The coronavirus outbreak is spawning an army of telecommuters whose growing numbers could expose the cybersecurity holes of unprepared Long Island businesses, technology, business and legal experts say.
Companies large and small with varying degrees of expertise in managing telecommuters have dispatched laptop-toting employees to work at home as New York mandates the closure of non-essential businesses.
Companies large and small with varying degrees of expertise in managing telecommuters are dispatching laptop-toting employees to work at home in response to government guidance calling for "social distancing."
That telecommuting wave potentially could expose the data of flat-footed organizations, said Stephen Breidenbach, co-chair of the cybersecurity, privacy and technology practice at the law firm Moritt Hock & Hamroff in Garden City.
"A lot of companies haven't prepared for this," he said, and hackers are constantly sending out automated "bots" to scan networks for their soft underbelly.
"Once they get a response, they hit it with everything they've got," Breidenbach said. "It doesn't take that much to get into a system."
A 2019 study by the Federal Reserve Bank of St. Louis found that though the remote working trend has been growing, only 3% of full-time U.S. employees were telecommuting as of 2017, up from 0.7% in 1980.
All that has changed in recent days as businesses seek to sustain operations while shielding workers from the virus.
On Friday, Gov. Andrew M. Cuomo ordered all non-essential businesses in the state to close in an effort to slow the spread of the virus that causes COVID-19. The edict, exempting grocery stores, Internet service providers, pharmacies and other providers of “essential services,” goes into effect Sunday night.
Henry Schein Inc., a Melville-based distributor of dental and medical products and Long Island's largest public company by revenue, began a "work-from-home policy" for many of its 19,000 employees worldwide on March 16.
At Edge Electronics Inc., a Bohemia electronics components distributor, about 85% of its 42 employees are working remotely, said president and chief executive Adrienne Giannone.
A client letter from Kaufman Dolowich & Voluck LLP, a law firm with offices in Woodbury and nationwide, said the firm is encouraging colleagues to telecommute.
Just a "handful" out of a staff of 50 remained at the offices of Bohemia accountancy Cerini & Associates LLP, said founder Ken Cerini. "We're pretty much closed here."
Adam Schwam, president and chief executive of Farmingdale-based Sandwire Corp., an IT services manager that maintains about 5,000 devices for its clients, said the sudden upsurge in remote working can strain company resources.
"Let's say you had a company of 100 people with 10 people telecommuting," he said. "Now you have 90 [telecommuting]."
Breidenbach said that the telecommuting volume alone could put some companies at risk.
"Do you have the infrastructure to have that data going in and out?" he asked.
Another potential weak spot comes when telecommuters' machines lack basic defenses like virtual private network software used in creating secure connections.
VPNs create an encrypted tunnel between two machines, but failure to install the software opens the possibility that a hacker could intercept the traffic.
Schwam said that businesses also are increasingly adopting two-factor authentication, which adds a layer of security on top of the standard user name and password.
Two-factor authentication requires users to insert a special key or enter a code sent to a mobile device or generated by an app on a mobile device.
Steven Kuperschmid, co-chair of the cybersecurity and data privacy practice group at Ruskin Moscou Faltischek P.C. in Uniondale, said that telecommuters should beware of downloading email attachments.
Hackers use "social engineering" to impersonate colleagues, IT staff or even the federal Centers for Disease Control and Prevention to trick email recipients into falling for a "phishing" scam and clicking on a link that downloads malware.
Even a simple Google search could put a system in jeopardy, said Nikolaos Nikiforakis, a computer science professor at Stony Brook University.
For instance, new telecommuters could search for software to hold remote teleconferences with co-workers. Instead of clicking on the link for the maker of the software, they may click on an advertising link from a third party that carries malware.
"People have to be extra vigilant," Nikiforakis said.
Tensions within an organization also can open security holes for hackers, Breidenbach said.
In larger organizations, the IT staff typically seeks to expedite the log-ins of users, sometimes in ways that are at odds with best security practices.
"Just because you have an IT staff, that doesn't mean they're security conscious," Breidenbach said. "There's a struggle between computer security and the IT staff."
Cyber-attacks strike even the largest Long Island companies.
In 2018, Veeco Instruments Inc., a Plainview maker of equipment used to manufacture semiconductors and solid-state lighting, disclosed that its computer systems were hacked.
In 2019, Verint Systems Inc., a Melville maker of cybersecurity software, said hackers mounted an unsuccessful ransomware attack.
An April 2019 report by The Hiscox Group, a specialty insurer and cybersecurity training company in Bermuda, found that 53% of U.S. businesses reported a cyberattack within the prior 12 months, up from 38% during the previous 12-month period.
The average cost of a U.S. cyber incident was $119,000, the study said.
Exacerbating the problem is that many cybercriminals are operating in countries that have no extradition treaties with the United States, putting them outside the reach of the law, Breidenbach said.
"I'm not going to be able to go into Russia and say, 'Give me this guy's computer,'" he said.
Organizations that do get hacked face weightier risks than simply paying ransom to an overseas hacker.
"Forget ransom," said Cerini. "It's letting your clients know your system has been compromised, that their social security numbers are out there. That creates loss of faith."
Still, cybersecurity is just one front of a larger struggle with the impact of the new coronavirus, Schwam said.
"In the grand scheme, I think no one can escape this," he said. "We're fighting a war now."
Telecommuting security tips
Issue: Letting workers connect to business systems with their own computers, tablets or smartphones.
Solution: Supply secure computing devices or require workers to let the IT department install security software such as virtual private networks (VPNs) on personal devices.
Issue: Phishing scams in which hackers pose as trusted clients, colleagues (such as the IT staff) or even the Centers for Disease Control.
Solution: Educate your workers to examine messages, including URLs, to ensure they actually came from a trusted source.
Issue: User is uncertain if a URL or file is legitimate or fake.
Solution: Before clicking, scan the URL or file with VirusTotal (virustotal.com/gui/home/upload), a solution recommended by Theresa Payton, former White House chief information officer and now chief executive at cybersecurity firm Fortalice Solutions.
Issue: Losing track of sensitive digital or physical files that are removed from company facilities.
Solution: Take an inventory of all important files, digital and physical, that pass into the possession of employees.
Issue: Employees use personal email or unsecure cloud storage to transfer files.
Solution: Educate workers to use only company email and company-approved file-sharing services.
Issue: Employees are careless in sharing or storing passwords.
Solution: Two-factor authentication adds another layer of security through a code often generated via test message or a mobile app.
Issue: Free public wifi networks are insecure and can be harnessed by hackers.
Solution: Educate workers to use secure wifi networks and a VPN as an additional layer of protection.