COVID-19 Business, but not as we knew it
Cybersecurity
Five tips for secure remote working
This information is offered on the basis that it is a general guide only and not a substitute for legal advice. We cannot accept any responsibility for any liabilities of any kind incurred in reliance on this information.
Businesses large and small are struggling to cope with the ongoing impact of the COVID-19 pandemic, as many regular officegoers adapt to remote working for the foreseeable future. This rapid, unprecedented shift has highlighted multiple ways companies are struggling to maintain not just business continuity, but also their data security and privacy obligations. While regulators will perhaps be sympathetic to enterprises grappling with these challenges, now is an excellent time for organisations to evaluate their technical and organisational measures, and address gaps in their cyber security approach. We walk you through our five top tips for maintaining safe and secure remote working.
Johnathan Rees, Partner, johnathan.rees@laytons.com, +44 (0)20 7842 8009
Marguerite Kenner, Solicitor, marguerite.kenner@laytons.com, +44 (0)20 7842 8000
1. A Robust Password Policy
Like toothbrushes, passwords work best when you choose a good one, it’s not shared with anyone else, and it’s regularly changed. Automation tools that impose forced expiry dates provide additional security, such as with furloughed employees. For a more robust system, enable two factor authentication – that is, requiring an SMS message or email with an additional password when a user wants to access a system.
2. Maintaining Good Data Hygiene
Good password practice applies to home systems as well as office hardware. Default router passwords for home networks are easy for hackers to discover and should be changed. While ideally most employees will have laptops or other devices configured by their IT staff which can be physically secured when not in use, Bring Your Own Device schemes are more common and present their own challenges. Use of VPNs, security tokens, and two-factor authentication can help maintain good data hygiene by keeping confidential information within secure environments. Personal accounts, especially those on social media networks, should be accessed from outside these environments and ideally, only from personal devices.
3. Video Conference Procedures
Videoconferences may help alleviate the stress of employees missing kitchen conversation, but they may also lead to risk. Assembling a short checklist in preparation for a call can help, and might include tips such as making sure no confidential material is visible on work surfaces or backgrounds. Moderators of such calls should encourage everyone to identify themselves, whether by voice or video, to ensure all participants are genuine. Meeting rooms should be locked once the call starts to prevent disruption. Web cams should be disabled, disconnected or covered when not in use.
4. Cybercrime Vigilance
Cyber criminals of all stripes are utilising old practices with new framing narratives to take advantage of a home workforce. Phishing and malware campaigns with COVID-19 themes or impersonating health authorities have led to a rise in ransomware attacks. To support employees who may be under increased pressure and suffering from lack of focus, send short and regular reminders of a company’s IT support resources when they receive suspicious links or attachments, and how to seek more help quickly if needed.
Likewise, IT professionals should remain vigilant for established exploits such as ‘Patch Tuesday’ attacks or physical interception of IT equipment en route to an employee. Crisis response playbooks and critical security checklists need to be updated – even minimally – to adjust for remote working of IT staff and any inability to physically access vital systems such as on premises server logs in older, more vulnerable environments.
5. Communication and Documentation
Ensure all members of your team know how and when to report a potential data breach. This can be anything from a contemporaneous and informal call to internal ticketing systems. If investigating staff require documentation, make that clear at the intake stage to save time. Use concise, informative communications and direct them to the appropriate teams. For example, volume contract processing staff may need added reminders to verify the source of unsolicited email attachments with a telephone call before opening. Lengthy emails about cybersecurity are likely to go unread by many. Aim for impactful communication of key points, with plenty of signposting where more information can be readily located, such as existing policies and any COVID-19 related changes and updates.
"Remember that devices have eyes and ears."
Review crisis response plans or business disruption reporting lines to make sure they are current and contain all necessary contact information. Check whether critical response windows – internally or with third party vendors – need to be adjusted to avoid delay or confusion in the event of a breach. Finally, make sure there’s a plan in place for how a breach could be securely investigated without compromising confidentiality or legal privilege. Remember that regulators will focus on what procedures and policies are in place, and how well they were adhered to, should an investigation arise.
Expertise
Corporate & Commercial
We provide a complete range of corporate and commercial advice and support for clients who extend from start-ups, individual entrepreneurs and family offices to multinational corporations. We advise on every facet of our client’s corporate legal needs through the complete life-cycle of an enterprise, from its inception, through its growth and expansion to, perhaps, its sale or flotation on a public market. Our teams focus on acquiring a deep understanding of the particular needs and objectives of our clients to deliver advice and outcomes that are tailored to those needs and objectives and which meet them swiftly and cost-effectively. The approach to technical problems is informed, insightful and proportionate, and we take pride in viewing problems from a fresh perspective to provide innovative solutions.
John Gavan, Partner, john.gavan@laytons.com, +44 (0)20 7842 8000
Esther Gunaratnam, Partner, esther.gunaratnam@laytons.com, +44 (0)20 7842 8000
Dimitri Iesini, Partner, dimitri.iesini@laytons.com, +44 (0)20 7842 8081
Robert MacGinn, Partner, robert.macginn@laytons.com, +44 (0)20 7842 8000
Brian Miller, Partner, brian.miller@laytons.com, +44 (0)20 7842 8000
Daniel Oldfield, Partner, daniel.oldfield@laytons.com, +44 (0)20 7842 8037
Daniele Penna, Partner, daniele.penna@laytons.com, +44 (0)20 7842 8053
Johnathan Rees, Partner, johnathan.rees@laytons.com, +44 (0)20 7842 8009
Christopher Sherliker, Partner, christopher.sherliker@laytons.com, +44 (0)20 7842 8015
Cameron Sunter, Partner, cameron.sunter@laytons.com, +44 (0)20 7842 8036
Liza Zucconi, Partner, liza.zucconi@laytons.com, +44 (0)20 7842 8092
2 More London Riverside, London SE1 2AP +44 (0)20 7842 8000 | london@laytons.com laytons.com
© Laytons LLP which is authorised and regulated by the Solicitors Regulation Authority (SRA Nº 566807). A list of members is available for inspection at the above offices.