Maintaining Data Security Practices in a Newly Virtual Workplace
March 26, 2020
Brooke Penrose is an associate in Burns & Levinson’s Intellectual Property and Privacy & Data Security practice groups. She concentrates her practice on counseling creators and innovators in a variety of intellectual property transactional matters. Brooke counsels a wide array of clients in navigating the ever-changing landscape of privacy and data security laws. She can be reached at bpenrose@burnslev.com or 617.345.3287.
Over the last few weeks, businesses across industries have been forced to rapidly evolve into virtual workplaces in order to accommodate an unprecedented portion of the workforce working from home in support of the social distancing efforts meant to dampen the spread of COVID-19. Operating a virtual workplace to safeguard the physical health of our workforce, though, should be done in parallel with safeguarding a business’ data, particularly any personal data. Here are some key operational tips to help ensure that data security best practices carry over in the transition to a virtual workplace:
- Restrict Access. Ensure that access to any business data requires log-in credentials (whether through VPNs, cloud storage solutions, device locks, etc.) so that only authorized users can access your business’ data. A username and strong password need to be required each time a user wants to access your business’ data. Employees should be required to adopt strong passwords (e.g., at least eight characters, containing at least one letter, number, and special character), change passwords at least quarterly, and avoid reusing passwords across different services. If data is particularly sensitive, adopt enhanced security features, such as two-factor authentication.
- Secure Network. Employees should only connect their work devices to password-protected networks with secure settings that are not open for public access. If possible, employees should use routers that are protected with WPA2 or WPA3 encryption settings. Employees can typically check their network security settings by reviewing their network settings on their device.
- Secure Device. Where possible, employees should be required to maintain separate devices for work that will not be shared with other household members or put to personal use. In addition, any device used to access the business’ data should be required to be kept up to date with anti-virus and anti-malware software. If data is particularly sensitive, adopt enhanced restrictions such as data encryption and/or remote data wipe capabilities. Finally, users should be diligent about investigating third-party apps and other downloadable software before downloading them onto their work devices. Use of the COVID-19 outbreak by cybercriminals is rampant, and there are already examples of apps preying on people’s concern over the outbreak by claiming to offer features that allow the user to locate N-95 masks or notify users when an infected person is nearby. Instead, these apps infect the user’s device with ransomware, spyware or malware. Users should be alerted to these scams and encouraged to avoid downloading third-party apps on work devices, particularly if the app purports to relate to the COVID-19 outbreak or offers functionality that seems too good to be true.
- Monitor Activity. Your business’ IT or other appropriate network administrator should continue to be on the lookout for suspicious network activity, such as significant and unexpected spikes in traffic. Consider adopting an intrusion detection system for your business’ network.
- Observe Existing Policy and Procedures. Finally, keep in mind that all the “best practices” for data security in a traditional workplace still apply. Do not open attachments from people you don’t know, don’t share your passwords with others, and be mindful of phishing attempts and other suspicious emails that ask users to provide information that could enable someone to access data without authorization.
Ideally, many of these principles should already be reflected in your business’ written information security policy and/or its privacy policy, and employees should regularly be reminded of their obligations to maintain the security of the business’ data. Given the massive shift to remote work, though, this may be an opportunity for your business to revisit its existing policies and practices and consider updates, particularly if its policies and practices have not been reviewed and updated recently.