the like, but as I said, these recommendations can pretty much apply to any business operating within the remote work environment.
Finally, the Cybersecurity and Infrastructure Security Agency or CISA published an alert regarding VPN or virtual private network security, explaining that as organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors. CISA encouraged organizations to update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. In other words, CISA recommends that businesses make sure that their architecture for having employees work remotely and log into their business network remotely are updated and patched or guarded against the latest cyber threats.
So let's talk a little bit now about what can go wrong, and we'll do this through a little case study. And that case study is about a significant cyber attack which happened in the past two years that highlights the threats that businesses face in a remote work environment, and that's the SolarWinds attack, which, if you remember, was publicized in late December 2020 and early 2021, so a little more than a year ago. According to a report published by the New York Department of Financial Services, which is a regulator in New York state that regulates financial institutions and insurance companies, the SolarWinds attack is to date the most visible, widespread, and intrusive information technology software supply chain attack. In other words, a cyber attack that corrupts IT software and uses that software as an attack vector. Supply chain attacks are dangerous because the malware is embedded inside a legitimate product, and because supply chain attacks can allow an attacker to access the networks of many organizations in a single stroke. Slowing down and backing up here in case you're unfamiliar with this concept: some hackers can hack your business directly and take sensitive data or get up to other mischief once they have access to your systems. But other hackers opt for a strategy of attacking some central point or service provider or software provider that many businesses use and rely on. And when they attack that central third party, they can corrupt that third party's systems such that anyone who does business with that third party, whether it's by purchasing their software or relying on their services, can also then become infected with whatever malware the hackers are distributing and also become vulnerable, which takes us back to SolarWinds.
What is SolarWinds? It is a Texas-based software company that develops products for IT infrastructure. In 2020, SolarWinds had over 320,000 customers across many sectors, including the government, financial services, telecommunications, and others. Orion was a SolarWinds product that monitors and manages the performance of an organization's network, systems, and applications in a single window or application. So that means that many businesses relied on this Orion product from SolarWinds to monitor and manage the performance of their business networks. In a nutshell, in 2019, hackers got access to SolarWinds' system and planted malware in the Orion product that would allow the hackers to get access to any system running Orion. During most of 2020, SolarWinds unknowingly distributed the corrupted version of the Orion product to its customers.
By late 2020, SolarWinds learned about the breach and issued a series of patches to its customers to eliminate the malware in the Orion product. At that point, the New York Department of Financial Services got involved and asked the companies it regulates to report on whether they were affected by the incident and how they handled it. The New York Department of Financial Services then issued a report on the SolarWinds attack and a list of recommendations that organizations can take to strengthen their cybersecurity practices to protect against future attacks. Among those recommendations were the following. That businesses should include processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of their critical vendors. In other words, if you're going to have a business like SolarWinds providing you with mission-critical software, you should have some sort of diligence program in place to ensure that that business is not susceptible to the kind of hacks that could result in them selling you a product that's laced with malware. The New York Department of Financial Services also recommended that businesses adopt a zero trust mindset and assume that, one, any software installation, and two, any third party service provider could be compromised and used as an attack vector.
I think at this point it makes sense to talk a little bit about hackers and how they behave. What you may see in movies about hackers sitting in front of a computer with multiple screens, typing away quickly, breaching firewalls and the like is rarely how hackers actually get access to a business's network. Hackers' biggest tool is to exploit the trust of employees and businesses, that trust that businesses place in their employees and in their vendors. When some business hires an entity like SolarWinds to provide them with IT services, they're not thinking that SolarWinds could have been corrupted by hackers. They're giving SolarWinds complete trust. So what the New York Department of Financial Services says is you should really treat these critical third party vendors as entities that can and will be compromised and used as an attack vector. The New York Department of Financial Services also said that you should have a vulnerability management program that prioritizes your organization's patch testing, validation process, and deployment, including which systems to patch and in what order they should be patched. In other words, make sure you have a program in place so that when a critical vulnerability is announced in a particular product or system or service, you have a way to immediately patch that vulnerability, such that you're not susceptible to any threats. And that you should address these, quote unquote, supply chain compromises in your written incident response plans, which are written plans that all businesses should have for how to deal with a data breach or critical cyber attack.
