Privacy and data protection in the COVID-19 era
COVID-19 has moved faster and at a scale that has left most businesses and organisations gasping. Amid the economic upheaval, lockdowns, physical isolation and finding new ways of delivering goods and services, business owners have also had to transition employees to work remotely. And in the mad dash, many have neglected privacy and data protection.
Just a few months ago, many business owners hadn’t even contemplated having their workforce work offsite, let alone prepared for it. As workers hurriedly made their way home – computers and access codes in hand – business owners may have had little time to carry out checks or put new policies and procedures in place to protect privacy and data.
Privacy- and cyber-security-conscious business owners who previously wouldn’t even allow employees to access work emails on their private mobile phones have sent their employees home to work using work computers with access to company networks and/or BYO devices. They have also found themselves quickly adopting technology, such as video conferencing, livestreaming, messaging apps like WhatsApp and collaboration software like Zoom, Microsoft Teams, Slack and Skype, to keep in touch with clients and staff. And many businesses may be caught short as cyber crims exploit working-from-home (WFH) arrangements.
Over the past month, a spike in cyber incidents has been reported globally and media reports are awash with news of “zoombombing”, where virtual meetings have been gate-crashed by everyone from high-profile comedians to trolls, trackers and hackers.
Although WFH has presented many SMEs with cyber security threats they hadn’t anticipated, business owners can take steps to shore up their cyber defences and protect their companies from being exploited.
Tips to improve cyber security
Employees should be reminded about all relevant security policies and practices, as they apply equally in the home as in the workplace.
Train employees on best practice data protection (passwords, network security, portable device security, locking computers when unattended), email security (recognising cyber risks such as spam, scams and phishing emails) and handling confidential/private information (including their responsibilities and obligations). With hackers exploiting COVID-19 fears, it is important employees are told to expect phishing emails and trained to accurately identify and handle them safely.
Remote desktop protocol (RDP) enables employees to access their work computers or the company’s primary server from home. While convenient, a poorly secured RDP service is an invitation for cyber crims, so choose a client and server with strong security (a 2019 Check Point study found security problems with some of the most popular RDP tools for Linux and Windows).
Businesses should ensure employees can only reach their work computers through a virtual private network (VPN) protected by multi-factor authentication (MFA). The IP addresses that are allowed to connect via RDP should be whitelisted, and unique credentials for remote access (especially for third parties) should be in place so that access can be traced and revoked individually.
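As an added illustration of the allowlisting and MFA points above, the script below (example code written for this page, not EBM’s own tooling) audits a remote-access gateway log and flags three things a business owner would want to know about: connections from IP addresses outside the whitelist, successful logins that did not use MFA, and repeated failed logins from one source. The log format, the documentation-range IP addresses, the allowlist and the failure threshold are all constructed assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines (not real data). The key=value layout is a
# hypothetical format a remote-access gateway might emit; adapt parse_line()
# to whatever your VPN or RDP gateway actually logs.
SAMPLE_LOG = """\
2020-04-14T09:12:03Z gateway=rdp user=alice src=198.51.100.23 result=success mfa=yes
2020-04-14T09:15:41Z gateway=rdp user=bob src=203.0.113.77 result=success mfa=no
2020-04-14T09:16:02Z gateway=rdp user=administrator src=192.0.2.200 result=failure mfa=no
2020-04-14T09:16:03Z gateway=rdp user=administrator src=192.0.2.200 result=failure mfa=no
2020-04-14T09:16:04Z gateway=rdp user=administrator src=192.0.2.200 result=failure mfa=no
2020-04-14T09:20:10Z gateway=rdp user=carol src=203.0.113.10 result=success mfa=yes
2020-04-14T09:25:55Z gateway=rdp user=vendor-svc src=198.51.100.40 result=success mfa=no
"""

# Assumed allowlist: the VPN's egress range plus one fixed office address.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.10/32")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) gateway=(?P<gw>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    reason: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowlisted(ip_str, allowlist=ALLOWLIST):
    """True if ip_str falls inside any allowlisted network (invalid IPs are not allowed)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in allowlist)


def audit(log_text, allowlist=ALLOWLIST, failure_threshold=3):
    """Scan the log and return a list of Finding objects worth a human's attention."""
    findings = []
    failures = {}  # (user, src) -> count of failed logins seen so far
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in an unexpected format rather than crash
        if not is_allowlisted(rec["src"], allowlist):
            findings.append(Finding(rec["ts"], rec["user"], rec["src"], "source IP not on allowlist"))
        if rec["result"] == "success" and rec["mfa"] != "yes":
            findings.append(Finding(rec["ts"], rec["user"], rec["src"], "successful login without MFA"))
        if rec["result"] == "failure":
            key = (rec["user"], rec["src"])
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == failure_threshold:  # report once, when the threshold is reached
                findings.append(Finding(rec["ts"], rec["user"], rec["src"],
                                        f"{failure_threshold} failed logins from one source"))
    return findings


def summarise(findings):
    """Count findings per reason, useful for a daily report."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.user}@{f.src}: {f.reason}")
    print(summarise(audit(SAMPLE_LOG)))
```

Run against the constructed sample, the audit reports bob’s login (wrong source and no MFA), the three failed administrator attempts from an address outside the allowlist, and the third-party service account that connected through the VPN without MFA. In practice the allowlist would be fed from the firewall configuration and the log from the gateway, so the script doubles as a check that the firewall rule and the reality in the logs agree.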
In addition to installing security software that includes a firewall, anti-virus, anti-spyware, spam filters, and anti-hacking and anti-phishing toolbars, ensure security updates/patches are installed promptly on every device used for work.
Use mobile device management (MDM) tools to set up devices with a standard configuration, and also to remotely lock devices, erase data or retrieve a backup. Also make sure devices encrypt data at rest, to protect data on the device if it is lost or stolen. While most modern devices have encryption built in, it may need to be switched on and configured.
All data should also be regularly backed up using multiple platforms (especially if employees are not accessing work servers that are backed up onsite and are instead storing data on local computer drives etc.) and to the cloud (ensuring the cloud service has all the security required).
BYO device security
If the business decides to allow employees to use their own phones, tablets, laptops or desktop devices, check that the private device is clean and that it has the same level of security as the work system, including firewalls, which create a barrier between the device and the Internet.
Employees should also ensure their Wi-Fi connection is secure using a minimum of WPA2 security and always lock their devices.
Once employees return to the office, business owners should also ensure all work data is removed from the BYO devices.
Some experts suggest that one-on-one video calls using Skype or FaceTime offer greater protection. If the business needs to involve more parties in meetings, ideally the service should use end-to-end encryption, which scrambles content so that no-one apart from the sender and receiver can see the content.
As anyone who has access to a meeting link can join the virtual meeting, businesses should ensure that meeting invitations are not posted on social media or shared with third parties in other ways. To this end, avoid using these apps for public meetings or events, as these are particularly at-risk of zoombombing.
Settings to stop anyone but the host from sharing material, such as slides, pictures, videos or spreadsheets, should also be activated.
WFH and cyber insurance
Regardless of whether a business owner has been on the front foot or caught on the hop when it comes to cyber security and protecting privacy and data as employees WFH, risk management is paramount. Risk strategies should include having a robust Business Continuity Plan, training employees, prioritising IT security measures, accessing authoritative risk management advice and ensuring an adequate Cyber Insurance policy is in place.
Whether a business’s Cyber Insurance policy extends to cover staff operating from home will depend on the policy wording. Some will only respond if the policyholder notifies the insurer of the change in operations, and policyholders should check whether the cover extends to the employee’s personal computer system.
Bottom line: If the policyholder is doing something different to the norm (such as allowing staff to WFH), then the normal rules of disclosure apply and the underwriter should be advised in advance, so everyone knows where they stand and arguments down the track can be avoided.
Ultimately, good risk management will always be a great investment – and an important element in business sustainability through these challenging times.
For more information about Cyber Insurance, please speak to your EBM Account Manager.