As companies are increasingly asking employees to work from home to decrease the spread of the coronavirus (COVID-19), Jamal Ahmed, global privacy expert and in-house data protection lead, discusses why businesses should focus on promoting employee cyber-awareness and building fail-safes to defend against opportunistic hackers looking to profit from the COVID-19 panic.
Ahmed founded Kazient Privacy Experts, a global privacy consultancy firm, in 2014. He found that business managers were struggling to understand the complex, regulatory language of laws surrounding data protection, such as the General Data Protection Regulation (GDPR) and needed experts in the market who “could provide compliance services but in a language everyone could understand.”
Data protection “is not about the financial implications anymore, it’s about the trust that consumers have in the company,” Ahmed says, speaking from his experience as data protection lead at the financial services companies Alter Domus and M&G Investments, so businesses have a lot at stake when it comes to keeping data secure. This has been demonstrated by the many heavy fines imposed on multinationals found to be in breach of privacy laws and by the reputational damage suffered by companies including TalkTalk, Google and Facebook.
COVID-19 presents compliance teams with a particular data protection challenge because cybercriminals are “taking advantage of the panic and fear,” and Ahmed has seen a significant rise in cyber-attacks against companies during the pandemic. In particular, cybercriminals target employees with tempting e-mails disguised as coming from health authorities, claiming to have updates on the COVID-19 situation or links to secret information such as a cure. Combined with significantly more employees working from home and using unfamiliar programmes or digital platforms to share information or communicate, this creates a complex, high-risk environment for compliance.
Educate employees on risks and policy
During self-isolation, it is particularly important that all employees fully understand the implications and responsibility of their actions when it comes to keeping data secure. Human error was the third-highest cause of cyber breaches in the world (24%) in 2019, and in a situation where a business has chosen to use a virtual private network to enable all of its employees to work from home, one error could have devastating consequences for everyone using that portal.
Compliance teams, Ahmed explains, must ensure that every employee in their company understands how they contribute to the company’s data security. This starts with in-house handbooks and policies. These should be reviewed to ensure they are up-to-date and include any COVID-19-specific information, and should be written in clear, accessible language.
Ahmed points out that in the UK, for example, the average reading age is 11, so when he works with a business to develop a data protection policy, he uses language that an 11-year-old can understand. Avoiding writing in the negative, not reciting legislative phrases, and avoiding unnecessarily complex words can make a huge difference to the accessibility of a policy, Ahmed says. Accessible language ensures that every kind of employee in a company can fully grasp the policy, the risks and the reasons behind the instructions, making them less likely to make a mistake that could result in a breach. Most employees, all the way up the management hierarchy, are not data protection experts, so the handbooks should reflect this.
Launching an internal awareness campaign to “remind people about the importance of data and guarding confidential and personal information as they are working remotely, and to be aware of their environment at home, such as who might be in the room or able to see the laptop screen” is another way to increase engagement with in-house data policies, Ahmed says. Weekly online question-and-answer sessions or daily update e-mails, for example, would create a space where employees can ask questions and raise concerns. This will not only remind employees of their responsibilities but also highlight risks. For example, in his role as global privacy counsel at M&G Investments, Ahmed is careful to circulate regular e-mail updates on the coronavirus and the data protection strategy to clients and employees, to reassure them and keep them aware of how he is approaching the related risks.
To provide more tailored information to teams, Ahmed advises nominating in-house data protection “champions” during the COVID-19 pandemic to act as team representatives, collecting questions specific to each team’s function and activities and approaching the compliance team for answers. This will ensure that specific information reaches the relevant people, giving them a reliable source of advice before they act, rather than after.
For companies that have not yet sent their employees into self-isolation, Ahmed says the compliance team should also ensure there is a strong “bring your own device” (BYOD) policy in place to give employees a real-time training experience with the devices they are likely to use from home. This will help employees to comply with company policy on their own devices and teach them how to keep those devices secure. It will also reduce the chance of technological glitches occurring, which are a data security risk in themselves (responsible for 25% of all global data breaches in 2019), when the time comes to permit employees to work remotely.
Essentially, the more aware and knowledgeable the workforce is, the better protected the company data is, according to Ahmed.
Fail-safes and disciplinary action
Data protection, however, does not end with the employee. The digital environment a company provides for its employees to work remotely within can be an area of huge risk, as practitioners at Paul, Weiss, Rifkind, Wharton & Garrison say:
“A spike in the number of employees working remotely can create increased network vulnerability, greater risk of inadvertent data loss, and greater financial vulnerability. These risks are exacerbated by cybercriminals seeking to exploit the unique features of the coronavirus situation to engage in more effective phishing and other methods to gain unauthorized access to network systems.”
