The early response to COVID-19 left many workplaces in the lurch. People left the office expecting to be back in a week or two and didn’t return until recently. Some still haven’t come back. Law offices adapted by working with their IT teams and support staff to get laptops, virtual private networks and other electronic tools to staff. While this kept those firms operating then, today it presents a myriad of risks.
Employees have begun returning to the office with devices that have spent a year or more outside of the firm’s secure network. Work laptops were used to shop for hand sanitizer. Tablets were lent to the kids for early remote schooling sessions. Phones provided access to work email as well as late-night Netflix binging.
Firms must now consider the risk of those mobile devices returning to the workplace.
What are the Risks?
Remote work poses many risks. If your firm’s tech team didn’t play a role in setting up remote employees’ virtual private networks (VPNs), that’s a risk that may invite malware to enter your office. If employees used their devices for personal reasons outside of a secure VPN, that opens the device to new opportunities for hackers. Additionally, with the increased use of cloud services during COVID-19, there are more endpoints into the firm’s systems to be protected or breached.
Moreover, how your firm managed mobile device use and security during the pandemic might affect the firm’s cybersecurity insurance coverage, exposing your firm to greater risk.
As workers and their devices return to the office, law firm managers cannot rely on just being told virus protection was installed early in the pandemic. That software needs to be updated regularly. With employees working from home, there’s a risk updates were missed.
How can you Protect your Firm?
As employees begin to return to the office, firms need to evaluate, scan, plan and monitor all devices and systems. This will help to ensure your information is as safe as possible.
Evaluate:
Evaluate each employee’s device by asking:
- Were your employees on a VPN at home?
- Did the firm manage or assist in setting up that VPN?
- Have your employees received cybersecurity training?
- Did your employees use work devices for any personal purposes?
- Which devices received regular security software patches, and when was the last update?
- Where was confidential data saved?
- Did employees share passwords?
Scan:
Asking questions gives you a good baseline understanding of some risks. However, you must scan all incoming devices and accounts for unauthorized apps, software and any other hidden vulnerabilities. Skipping this step invites unnecessary risk.
Plan:
Once all devices and systems have been evaluated and scanned, create a digital hygiene plan that ensures every device receives regular antivirus software updates. You should also schedule employees to receive annual cybersecurity training.
Monitor:
Finally, moving forward, all devices should be monitored. Your IT team can set up a system to flag suspicious activities and track changes in apps and usage. IT should also be able to either seal a device off from the firm’s network or, in cases of loss or theft, remotely wipe any sensitive data to ensure the firm and its clients are protected.
Returning to the office is just as daunting for cybersecurity reasons as it is for social reasons. Understanding your risk and ensuring the firm takes the steps necessary to guarantee compliance with its professional liability coverage is important. Having strong cybersecurity and digital hygiene practices in place is paramount.