The novel coronavirus disease, known as COVID-19, is very disruptive to Indian tribes’ abilities to maintain a viable workforce. This month, many tribal governments are instituting policies and protocols for essential and nonessential staffing, providing alternative workplace options, and even laying off employees.
One popular option is to permit employees to work remotely from their homes. Teleworking requires the tribal government or tribal enterprise to permit employees to connect to the tribe’s information technology network via a virtual private network.
“Tribal governments implementing such an alternative workplace solution should consider simultaneously adopting heightened cybersecurity protocols and policies,” said Patrick Bergin, Managing Partner with Peebles Kidder LLP. “According to a bulletin from the United States Cybersecurity and Infrastructure Security Agency (“CISA”), VPNs can be vulnerable to attacks by malicious cyber actors, phishing emails, and neglected security updates and patches.”
In response, Bergin noted, Indian tribes can take the following steps:
- Instruct the tribal IT department or the tribe’s IT provider to update VPNs, network infrastructure devices, and devices being used to telecommute into work environments with the latest software patches and security configurations.
- Advise and warn tribal employees to be wary of an increase in phishing attempts and email scams. Employees should be advised that phishing attacks can appear to come from within the tribe’s organizational structure and from trusted vendors. In addition, phishing attacks can be disguised as charitable organizations attempting to take advantage of the COVID-19 pandemic.
- Implement multifactor authentication or strong passwords for VPN connections.
- Adopt, revise, and implement the following tribal laws and policies:
  - A telework and remote access security ordinance with the primary objective of ensuring the confidentiality, integrity, and availability/access of the system.
  - Policies related to telework and remote access methods, including tunneling, portals, remote desktop access, direct application access, and bring-your-own-device (BYOD).
  - Employee protocols to avoid social engineering and phishing attacks, as well as mitigation measures in the event of an attack.
Peebles Kidder encourages tribal leaders to contact the firm if they have questions or require legal advice on cybersecurity protocols and policies.
The firm maintains offices in Sacramento, California; Kansas City, Missouri; Rapid City, South Dakota; and Washington, D.C. All offices are adhering to their local and regional directives on social distancing and/or sheltering in place; however, all attorneys are available by phone and email, and are ready and able to meet client needs.