So now that we've covered this background, let's talk about the challenges that businesses face in the remote work environment. I'll start by giving you a quick overview of these challenges.
And there are about five primary areas that we'll cover today. The first area has to do with issues with network access by remote employees and the employees' use of their own personal devices versus your business-issued devices. The second area is managing data loss prevention and data leaks and how to stop the unauthorized loss or theft of data. The third area is countering phishing attacks, business email compromises, and account takeovers: how to stop attackers from duping your employees into compromising the company's or a customer's assets or accounts or data. The fourth area we'll cover is third-party service provider risk, which is highlighted by the SolarWinds incident. Are your third-party providers protecting the data you give them? Are they selling you products that are not corrupted with malware?
Another incident, another example of third-party risk, was a case that was investigated and prosecuted by the US Department of Justice in which Chinese hackers working for the Chinese government allegedly breached the systems of managed service providers, which provided outsourced IT services to companies. You may be familiar with this if you're a business or you advise businesses that have outsourced IT services. They're the people who you call when you need someone to remote into your desktop to fix an issue or help you troubleshoot a problem if you don't have those people working in house in your own business. The problem was, in that case, these hackers working for a Chinese state security agency were able to breach the systems of these managed service providers and then use that access to remote into the providers' customers to steal their data.
And finally, the fifth area that we'll cover is tricky issues of employee privacy. Surveilling employees may be prudent, but where does it cross the line to become a privacy and legal issue? So let's talk about network access. What are the things that you can do to ensure that only the folks you want to have access to your system actually have access to your system? And first, we should talk a little bit about the distinction between remote work and working from an office. Obviously, managing access to a business's network is a critical part of cybersecurity compliance for any business, regardless of where your employees are located. However, if your employees are located in an office with their desktops or laptops hardwired into the company's network, there's one less factor that you need to worry about, as you can see that your employees are there in the office, accessing your system. When you open up your network to remote access, you don't know who is accessing your system, unless you can verify that the people who are trying to access your system actually are who they claim to be. And also you have to concern yourself with ensuring that data that's being transmitted between your remote employee and your network is not being intercepted and stolen or snooped upon by bad actors.
So that's where something like a virtual private network comes into play. A virtual private network or VPN is a way to maintain a secure, encrypted connection between whatever device your employee is using and your company's network. They are most useful when your employees are using unencrypted and public wifi networks where malicious actors could be snooping on your activities. So if you're at a Starbucks or an airport and you use the public wifi there, keep in mind that if you're not using a VPN, it's very likely the network traffic you're sending is not encrypted and that anyone else who's connected to that wifi network could be spying on you. VPNs are also useful for home wifi networks where multiple members of a family or roommates may be using the network. VPNs also ensure that no one else using the same wifi network can read your web traffic. Of course, if hackers already have access to your client's mobile device or a computer, the VPN will not protect you, as the VPN will only, in that case, give the hackers a secure connection to your business's network. So let's talk about other ways that you can ensure that only folks who are supposed to be accessing your system are accessing your system. I've mentioned before multifactor authentication, which is sometimes referred to as two-factor authentication. They're not exactly the same thing. Multifactor authentication means more than one way of authenticating, and two-factor authentication just means two ways. But the basic concept here is that this kind of authentication requires something else besides just a password to establish access.
