Rishi Maharaj

Privacy & Security Concerns in the time of a Pandemic

If “necessity is the mother of invention,” coronavirus (COVID-19) forced many around the world to rethink their daily lives, from work to school to entertainment. It has now become imperative to digitally transform our places of work, education, etc., so that they can continue to operate effectively.

Those companies able to use technology well to keep going, and to rethink their business model for the future by fast-tracking digital transformation, will be the ones ahead of their competition. “Industry 4.0” embraces a view of a new digital. It strives to marry the digital world with physical action and thus blur the boundaries between worlds as we know them.

Key Risks in Digital Transformation

  • The point of origin – How much does the company already rely on digital technologies?
  • The speed – How fast can the company be viably transformed?
  • The scope – How much of the company should be digitally transformed?
  • The goal and competitive advantage – What is the purpose of the digitalization, and how can the digitalization serve as a competitive advantage?
  • Human resources and communication – Who are the specialists that will be at the center of implementing the digital transformation?
  • Outsourcing – To what extent would the outsourcing of expertise be more profitable than the establishment of in-house expertise?

Cloud Services

The decision by businesses to retain critical applications in their own on-site “data center” or servers, in order to have lower latency and more control over performance, gets turned on its head when suddenly the offices are empty and all employees must work from home.

“Every IT director is getting phone calls that say we want to be in the cloud now,” Ian Campbell, the CEO of Nucleus Research Inc., told Silicon Angle. Campbell said with certainty that mass migration is on its way.

Cloud computing offers companies several advantages including low costs, high performance, and the quick delivery of services. However, without the implementation and enforcement of appropriate cloud policies, companies can be exposed to the risks of data loss, spiraling costs, and underperforming assets.

Cloud policies are the guidelines under which companies operate in the cloud. Often implemented to ensure the integrity and privacy of company-owned information, cloud policies can also be used for financial management, cost optimization, performance management, and network security.

Cloud Adoption Risk

  • How is the confidentiality, integrity and availability of data maintained?
  • Where is the data stored?
  • If the data is stored off-shore, are the additional legal implications and risks assessed and understood?
  • Can the data be encrypted in transit and/or at rest?
  • Who generates, holds and distributes the encryption keys?
  • Where is the data encrypted?
  • How can you monitor what happens to your data over a diverse cloud-based supply chain?
  • How can you make your users’ access to cloud services seamless yet secure?
  • What independently assured certifications and accreditations does the cloud provider hold?
  • Where are the cloud provider’s service centres, and what level of vetting have their staff undergone?
  • Can the data and service be easily moved to another provider?
  • Does the provider preclude you from conducting your own penetration testing of your own services?
  • Is the provider and service compliant with applicable regulation?
  • What jurisdiction is specified within the contract for the purposes of conflict resolution?
  • Is the cloud contract fit for purpose and compliant with all applicable regulation?

Data Governance Challenges

With advancements in information technology, organisations now have access to far more data than they ever did before. This plethora of data gives organisations the ability to catapult their productivity and earning potential — and has the potential to highlight operational inefficiencies and a failure to keep pace with market competition. Implementing the key elements of data governance can help ensure that your organisation has the powerful insights necessary to succeed. I believe the best barometer to determine how successfully an organisation will weather current and future challenges will be how well they handle data and analytics.

Key elements of data governance any organization should implement:

  • Data Integrity: This is the accuracy and completeness of the data. Utilize data standardization practices and data mapping to help ensure that your data is consistent, complete and accurate across all systems.
  • Data Storage and Integration: Consider where the data is stored and how this data moves between systems.
  • Data Security: Who has access to the data and how is the data protected from data breach scenarios?

Organisational Issues with Work from Home

With the advent of the novel coronavirus COVID-19, many organisations around the world are undergoing a seismic shift on an accelerated timeline towards telework or remote working for some or all employees. In addition to ensuring that the networks, VPNs, and other IT resources are capable of supporting such a shift, organisations that have not built such teleworking into their disaster preparedness plans should be aware of, and take steps to mitigate, the cybersecurity and data privacy risks involved in such a shift.

