The spread of coronavirus (COVID-19) in the United States could cause major disruption to business operations across the globe. Corporations are now engaged in daily risk assessments when it comes to protecting individual lives, corporate assets, and how best to maintain continuity of operations.

Employers are having to make hard decisions about whether employees can continue to physically operate from established offices and designated work spaces or whether to allow employees to work from home. Our Labor & Employment Team has identified many issues that corporations and their management teams will need to consider in the coming weeks and months.

COVID-19 is having far-reaching effects well beyond individual health. While developments related to the outbreak are rapidly evolving, companies should expand their contingency planning and decision making to ensure privacy and cybersecurity risks are adequately incorporated.

Unfortunately, with any crisis comes bad actors seeking to exploit the crisis for all types of nefarious reasons. COVID-19 is no exception. Corporations and their management teams should consider a few key privacy and data security items in their planning.

1. Fraud and scams preying on fear; malicious phishing attempts

The WHO recently published an alert warning of scams and malicious emails associated with COVID-19. The alert warned of criminals disguising themselves as WHO representatives in order to steal money or sensitive information. Attackers are using malicious links and PDF documents claiming to contain information on how to protect yourself from the disease.

Wired recently reported on such attempts and included a screenshot example of the types of attacks launched that are connected to fear generated by COVID-19. Trustwave also reported on February 13, 2020, of multiple phishing attacks involving stealing Microsoft Office 365 credentials using a COVID-19 theme.

The WHO alert also provides guidance related to managing risks related to these types of scams. For example, the alert provides detailed guidance on how to prevent phishing scams by verifying sender information through checking the sender’s email address, checking links before clicking, providing personal information only to know individuals, and carefully considering requests for personal information. The alert provides a mechanism to report scams.

What can companies do to counter this?

Companies should closely follow reporting of COVID-19-related cyberattacks and consider subscribing to The Office of Homeland Security Cybersecurity and Infrastructure Agency’s (CISA) alert subscription service.

Additionally, they should designate a management representative to closely coordinate with information technology teams and security teams to consider how best to disseminate messaging related to cyber risks to individual employees.

As companies focus on how best to communicate to employees during this disruptive period, cybersecurity messaging should be a strong consideration for management teams.

2. The increased reliance on and use of Virtual Private Networks

In the event a company faces a large quarantine of its workforce, employees may still access a company’s network while working remotely at home. The Virtual Private Network (VPN) redirects an employee’s connection through the employee’s internet service provider via a remote service run by the VPN provider. The server becomes the secure launching page for the transfer of encrypted data and a masking of the employee’s IP address.

In January, CISA posted an alert on a specific vulnerability associated with remote code execution that can be compromised in an attack. The alert identified the particular VPN provider and noted the software patch needed to fix the vulnerability.

What can companies do to counter this?

The challenge presented by increased employee traffic through a company’s VPN provider, which is the result of more employees working remotely, is a larger community of potential targets for exploitation.

Moreover, regular software patching during a period of disrupted operations becomes increasingly more difficult given the uncertainty associated with the inability to have information technology representatives on site and either physically or remotely executing such patches.

Companies should account for potential disruptions in updates, performance of vendor services, and timely system upgrades and factor this into risk planning for a remote workforce.

Consultation and planning with corporate owners in advance of a quarantine could yield valuable results prior to any disruption.

3. Business continuity and supply chain disruption

The reliance on third-party outsourced information technology service providers among companies operating in the U.S. is another factor for consideration in assessing the likely impact of COVID-19.

Specifically, for business relying on third parties that may be located or provide information technology operations, software development, or production capability in a virus “hot zone,” there could be disruption that creates vulnerabilities or significantly disrupts operations for corporate offices and employees.

The inability to obtain hardware, software, or other critical items related to IT infrastructure could have operational and security implications for business far beyond the scope of what is defined in traditional business continuity plans.

What can companies do to counter this?

In response to these risks, companies should review and update their business continuity plans in consideration of possible disruption to their information technology supply chains.

Information technology teams should quickly identify alternative markets and suppliers, alternative vendors and contingency plans in the event that critical infrastructure, including hardware and software, are impacted during the duration of outbreak.

Additionally, for outsourced operations involving the use of personnel in affected jurisdictions, companies should similarly be identifying alternative labor pools with technical capabilities and capacity in the event of disruption.