The problem is, unfortunately, many employees use easily guessable passwords. Many employees may reuse passwords that they use for other accounts and services that may have already been compromised and are thus vulnerable to what's known as a credential stuffing attack. So to take a step back and explain this concept. Like many people, you probably have a common username and password that you use for multiple different accounts, because it's too difficult to remember a million different passwords for a million different online accounts that you may have. The problem is that sooner or later, your password is going to be compromised, because one of these entities that you have an account with is going to be compromised. So it's very likely that your email address, your go-to email address and go-to password, is sitting on the dark web somewhere waiting to be exploited in what's known as a credential stuffing attack. That's when a bad actor will purchase a list of already compromised usernames and passwords and use that list to attack other websites and other online accounts, hoping that you have an account at the website being attacked and that you've used the same password for it.
So two-factor or multifactor authentication is a way of guarding against employees who reuse their passwords. Typically, there are a number of ways you can configure MFA or multifactor authentication. One way is to have employees provide their username, their password, and then receive an SMS message or a text message. These are fine for most purposes, but hackers have ways to engage in what's known as SIM swapping, or basically taking control of your phone number and having text messages redirected to them as a way of getting access to your account and avoiding multifactor authentication. So if you have two-factor authentication for your bank account enabled and you get a text message on your telephone, that's usually secure, but if you're a high-net-worth individual, and you have, say, a lot of money in an account or a lot of cryptocurrency in an account and people know that, what they might try to do, if they know your phone number, is to engage in a number of different ways of convincing your telephone company to transfer your phone number to another phone and then have the text message or whatever code it is sent to them to get access to your account. So if you really wanted to be completely secure in the use of multifactor authentication, instead of using text messages, you can use one of the many authentication applications that are available or a token fob, which provides a unique and constantly changing token number that employees can enter to authenticate themselves. Another concept that is important in maintaining a secure remote work environment is the concept of least privilege or zero trust.
Basically, you have to treat your employees and your third-party service providers who have access to your systems as if they are the way you might treat people during the pandemic as potentially having COVID. You have to treat your employees and your vendors as if they are potentially harboring malware or a vector for hackers to get access to your system, which means you wanna conduct some basic hygiene around them, and you don't wanna give any of them access to more parts of your network or more data than they need to do their jobs, right?
If you remember the famous example of the Target breach from nearly a decade ago at this point, where Target had a breach that resulted in hackers planting malware on its point of sale terminals in its stores and stealing millions of payment cards during the holiday season one year. Well, how did hackers get to do that? They didn't hack Target's system directly. They hacked the system of an air conditioning and heating provider, a third-party provider for Target that provided heating and cooling services to Target stores and that also happened to have access to Target's computer network. And by getting access to this third-party service provider, they were able to then breach Target's network, all because Target trusted this third-party service provider with having access to its network. So that's the concept of least privilege or zero trust. Make sure that you are not giving people access to systems that they do not need to have access to because, of course, they could be compromised and could be a way for a threat actor to get access to your system.
Another example of this, which happens pretty typically, is that you might have an employee at a financial institution or an employee at a business that has valuable intellectual property who has access to a database with customer information they don't need to perform their job, or access to perhaps trade secrets of a business that they don't need to perform their job, which they might take or attempt to poach and bring to another employer or another business or sell. So again, no need to give your employees or any vendors access to anything that they don't really need. Now, let's talk about personal devices versus business-issued devices. What are the pros and cons of having your employees use their own devices to telework versus requiring that your employees use only devices that are issued by your business to telework? When employees work from home, are they using their devices or personal devices? The better practice is to have an employer issue devices to employees because it gives the employer greater control over the device and the ability to limit its use.
But let's break down the pros and cons. One of the pros of having employees use their personal device is that it's a lower cost for the firm. You don't have to buy everyone a laptop. You don't have to buy everyone an iPhone. Another pro is that some employees prefer to use their personal device. They know it better, they feel more comfortable with it, and that's what they would like to use. They don't wanna carry around two cell phones, one for their personal use and one for work. Another pro is that there are applications out there that allow you to have a secure interface with your business network that allow you to secure data and segregate it from the personal data of an employee. You can set up a virtual desktop on an employee's own computer, again, which is segregated from their personal information and their personal use of the device, and you can put some controls on it. Of course, these controls are less than what you would have if you had a completely controlled device because you bought it and issued it to the employee. What are some of the cons of having employees use personal devices? Well, one is that you may not be able to control all the security settings on the device, like location tracking for mobile phones.