Key Privacy and Cybersecurity Issues to Consider

  • Access to Restricted Systems – Many organisations have systems that are subject to on-premises access only. With the shift to teleworking (by choice or government initiative), these systems may need to be opened up for remote access by authorized users. Ensuring that such systems are configured appropriately, and that additional authentication requirements are included for remote access to these specific systems (e.g., additional and distinct password requirements and/or two-factor authentication), is a key element of maintaining the integrity of those systems in a teleworking environment.
  • Availability of IT Resources for Teleworking – While a certain subset of the employee population may already have organisation-issued devices for remote working, many organisations will struggle to meet the demand for such devices in the event a substantial number of traditionally non-remote workers begin to telework. Assuming that a rapid procurement process is not feasible, this can leave organisations with only two options:
    • Deployment of prior-generation or stored laptops and other devices – In the event prior generation or stored laptops and other devices are deployed, there is a risk that these devices do not have up-to-date security software and have material gaps in their software security patches.
    • Permitting workers to utilize personal devices for accessing organisation systems and resources – Organisations may have relatively little control over the security of the personally owned devices of their workforce, unless those devices have been subject to prior efforts to bring them into conformance (e.g., via security applications on mobile phones).
  • Phishing Attacks – Major events provide an attractive opportunity for malicious actors to leverage concerns to attack organisations. Phishing and malware attacks disguised as health updates or updates to sick leave policies can provide an easy method to attack even the most well-trained workforce. The impact of these attacks may be further exacerbated by the remote work solution, depending on what devices are at issue (i.e., organisation-owned or personal devices) and the security solution for remote working (e.g., firewall configurations and remote access to restricted systems).
  • Increased Remote Connections – Beyond the strain on VPN and other technology solutions that may be utilized by organisations, an increase in remote connections can provide ample cover for malicious connections to be made. The risk of such connections is further increased if the employee is utilizing an unsecured or compromised connection (e.g., working from the local coffee shop).
  • Data Privacy Risks – With respect to the security monitoring of employee and workforce member use of devices outside the office, particularly on personally owned devices, organisations should thoughtfully address data privacy considerations. Key considerations include:
    • whether the organisation has properly issued a privacy notice and/or obtained consent, whether a data protection impact assessment is needed for the monitoring activities, whether a cross-border transfer solution is needed, and whether appropriate terms are in place with any vendors or third parties that may access the data.
    • Employment-related considerations, including whether employee representatives should be consulted on the monitoring activity, and whether any data collected could be used at a later time as a basis for discrimination or unfair treatment claims.

Checklist During the Coronavirus Pandemic

Making the decision

  • Review existing resources, applicable policies, and customer/client agreements to determine if remote work is feasible, prudent, and contractually permissible. Strategies and Policies to Consider:
    • Data/Digital Transformation Strategy
    • Data Governance Strategy
    • Internal Data Privacy Policy
    • Remote Work Policy
    • Data Access Policy
    • Security Policy
  • Have a plan for resources, communications, expense reimbursement, etc.
  • Stay on top of developments as plans may need to be changed.

Confirm the IT infrastructure can support remote work

  • Be ready to address systems and equipment needs of employees who may not be set up to work from home.
  • Beef up staffing, including help desk capacity to support workers not used to remote work.
  • Ensure data privacy and security.

Communicate clearly and consistently

  • Ensure critical lines of communication between management are open.
  • Examine existing policies closely, such as confidentiality, written information security programs, business continuity, bring your own device (BYOD), etc. Companies without these policies or a comprehensive telework policy should consider putting them in place. In general, all existing company policies should apply whether an employee is working at the office or at home.
  • A localized approach may be warranted based on local conditions, but be sure managers are on the same page to avoid inconsistent application of policy.
  • Provide employees with system access instructions and tell them where to go for help.
  • Be understanding and solution-oriented.

Ensure data privacy and security

  • Implement the work-from-home arrangement consistent with the company’s written information security program, to ensure the access, transmission, and storage of confidential business and personal information is safeguarded. Some key safeguards include:
    • Permit access only through VPN or similar connection.
    • Require two-factor authentication.
    • Supply employees with secure laptops.
  • Data privacy and security communication to employees should include:
    • Elements of confidential business and personal information that warrant protection.
    • Minimum necessary rule – basically, only use confidential and personal information as needed to complete the employee’s assigned tasks.
    • Knowing where to report a data incident.
    • Saving company data only on the network, and not on personal devices.
    • Not permitting others to access the company’s systems, including the personal device that has access to the company’s systems.
    • Avoiding printing sensitive corporate materials unless the reason to do so outweighs the risk.
    • Not sending sensitive corporate data to personal email or cloud accounts.

Obtain employees’ agreement to conditions for remote work. Items to cover in the agreement might include:

  • Continuing requirement to complete work assignments.
  • Maintaining availability during normal business hours.
  • Adherence to the company’s data privacy, security, and confidentiality policies.
  • Maintaining safe conditions and safety habits at the home office as established at company facilities.
  • Ensuring all work time is recorded.

To learn more about Data Privacy and the impact it can have on your organization, as well as how to apply appropriate governance, privacy and data protection controls to help reduce risks, issues and threats, register now for our Data Protection and Information Governance Intensive, March 26th 2019 at Hilton Trinidad. Visit our event page at www.equigov.com/dataprivacy2019 for more information, email us at info@equigov.com or rishi@equigov.com, or call 1-868-461-4572.
