Measures to mitigate the outbreak of COVID-19 have led to an unprecedented increase in remote working across the board, leaving many businesses exposed to new and challenging cybersecurity threats. Here are some recommendations for compliance and data protection officers from regulators and experts.
As governments and businesses work on limiting the spread of COVID-19, social distancing measures have led to a sudden spike in remote work arrangements as companies look to adapt, survive and continue working across all sectors.
Conducting activities remotely, however, poses a number of complex challenges from a data protection perspective and many businesses will have had little time to implement remote working protocols or to adequately train and prepare their employees on the dos and don'ts of working from home.
Cybersecurity incidents have increased since the outbreak of the virus and are expected to increase further during the coming months, as fraudsters look to leverage the uncertainty created by the crisis. “There is indeed evidence that criminals are exploiting the coronavirus online, especially due to people working from home, which gives rise to a higher risk,” says Anne Vallery, partner at WilmerHale. Last week, Europol released statistics detailing the wave of opportunistic cyber-criminals coming up with new means of exploiting unsuspecting businesses and individuals during the COVID-19 crisis, labelled “pandemic profiteering”, while government authorities and regulators around the world have issued guidance on how best to mitigate these new threats.
We’ll shed light on some of the key cybersecurity challenges for organisations, and how compliance teams can help implement the right measures to protect their company’s data.
Review guidance from regulators and government authorities
In the context of COVID-19, the Irish Data Protection Commission (DPC) has recently published remote working guidance. While that guidance is aimed primarily at users rather than employers, many of the tips still apply and should inform employers’ policies and practices, according to Deputy Commissioner Graham Doyle. In addition, the DPC has previously published guidance on a range of matters that will help organisations implement remote working arrangements that are safe from a data protection standpoint, including its Guidance on Phishing and Social Engineering Attacks, Guidance on Data Security, and Portable Storage Device Recommendations.
“If companies review this guidance, particularly as regards security practices, and ensure that appropriate technical and organisational measures such as IT solutions and clear comprehensive usage and data security policies are implemented to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage to personal data, data protection should not be a barrier to remote or flexible working arrangements,” says Doyle.
Similarly, the UK’s Information Commissioner’s Office (ICO) has made it clear that data protection should not be a barrier to homeworking, and the UK National Cyber Security Centre (NCSC) has issued tips to help organisations prepare for an increase in home working, including advice on spotting coronavirus-related scams. The EU Agency for Cybersecurity (ENISA) has also published best practices for cybersecurity when working from home, while the US Cybersecurity and Infrastructure Security Agency (CISA) has released tips on defending against COVID-19 cyber scams and risk management advice in light of the novel coronavirus crisis. “There is a stream of guidance on homeworking being issued currently including some that detail preparing your organisation and staff, which contain helpful practice guidance,” says Grant Campbell, partner at Brodies LLP. “Keeping an eye on that guidance would be highly recommended.”
Conduct a risk assessment
While many organisations allowed home working to happen pre-COVID-19 as part of more general flexible working arrangements, companies need to ensure that they apply the same kinds of security measures that they would use in normal circumstances, while also reviewing new risks in light of the current situation.
“Any company that has previously had at least some employees working from home part of the time should already have security measures in place, but the scale of homeworking during a pandemic may test the robustness of those measures,” says Sue Foster, of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo LLP. “Assessing weaknesses and rolling out appropriate security solutions for homeworking should be one of the very highest priorities of companies during the pandemic.”
It is not only in the business’ interest to keep systems and data secure by applying appropriate technical and organisational security measures in light of the new circumstances brought about by COVID-19, it is also a legal obligation, so companies need to assess new risks and update systems accordingly, says Foster. “The GDPR does not expressly address homeworking – it applies regardless of the nature of the workplace… there is no “homeworking during a pandemic” exception to the GDPR’s requirement that controllers have appropriate technical and organisational measures in place to protect personal data.”
Personal devices and home networks with inadequate security are a distinct risk to company data, whether personal data or other valuable business data, so it is important for organisations to conduct a rigorous review of the risks they face and of the systems that need protecting. “Companies that do not have their own information security personnel should consider engaging an outside consultant or using a robust third party solution as their platform for homeworking,” says Foster.
Review policies and keep staff informed
There is evidence that scammers are targeting homeworkers in several ways, including phishing messages with COVID-19 or IT-support themes and attacks on video-conferencing sessions. Companies should therefore identify the specific risks they face and extend their defences beyond technical controls to organisational measures: updating policies and processes, and conducting training and awareness sessions for staff.
“In simple terms, many organisations will have homeworking policies and, where they do, they should be making sure that those who are working from home are reminded of what the policies require of them. Do that regularly,” says Campbell. “They should also be cautioned that the risk of scams is heightened at the moment, so they need to be extra vigilant.”
Felicity Burling, of HFW, also points out that while the usual cyber hygiene should apply in times of crisis, more tailored training for staff is key. “Staff should be reminded not to click on links without checking them, and to be wary that emails may be disguised to look as though they are from clients or colleagues. Payments to new account details should never be made without checking that they are genuine, through a variety of different methods,” she says.
Compliance and data protection teams should consider rolling out refresher training on how to detect phishing attacks and other COVID-19-related scams, and on the organisation’s procedures for responding to and reporting them. It is also important to review incident response plans to ensure that their provisions remain practicable when the company’s IT or incident response team is itself working remotely. Compliance teams should ensure that incident response protocols are clear, that communication lines are effective, and that incidents are appropriately flagged and escalated.
Use VPNs and protect devices
Ensure staff understand the importance of keeping software, and the devices themselves, up to date, and that they know how to do this. “All wireless equipment should be protected by passwords, and software patches and firewalls should be kept up to date,” says Burling.
Devices used for working outside an office environment are more vulnerable to theft and damage. Whether staff are using their own device or the organisation’s, they should be encouraged to lock their screens when leaving a device unattended, especially if children or housemates are present, according to Itsiq Benizri, senior associate at WilmerHale. “Typically, employees may leave devices unguarded with children who could click on malicious links or communicate outside of company communication systems,” he says. Staff should therefore ensure proper safeguards are in place and that devices are kept somewhere safe when not being used.
It is also important to make sure that staff are aware of what to do if their device is lost or stolen, and who to report it to. Compliance teams should encourage users to report any losses as soon as possible. “The early reporting of such losses may help minimise the risk to the data, and staff who fear reprisals are less likely to report promptly,” says Doyle.
Finally, virtual private networks (VPNs) and remote desktop connections allow remote users to access the organisation’s IT resources, such as email and file services, and encrypt data in transit between the user’s device and the company’s servers. Companies are advised to encourage all staff to connect via the VPN where possible, and to make sure the VPN software and gateway are fully patched and updated, since remote-access infrastructure is itself an attractive target. A VPN protects traffic in transit; it does not protect data on a device that has already been compromised, so it complements rather than replaces patching, screen locking and the other device controls above. “It is recommended, among other things, to make sure employees use VPNs, avoid storing files locally, and connect remotely to the company’s own servers,” WilmerHale’s Vallery points out.
While companies can do plenty to ensure they have adequate measures in place to protect data during the pandemic, ultimately, however, it all comes down to ensuring staff are aware of the risks and of what they should be doing. “The most important advice we have – and it is a simple one – is for companies to remind employees of the risks that they are facing and of the fact that such risks are higher when people are working from home in a challenging context,” says Vallery.
Lexology PRO Compliance is including articles relating to COVID-19 in the main Lexology newsfeed in order to provide in-house counsel users with practical information and first-hand experiences on how to navigate the current market.