An opportunistic hacker could access a company’s network through an employee’s unsecured home or public network, and Ahmed explains that “one mis-click from an uninformed or disgruntled employee” could grant a hacker access to the server being used by dozens of employees if a company is using a remote desktop app or virtual private network.
Compliance teams, working in collaboration with the IT team, can help build fail-safes into the design of a remote working system to hamper cyber-attacks. Data encryption, for example, should be the standard for sharing through any communication programme, from Skype to WhatsApp, Ahmed says, and this is what he has been advising the companies he works in.
In addition to making staff aware of their obligations, Ahmed advises giving them a “documented COVID-19 process” to follow, which includes clear instructions for keeping data secure. Crucially, Ahmed says staff should be trained and instructed to ensure that all e-mail attachments containing personal or confidential information are password protected, and that the passwords are sent via a different communication channel (such as WhatsApp or another secure app) in case an attacker is monitoring inboxes. Ahmed refers to this as “two-factor verification.” This is very simple advice, Ahmed admits, but “it’s where most people fall down and human error is where most problems happen,” so building fail-safes into systems to help catch human error is crucial to maintaining a secure system.
Non-compliance with the COVID-19 compliance policy should be met with disciplinary action to reflect the seriousness of the offence because it is, after all, the company’s reputation at risk, Ahmed says. When employees are actively ignoring advice or policy, this is a problem that has to be dealt with quickly to avoid company-wide complacency. “It’s about trust” between the employee and the employer, Ahmed says, with both fulfilling their duties and understanding the consequences, which in turn maintains the trust of consumers and customers. In the world of data privacy, it can be as harsh as a company being “shown the door” if it is seen in the industry as not trustworthy with data, Ahmed says. If trust is breached on the employee’s side through complacency, therefore, there has to be disciplinary action.

Recently, Ahmed has had cases where employees have repeatedly made the same mistakes, endangering the company’s data, so he has asked the business leaders to implement “a process where if they make the same mistake again, they are disciplined, and we have seen a significant decrease in that behaviour.” The way to identify this kind of behaviour and encourage compliance, even with employees outside the office, is to conduct random, sporadic audits in which an employee’s activity is reviewed to ensure they are following procedure, Ahmed advises.
Establishing a strong procedure and ensuring employees understand the importance of compliance now will put companies in a good position to meet not just the current compliance demands of COVID-19, but the future demands of a world which, in Ahmed’s opinion, is moving increasingly into the digital realm.
The future is digital
One positive outcome of COVID-19 is that it will increase people’s awareness of the benefits of digital platforms and of homeworking. From a remote working perspective, the pandemic is accelerating what was already a global trend towards homeworking: in the US alone, the number of remote workers increased by 159% between 2005 and 2017. It has also caused many international conferences and events to be cancelled or moved to digital platforms, and the imposed lockdowns and movement restrictions will inevitably “make people realise the benefits of [digital platforms] and we will see more of an uptake in this kind of communication,” according to Ahmed. The benefits range from saving money and time, to reducing the carbon footprint of multinational corporations and, crucially, more control over data.
“If we are doing [conferences and events] digitally, rather than in person, you have a lot more control over how your data is shared and who can access it. You can increase access management, you can have more visibility about who is accessing and using the data and you can put restrictions in place. Whereas at an event, you’ve hardly got any control over how anybody is sharing information, who with and what they are doing on their devices… so you have a lot less control,” Ahmed explains.
So to the many businesses that Ahmed describes as “fearful” of introducing a remote working requirement because they may lack the capability or capacity to allow colleagues to do so, perhaps it is best to adopt it now and adjust to the future. Denying workers the “freedom” to work remotely during the COVID-19 pandemic endangers the company’s reputation if it contradicts government advice, because this can be seen as failing to meet an employer’s duty to protect the health of its staff and, by association, their families. A company that is seen to be unnecessarily requiring its employees to take the risk of coming to the office is placing itself in a very precarious position.
Using strong data protection policies, in-house enforcement, and promoting awareness, Ahmed urges companies to “put themselves in a position where they are not endangering themselves, their employees or the families of their employees by not putting in place the capacities and boundaries that every company should have in place in 2020.”
Lexology PRO Compliance is including articles relating to COVID-19 in the main Lexology newsfeed in order to provide in-house counsel users with practical information and first-hand experiences on how to navigate the current market.