COVID-19: Agile working across Europe - new arrangements come with increased cyber security risk


There has simply been no way around it: the coronavirus COVID-19 pandemic has given organisations across Europe and, indeed, across the world, no option other than to roll out home-working IT solutions if they want to continue operating.

We can safely say that there has been no other single event in recent memory that has prompted such a rapid shift of employees away from the workplace and into the seclusion of kitchen tables, living-rooms and home-offices across the continent.

With the rollout of these remote working solutions, at such scale and with such haste, there is an obvious and inevitable risk with respect to the security of data which must be accessed by a now dispersed workforce. We often see that operational change carried out quickly and under pressure can lead to bad outcomes. The maintenance of good cyber security, despite this shift away from the office, is absolutely vital.

What does the law say?

The law does not prevent organisations from allowing home-working in this way. Organisations must nevertheless be aware of obligations that they are under, which apply from a number of angles.

Data protection law is primarily concerned with the security and protection of personal data and it is under this legislation that we primarily see business risk arise.

Article 32 of the General Data Protection Regulation sets out that organisations processing personal data must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

While we generally see issues arise around the confidentiality of personal data, maintaining continued integrity and availability of personal data are also obligations under the legislation.

Organisations will likely also be under a series of contractual obligations and sector-specific rules as well. Businesses must consider contractual provisions that apply regarding the security that will be applied to information and data, where it will be stored and how and when it will be deleted or destroyed.

These are the points of failure. Pushing a large and varied worker-base into home working naturally increases the risk of cyber security being less than required. Organisations may have added burdens according to sector and contractual agreements, but the baseline position of having “appropriate” security is key.

Top tips

Defining what security level is appropriate is difficult, and it is often a question answered through a backward-looking lens, once failure has already occurred. Several European regulators, including the Information Commissioner’s Office in the UK and the Irish Data Protection Commission, have produced high-level guidance. Organisations may wonder what they can do to reduce their risk. There is no “one size fits all” solution.

However, the following points should be considered by any organisation:

1. Devices

  • Check and update policies and training to ensure that devices are:
    • not lost or misplaced;
    • used in a safe location, particularly if they contain sensitive personal data;
    • locked if the device-owner needs to leave it unattended for any reason;
    • turned off, locked, or stored carefully when not in use; and
    • capable of being remotely wiped if lost or stolen.
  • Whether implemented remotely or through device-owners, ensure that devices are fully updated, such as operating system and software/antivirus updates, and backed up.
  • Implement effective access controls (such as multi-factor authentication and strong passwords) and encryption to restrict access to the device.

2. Emails

  • Check and update policies and training to ensure that workers will:
    • follow applicable policies around the use of email;
    • use work email accounts rather than personal ones for work-related emails;
    • ensure they are sending emails to the correct recipient.

Unfortunately, we have seen increased instances of phishing attacks over the past number of weeks as cyber criminals look to take advantage of gaps in cyber security during the transition to remote working. The risk of email interception and other types of payment fraud is higher at this time, as workers arrange new and different payment paths, for example to avail of employee subsidy payments made available by many European governments to protect jobs and businesses. Training on the new phishing methodologies is therefore business critical.

3. Cloud and Network Access

  • If not already in place, roll out organisational rules and procedures on cloud or network access, login and data sharing, and train workers on them.
  • Check and update policies and training to ensure that workers will:
    • only use your organisation’s trusted networks or cloud services where possible; and
    • ensure any locally stored data is adequately backed up in a secure manner, if they do need to work without cloud or network access.

4. Paper Records

  • Check and update policies and training to ensure that workers will:
    • maintain security and confidentiality of paper records, such as by keeping them locked in a filing cabinet or drawer when not in use, disposing of them securely when no longer needed, and making sure they are not left somewhere where they could be misplaced or stolen; and
    • take extra care to ensure the security and confidentiality of sensitive personal data, and only remove such records from a secure location where it is strictly necessary to do so.
  • Consider whether to keep a written record of which records and files have been taken home, in order to maintain good data access and governance practices.
  • Carry out remote workplace assessments for workers handling personal data and consider if they should be issued with additional security-enhancing equipment (such as shredders or laptop privacy filters).

If those policies, training and protocols are already in place, then perhaps undertake a round of refresher or awareness training to remind workers of what is expected of them. Those expectations should be underpinned by disciplinary processes that need to be followed in instances of non-compliance.

Finally, businesses must consider the security arrangements of their suppliers or processors that handle data on their behalf. As a first step, organisations can request confirmation and evidence from suppliers that business continuity arrangements have been put in place that continue to meet the technical and organisational security requirements set out in the relevant service contract.

This transition to large-scale home-working has been undertaken under pressure and at speed. While most businesses and their IT teams deserve huge praise for completing this transition remarkably well, the potential for gaps to arise is obviously high. By ensuring that security is maintained over personal data, organisations can ensure that they reduce the risk of issues occurring and continue to serve their staff, customers and communities.