If you are an employer, you want that turned on so you can find the mobile phone if it ever gets lost with all the data that's on it, but if you're an employee, you may not be so keen on having your employer track you and you may turn that off on your personal device. You may have less ability to control firewall configurations or lock screen timeouts. You may want a laptop or a phone to go to its lock screen after just a few seconds of inactivity, whereas as an employee, if it's their personal device, they may want that lock screen to not show up for a few minutes. Another con is that you may not be able to prohibit certain activities like taking screenshots or taking the device to or from certain jurisdictions. Like you may not want employees to take devices to certain countries where they may be hacked or certain countries where you may be prohibited from bringing any data that your employee has access to. And also, you may have less ability to restrict employees from visiting websites that are inappropriate for work if they're using their personal device. Another con is that you may not be able to enforce software updates and patches, and sometimes this is critical. As we talked about with the Orion data breach, big breaches often happen when entities fail to patch devices or networks.
And another example of that is Equifax, where Equifax, which had a massive breach which resulted in the personal information of every adult American being stolen, was breached because Equifax failed to adequately patch its system upon learning of a major security vulnerability in a piece of software it was using. Another con about having employees use their personal devices is that you may not be able, as a business, to extract and/or preserve all company data or know what the employee did with it. Situations, for example, in which there is a lawsuit and you need that data for discovery, or where an employee is terminated and refuses to provide access to their personal devices. So you can't say for sure whether they've taken any trade secrets of your business, or printed them out. And if they did print it out, where is it? Another con is that you may not necessarily be able to lock down ports on a device, like for flash drives, and therefore can't necessarily prevent an employee from copying sensitive data onto a mobile storage device. And finally, the final con of having employees use their own devices is that it potentially creates privacy issues for your company because you may have a situation in which you do need to sort through the contents of that phone for litigation or for other reasons, but now you're also stuck potentially sorting through all the employee's personal data to find the company data. It also creates issues when you're trying to surveil employee conduct to see if they're actually working and how long they're working if you're doing this by surveilling their activity on their private devices. And don't forget about printers. Do you want your employees printing out any material at home? What are the risks, and how can you keep track of what was printed? Are you confident that your employees' home printers are secure? Some people use wifi printers, printers that are connected to their computer by wifi and not by a hard line.
Again, is that traffic secure and can anyone intercept that traffic? And moreover, do you have any ability to understand what was printed if they're printing it to their home printer? So would you be willing to provide them with a company-owned printer, if that's what you wanted to do, okay? Let's turn now to data loss prevention and maintaining confidentiality.
The first way you handle this is to understand what types of data your employees have access to, and what the risks to your business are. Do your employees have access to personal data, personal data about other employees, about customers, about patients, about test subjects? Do they have access to sensitive personal data, account information, financial information, information about a person's protected status, race, gender, sexual orientation, gender expression, information that could be used to commit identity theft and fraud, or deeply personal information, you know, HR data, information about an employee's mental health issues? Do your employees have access to trade secrets or valuable intellectual property of your business? Do they have access to confidential business information and financial information about your business that you wouldn't want other people to know about? And also, do they have access to material non-public information, such that someone they live with who overhears something can then engage in insider trading based upon what they've overheard? Understanding what this data is, how it can be misused, and how valuable it is helps you understand what type of measures you should implement to prevent this data from being lost or given to someone without authorization.
