Help us fund local COVID-19 reporting in our community

Law in the Marketplace: Security measures to take when working from home

For the Monitor
Published: 4/11/2020 7:31:28 PM

This is the second in a series of columns in Law in the Marketplace with practical tips on using federal and New Hampshire laws and orders to deal with the COVID-19 pandemic.

Many of us are working from home these days, and that’s opened up a whole new world of questions.

To dig deeper, I turned to my colleague Cameron Shilling, who is a leading cybersecurity attorney in New Hampshire, and chairs McLane Middleton’s Information Privacy and Security Group.

As New Hampshire businesses rapidly transition to remote workforces to combat the coronavirus, some already support remote work with sound cybersecurity protocols. For them, the transition may occur fluidly. Businesses that lack these protocols, may face serious cybersecurity risks.

Here’s what to consider.


Businesses that already have cybersecurity protocols for remote working should ensure that their employees are fully aware of them and fully comply with them.

Businesses that do not should immediately create temporary protocols and, as soon as possible, they should create permanent ones.

Both the temporary protocols and the permanent ones should reflect the guidelines below.


Businesses should permit employees access to their business networks using only company computers, with encrypted hard drives, up-to-date anti-virus/anti-malware, strong passphrases/passwords, and locks after 15 minutes of inactivity. Employees should not have administrator privileges. Employees should be instructed to shut down their company computers when not in use, and not to allow family members to use them.

Virtual Private Network

Access to a company’s network should be only through a secure company virtual private network (VPN), which has multi-factor authentication, prevents downloading to a local drive, prevents access to local printers and internet-of-thing (IoT) devices, and is configured with robust logging.

Employees should not be allowed to use the VPN on a personal computer.

Video Conferencing

Businesses should require participants in video conferences to use passwords to access the meetings, should limit or prevent participants from sharing content, and should structure meetings as webinars instead of conference whenever possible.

Mobile Devices

Businesses should permit employees to access company email only using a mobile device that has a password or biometric. More effective controls exist with a mobile device management application.


Remote access to company email and cloud storage should be allowed only using a company computer or mobile device discussed above, with a strong password and multi-factor authentication. Outlook Web Access should be disabled.


Home and public wi-fi are vulnerable. Employees should be prohibited from using insecure public networks. Businesses should ensure that home networks of executives have a company monitored firewall, and that other employees use a VPN described above.

External drives

Businesses should prohibit employees from using external or USB drives, unless encrypted and company-owned. Disabling USB ports or installing an application that encrypts drives are effective protections.

Attacks and crime

Hackers are capitalizing on the coronavirus crisis. Businesses should have safeguards against phishing and social engineering, such as headers alerting employees to emails from outside the organization, a button permitting employees to forward suspicious email to their information technology (IT) department, and a ‘sandbox’ that executes links and attachments in a safe environment. Businesses also should require employees to confirm the authenticity of every monetary transaction via a secondary authorization (such as voice confirmation).


Privacy laws remain in effect during this crisis, including laws protecting health and personal information (including HIPAA, the European General Data Protection Regulation and the California Consumer Privacy Act). Businesses must not disclose health or personal information about anyone who is or may be affected by the coronavirus unless they comply with statutory requirements.

(John Cunningham is a Concord tax and business lawyer. He has published “Limited Liability Company Operating Agreements” and “Maximizing Pass-Through Deductions under Internal Revenue Code Section 199A.” Both are the leading books in their fields.)

Concord Monitor Office

1 Monitor Drive
Concord,NH 03301


© 2019 Concord Monitor
Terms & Conditions - Privacy Policy