Editor's note: This column is part of a series featuring Lakeshore experts offering advice to small businesses as they navigate their recovery through the COVID-19 crisis.
COVID-19 has brought concerns about remote work into sharp relief and has forced employers to confront myriad challenges relating to privacy and cybersecurity. As businesses scrambled to find new ways to communicate and to safeguard data, cybercriminals wasted no time trying to take advantage of the pandemic. As soon as most states began requiring non-essential employees to work from home last spring, ransomware attacks increased by 148%. Google counted more than 18 million malware and phishing emails each day in April and, by May, the FBI’s complaints regarding cybercrime had doubled.
I have connected with Hal Ostrow — a fellow shareholder at my firm and a transactional attorney who regularly advises clients on matters involving cybersecurity, data aggregation, and information technology — to help understand concerns relating to remote work and how employers can respond to concerns regarding cybersecurity and privacy within their organization.
Many people have been wanting to work remotely — full or part time — for years. Work-from-home requirements issued in response to this year’s pandemic have helped overcome the preconceived notion held by many that a remote workforce would not be as productive as a more traditional, on-premises workforce. Indeed, data tells us that most employers plan to offer remote work options even after it is safe to have all employees on premises full time. Such employers will need to overcome obstacles relating to cybersecurity and privacy.
Security vs. simplicity
Employers should have policies governing where and how employers’ information is stored and accessed, particularly when storing and accessing this information from outside of a secure office network. Policies relating to employers’ data, and customers’ data, should balance security and simplicity. The harder employers make it for employees to work, the more motivated employees will be to find simpler workarounds. Those simpler workarounds often are less secure than commercial services and can place the data at risk. By having — and enforcing — policies requiring employees to only use certain services, and by making those services user-friendly, employers can keep their data and their customers’ data as safe as possible.
Securing home networks and environment
Just as commercial file storage services often offer more robust security than consumer-grade services, the same is true for home networks. When we’re in our offices, our data and devices are often protected by more robust hardware, such as firewalls and policies governing access to various components of our network. Many companies have full-time IT staff or outside consultants, or both, who are constantly updating the business’ network security. Most home networks don’t have anything close to the same level of security. In addition, home networks have an increasing number of devices connected to them, which cybercriminals can use to gain access to other devices on the network.
It’s very difficult to require employees to maintain a certain level of security on their home networks. A more effective approach, in terms of enforceability and compliance, is to have recommendations on home network security settings and requirements regarding computers, tablets, and phones used to access work data. For example, an employer can recommend that home networks have:
- Guest networks that do not permit file transfers.
- Devices that are manually approved before gaining access to the network.
- Passwords that contain a certain number of characters, etc.
An employer can require that computers used to access work data disable file sharing and various incoming connections, contain certain security mechanisms, and be accessed solely by the employee.
Home environments also pose challenges. For example, always-on cameras and microphones can detect and record what are supposed to be confidential meetings. Visitors can also overhear what should be private conversations. Employers can’t mandate who is and isn’t in a home where an employee is working, but it can help for employees to be more situationally aware and have a dedicated workspace, which may be free of smart devices, nanny cams, and other threats to privacy or confidentiality.
In 2020, we’ve heard toilets flush during a Supreme Court argument; we’ve learned a new term, “Zoombombing”; and we’ve celebrated birthdays, holidays, and lifecycle events on Zoom. While a number of concerns about videoconferencing are related to productivity and professionalism, there are also several privacy concerns regarding meeting attendees, file sharing, and screen sharing.
Employers should make sure their videoconferencing policies require that users register for a videoconference; that meetings require passwords and, where possible, waiting rooms; that screen sharing/recording and file sharing are controlled by the meeting organizer; and that the meeting organizer has the ability to remove from a meeting any participants who aren’t invited or aren’t cooperating.
Peter D. Rhoades has called the Lakeshore home since attending Hope College and beginning his solo private law practice in Holland in 1993. Engaged in numerous community organizations, Peter continues to serve as a board member and past chair of the Boys & Girls Club of Greater Holland. Over five years ago, he joined Rhoades McKee, which also includes his sister, Mary Jane Rhoades. Rhoades McKee, a full-service comprehensive law firm with offices in Holland, Hastings, and Grand Rapids, was founded by his father, Dale Rhoades, in 1959.
If you have a topic or question you would like Peter to address, send an email to Managing Editor Shandra Martinez at firstname.lastname@example.org.