Also important to understand is the format of the data. Is it in hard copy? If it's printed out, it's hard to keep track of. It's easy to lose. It must be disposed of properly by shredding it. If it's in electronic storage, is it saved on a flash drive? Is it on some sort of media that's easily portable and also hard to keep track of? Is it on a laptop or smartphone? Is it on your company's network, or is it in the form of electronic communications, emails, text messages, telephone conversations? Again, in order to adequately address this issue, you need to understand not just what data your employees have access to, but the means and the format of the data and how it's transmitted. Can your employees keep sensitive data secure? What about video and telephone conversations? Do they have housemates, domestic partners, family members? Are they gonna be talking about truly sensitive stuff that they shouldn't be talking about in front of other people who don't work for that business? What are the policies for secure storage of data? Do they have to keep very sensitive data locked up in their homes? Do they have to lock their desktops and smartphones whenever they step away from them? What about things like Alexa and Siri that are always on and always listening? And some of that is recorded for Apple's and Amazon's quality testing and assurance. So when you think about what data you have, you have to think about all these things and come up with a sensible solution to protect your data. That may require you not allowing employees to print stuff out, not allowing employees to download stuff onto their personal desktops, things of that nature.
Another question is, what kinds of cyber attacks target remote work? Well, a big one is phishing. Phishing is when someone tries to impersonate someone you know, impersonating your boss, a member of senior management, or impersonating a customer, particularly in the realm of remote work, where you might not have ever met that person face to face and you can't walk down the hallway to check with them in person: hey, did you send me this text message? And phishing is always characterized by a sense of urgency. I need you to wire this money right now. This contract needs to be signed right now. You need to log onto this very sign account and sign the contract, which of course isn't a very sign account. It's taking you someplace else to get you to hand in your access credentials, your username and password. The people engaged in phishing might have taken the time to research your organization. They might know the names of your supervisor and coworkers. I got a call when I was working at a financial institution asking for some information about my supervisors and other folks within the legal department. When I asked why they needed the information, they simply hung up. They were probably doing some research for a phishing attack.
Business email compromises are typically what happens after a phishing attack has been successful and they've managed to steal someone in your business's account credentials. Or a business email compromise can come from someone spoofing your or your client's email domain, except that detection programs are getting better and better at detecting this. A business email compromise seeks to convince you to wire money or change the account number on an invoice so that you misdirect client funds or customer funds to someone who's actually an attacker, or misdirect your business funds to someone who's actually an attacker, because you get an email from a customer that says, hey, I have a new bank account. Please send your payment to this new bank account rather than to the account that actually belongs to that customer. Account takeovers are like business email compromises, but also involve gaining access to bank accounts, crypto assets, and things of that nature. What are the best ways to guard against these threats? Well, one of the main things you can do is ensure that your employees have the proper training and awareness of the threats. The training needs to be targeted to your employees and to your business and needs to be practical in nature. You wanna help your employees understand practically what to watch for and how to respond, and to have an escalation system in place so that they know who they should escalate issues to.
They know who they should forward an email to. Is this email legitimate? Is this attachment safe for me to open? Things like that. You need to have policies and procedures for all of this, but again, you need to make sure everyone knows your policies and procedures, if not every detail, at least the big picture. And again, have the policies and procedures for cybersecurity and privacy be practical, something that an employee can actually action and respond to rather than something high level and vague. You need to implement least privilege and access control in your system so that when a portion of your network is breached, whoever is responsible for the breach can't use that access to gain access to other parts of your system. You need to timely implement software updates on your network. If there is a vulnerability that's announced in a common piece of software, you better believe that as soon as that vulnerability is made known, just about every major hacking group is gonna try and find a way to exploit it. So from the time a vulnerability is disclosed, you're gonna race against time with threat actors who are trying to come up with a way to exploit that vulnerability before you can patch it. But this doesn't go just for newly disclosed vulnerabilities; it's important to timely implement routine software updates as well. You can implement technological solutions to prevent data from being lost.
