In these strange and uncertain times, a significant number of employees will be working from home for the foreseeable future. For many that will be a new experience and for others, at least, a significant change in working pattern. For many employees, and employers, the right infrastructure and measures might not be in place, or if they are, they may not have been properly tested.
Cybercriminals do not care and are already taking advantage. Organisations and their employees, as well as individuals, all need to be extra vigilant and exercise caution. Here are some of the key things to think about.
Now, more than ever before, we are relying on our digital systems and infrastructure to allow our organisations to continue to function, and to allow our employees to have contact with each other, with clients, customers and other third parties. On a personal level too, our primary contact with those outside our home will be on a digital platform.
A broad-based cyber attack could therefore have a devastating impact, not only on an organisational level, but there could also be a risk of widespread infrastructure failures that could take down entire networks and leave people completely isolated.
Everyone needs to be more cyber-aware than ever.
Phishing attacks often provide hackers with the first route into an organisation. They are commonly hidden in emails where individuals are invited to click on links that take them to webpages run by cybercriminals, who are extremely creative in devising new ways to exploit users and technology to access passwords, networks and data. When working from home, away from other colleagues and the workplace environment, and perhaps distracted by children or other family members at home, people may be less vigilant and may click on a link they would have thought twice about in the office.
The National Cyber Security Centre (NCSC) is urging businesses and the public to consult its online guidance, including how to spot and deal with suspicious emails, as well as mitigate and defend against malware and ransomware. In the last week, the NCSC has also issued guidance for organisations on preparing for an increase in homeworking.
Employers should remind employees to think carefully about opening unsolicited emails and/or links within those emails and being wary of attachments and clicking on any hyperlinks within attachments. Employees also need to be careful about revealing sensitive or financial information in an email and should not respond to unsolicited email requests for this information.
Many people are understandably interested in information specifically relating to the coronavirus and it has been widely reported that hackers are already preying on people's heightened anxiety and desire for more information in this area. Individuals must take care to check that any emails received are from a trusted source and not allow curiosity for detail on COVID-19 to override their need to remain vigilant.
The NCSC guidance on homeworking includes a reminder that the most important thing is for employees not to panic if they do click on a link that is suspicious and to contact their IT department to let them know.
Clearly it is best to not get to that position at all. Make sure workers are reminded of their cybersecurity training and consider if it is necessary, or prudent, to issue additional guidance given the additional cybersecurity challenges that need to be managed.
Anyone accessing a corporate network should be doing so via a virtual private network (VPN), creating an encrypted network connection that authenticates the user and/or device and encrypts any data in transit.
However, working on laptops and other devices away from the office will mean they are at more risk of being lost or stolen. Many devices have the tools to allow data to be retrieved and/or wiped remotely in the event that a device is lost, but the effectiveness of those tools depends on the device being adequately secured, and on any theft or loss being reported immediately. Ensure workers understand the importance of installing software and security updates on their devices and of setting strong passwords, so that the devices are fully protected, and make clear what workers need to do to help with this.
In addition, not everyone will be set up to work from home as effectively as from the office and it is more likely that people might consider using their own personal devices to support them. They may not realise the risks involved in forwarding company or personal data to personal email accounts, or accessing it on personal devices to allow multiple documents to be viewed at the same time, or perhaps documents to be printed more easily. Organisations need to make sure employees are aware of their position on using personal devices to work remotely and, if the use of personal devices is allowed, are fully up to speed with the bring your own device to work (BYOD) policy.
The Information Commissioner's Office (ICO) has also acknowledged that we are all facing unprecedented challenges during the coronavirus pandemic. Clearly data protection laws remain in place but the ICO has accepted that information may need to be shared more quickly and people may need to adapt the way they normally work. It has produced some guidance on dealing with personal data during this time.
For example the government, the NHS and other organisations will need to make sure people get vital public health messages via phone, email or text and individuals will not need to give them consent for this to happen. If a person becomes ill with coronavirus, their employer might need to tell colleagues, but this does not mean they will need to give out the individual's name.
The ICO has also accepted that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. The ICO will not penalise organisations that need to prioritise other areas or adapt their usual approach during this extraordinary period. The guidance acknowledges that as a consequence, individuals may experience delays in responding to information rights requests, such as data subject access.
Any data protection breach will still however require an organisation to notify the appropriate data protection authority - in the UK, this is the ICO. There may also be an obligation to notify the applicable sector regulator, for those engaged in regulated business. Notwithstanding the unprecedented challenges, organisations still risk facing substantial penalties for breaches involving personal data.
The message is clear: remain vigilant and make sure employees do not let their guard down because they are working remotely.
- Organisations need to make sure employees have access to protected devices and connections.
- If possible, have a dedicated source of help available for queries and problems to be raised.
- Warn employees about the increased likelihood of phishing attempts and scams and ask them to remind themselves of any company policies that may be available.
- Stress the importance of ensuring all available updates are downloaded onto company devices and of individuals using strong unique passwords.
- Remind employees about any BYOD policy and the issues that could arise if personal devices are used for business purposes.
- Stress that employees should report any suspicious emails. If there is any doubt that an email is genuine, just don't open it - better to be safe than sorry.