Annalisa Kolb
Associate Editor
Loyola University Chicago School of Law, J.D. 2023
There is no doubt that the COVID-19 pandemic has affected almost every aspect of life for people around the globe. While the internet has allowed people to stay connected and continue working from home, it has also presented an opportunity for cybercriminals to take advantage of susceptible remote working setups. Cybercrime has significantly increased since the start of the pandemic, prompting corporations to mitigate the risk of a data breach against an onslaught of new vulnerabilities to their internal systems.
Challenges of a remote workforce
Once the pandemic hit, corporations had to swiftly make unprecedented decisions of how to proceed with their employees working remotely. Having a remote workforce comes with numerous dangers when employees rely on their home networks and their own devices to connect to their employers’ online systems. Our increased reliance on digital communication and electronic devices has left us more vulnerable to cyberattacks than ever before. Cloud-connected applications like Google Drive, email and attachments, and third-party messaging systems all hold valuable information and are vulnerable to bad actors. Organizations’ office networks usually have robust security measures, including firewalls, black or whitelisted IP addresses, and closed internal networks. These protections are often not available or as robust for in-home networks.
Not only does working from home present technology concerns, employees’ shifting work habits are also an important security consideration. The Society of Human Resource Management found that thirty-five percent of employees reported feeling tired or having less energy when working from home. Similarly, employees also felt a lack of motivation while working remotely and are more likely to be distracted in their homes. These figures present a significant concern for employers as tired or unmotivated employees are more likely to make careless mistakes.
Evolving cyberattack tactics
Online bad actors have not only taken advantage of the increased network vulnerabilities, but they are also tailoring their attack methods to prey on human fear and the uncertainty brought on by the pandemic. According to the security firm KnowBe4, COVID-19 related phishing emails have increased by 600 percent. Bad actors use these scam emails to exploit concerns about the virus and fool people into handing over sensitive information or downloading malicious attachments. For example, some phishing emails will have a COVID-19 related news story added to their “from” lines to bypass security software meant to filter out illegitimate emails. Attackers actively keep up with the latest pandemic developments to make the emails seem legitimate.
Multiple known malware groups have weaponized COVID-19 information websites and news stories to spread malicious software. The Cybersecurity & Infrastructure Security Agency (“CISA”) reported that one popular type of malware, Trickbot, is actively using COVID-19 financial aid themes to entice clicks. Another, AZORult, is being spread by using a fake case tracking website.
Businesses can mitigate risk
Despite the increased risks, remote work is likely here to stay. A Gartner survey found that eighty-two percent of company leaders plan to allow employees to continue working from home at least some of the time, with forty-seven percent responding that they will give employees the option to work from home full-time. Although it is impossible for a system to be completely impenetrable, organizations should take steps to mitigate the risk of an attack. The NIST framework outlines the five pillars of cybersecurity as protection, detection, identification, response, and recovery.
To begin, organizations must bolster their network capacity to allow an increase in remote traffic. Ideally, all computing devices that connect to an organization’s internal network should function under a corporate virtual private network (“VPN”) to share and store data on a virtual version of the corporate server. Since most malware is mistakenly allowed into the system by employees, educating employees and consumers about online security is another critical step to preventing a data breach. Many organizations have implemented cybersecurity training programs to provide guidance on how employees are targeted and how they can check the authenticity of external communications.
Future regulation
The absence of specific guidance from the government leaves companies largely on their own when deciding cybersecurity best practices. However, the pandemic has brought cybersecurity to the top of mind for organizations and federal and state governments. According to the National Conference of State Legislatures (“NALP”), in 2021, forty-five states either introduced or at least considered over 250 bills or resolutions dealing specifically with cybersecurity. The most commonly addressed issues include: requiring government agencies to implement cybersecurity training, set up and follow formal security policies and standards, and practice their data breach response procedure.
In July of this year, President Biden issued an Executive Order encouraging FTC rulemaking on consumer data collection. The Order encourages the FTC to consider making a rule that deals with “unfair data collection and surveillance of practices that may damage consumer competition, consumer advocacy, and consumer privacy.” Although privacy and cybersecurity are two distinct concepts, creating specific regulations protecting consumers’ online privacy will directly impact cybersecurity practices as consumer data cannot be kept private without robust cybersecurity practices. Specific and comprehensive regulation will give corporations the much-needed framework to ensure they are compliant and avoid litigation if a data breach occurs.