In addition to having its vaults solutions, you can implement filters and screens and firewalls that scan for and try to keep data from leaving your system. You should implement network monitoring to monitor what's going on in your network, and monitor when your employees are logged on, who is logged on for how long, and whether they're doing anything suspicious or unusual. You should undertake regular risk assessments of your business network, and also engage in penetration testing to see if there are any parts of your system that are vulnerable. And you can also help protect yourself by not allowing data to be saved locally on devices. Imagine the headache when your employee loses a laptop on which they downloaded a whole lot of sensitive data. How do you mitigate third-party vendor risks, the kind of risk you might get from a SolarWinds kind of attack? Well, one thing is you'll need a third-party vendor risk management program. It doesn't have to be elaborate or finely detailed, but you need to have a basic way of ensuring that you can trust your vendors, that the vendors themselves have cybersecurity programs in place. You can do this by asking them questions with a questionnaire. You can also do this by having them represent things in contracts and guarantee certain things, and have certain contractual levels of service around these things. You can do that with some vendors by requesting audit rights to be able to see their cybersecurity programs or see the results of their risk assessments and things of that nature.
Again, you should also implement principles of access control and least privilege and zero trust so that even though you vetted this vendor, you're not giving them more access to more parts of your system than they actually need, and therefore you're limiting the nature of the threat that they pose to you. The final part of this course is gonna talk about employee privacy and workplace monitoring, because there's a balance between ensuring that your employees are actually working and crossing the line and engaging in unlawful surveillance. The big picture is that employers can implement technological solutions that monitor their employees' behavior when they work remotely. These solutions include monitoring employee web browsing, keystrokes, and snapping webcam photos of employees to ensure they're sitting at their computers.
However, employers should be aware of the applicable state and federal laws, including the Electronic Communications Privacy Act of 1986, which governs various forms of electronic surveillance and in certain circumstances requires employee consent. Employees located overseas in other countries may be protected by other privacy laws, including Europe's General Data Protection Regulation. Employers considering workplace monitoring should also consider the risks as well as the benefits, including potential litigation, regulatory, and reputational risks if workplace monitoring exceeds legal limits or if employee data that is collected through surveillance later becomes compromised through a data breach. Why would you monitor your employees' behavior? Well, for one, there are issues about performance and productivity. When employees are not at the office, you can't see if they're working. You don't necessarily know what they're doing. If they're producing work on time and to appropriate standards, that's fine, but you may not know that. So performance and productivity is a reason to monitor behavior. You also wanna monitor their behavior because you wanna make sure that you're maintaining your data security standards, that your employees are not stealing your data and giving it to a competitor. You also wanna monitor that they're not engaging in inappropriate conduct or behavior, especially if they're using your company-issued laptops or phones, or company-issued or company-approved applications on their own personal devices. You also wanna make sure your employees are not engaged in theft and fraud. That's stealing your money. They're not using their access to your bank accounts to take money from you. So how can employers monitor employee behavior remotely? Well, employers generally have wide latitude to monitor an employee's communications when the employee is using their work email or work devices for communications.
You can also monitor your employees' network usage: when they log on, how long they're logged on, what they do once they've logged on, and where they're logging on from. You have the ability to monitor their desktop and what they're doing on that desktop, and you can get even more intrusive, depending on your ability to ensure that it's lawful, by implementing key loggers, which record which keys the employee is pressing on their computer, or even engaging in some video surveillance. But again, there are legal issues that you need to consider.
For one, there is the Electronic Communications Privacy Act, which I mentioned a little earlier. The Electronic Communications Privacy Act gives citizens privacy rights in their email accounts and other electronic communications. The federal government, for example, typically needs a search warrant to get the contents of any email you may have in your personal Gmail account. However, the Electronic Communications Privacy Act does not provide the same level of rights to citizens in any electronic communications that are provided to them by their employer. So you do not have privacy rights in your work email address. You do not have privacy rights when you use your work devices for work. And in fact, employers typically reinforce this, and it's always a good idea to have a banner that shows up when you log in to remind employees that they do not have privacy rights in their work email address. We also do need to worry about things like the Wiretap Act, which prohibits illegal wiretaps.
That brings us to the end of our program today. I hope that you've taken away some helpful information on how to combat cybersecurity issues and also deal with employee privacy in the reality of remote work today. Thank you for listening to this program.