Many businesses are adapting to new, remote working environments along with novel ways of doing business. This is due to the global spread of the COVID-19 pandemic and the coinciding restrictions set down by the various authorities on physical interaction. Fortunately, digital interaction is one area in which individuals have no need to practice “social distancing”.
The current working environment has resulted in cyber proximity. Organisations are becoming increasingly reliant on digital channels of communication for business continuity and adjusting their customer offerings to ensure compliance with governmental restrictions and expert advice.
This increased reliance on digital channels exacerbates a number of threats from a cyber hygiene perspective. There are steps that organisations should take to assess their data security practices and procedures. In this article, we identify a number of these cyber threats and we outline some practical tips that can be taken proactively by businesses to protect against them.
Key Cyber Threats: What risks occur when employees work remotely?
- Physical Security: In setting up a remote working environment, many employees removed laptops and hard copy files containing confidential or commercially sensitive information from their office buildings. This means that organisations can no longer to the same extent control and/or restrict the further dissemination of information stored on these devices or contained in the hard copy files. To the extent work laptops are secured, this serves to mitigate the data security risk somewhat, however, there is still a risk of hard copy material being easily accessible to third parties.
- Vulnerability of Personal Devices: An increased number of employees continue to log-in to systems remotely and from personal devices to which, in many cases, organisations have not applied the appropriate encryption or security measures. This means that any data stored and/or transmitted via these devices may be vulnerable to attack, alteration, loss or destruction. In particular, these devices may not have the appropriate “anti-malware” software to protect against such incidents. This risk is heightened by reports that there has been a recent surge in phishing attacks and fraudulent activity as hackers seek to exploit the vulnerability of less secure systems to access commercially valuable information.
- Communication Channels: The absence of daily, physical interaction has resulted in employees carrying out work-related communications and/or meetings through unofficial channels such as WhatsApp or other personal messaging platforms. This creates a risk that critical and other business-related data, communications and decisions are not being recorded to the appropriate company systems and, again, that important business information is being stored on personal devices which, as outlined above, do not contain the adequate security safeguards.
- Disruption to Supply Chain: The increased dependence on internal company IT units and/or IT suppliers as businesses shift to remote working means that IT support and security teams will be placed under pressure. This pressure may lead to disruption or delays in the effective provision of IT security services as resources get diverted from IT security to address urgent clamours for IT support and maintenance services.
Practical Tips: How can your business counter these cyber threats?
To combat these cyber threats, businesses should use this period as an opportunity to remind employees about the fundamentals of cyber hygiene. This includes:
- encouraging employees to use stronger passwords (particularly when accessing company systems) and to continuously back up their data;
- encouraging employees to ensure operating system updates and appropriate anti-malware/virus software are downloaded where personal devices are in use;
- reminding employees to switch off, lock or store devices carefully when not in use;
- making employees aware of the increase in cyber attacks and how any such attacks and emails can be detected (sample phishing emails are often an effective method of achieving this);
- encouraging employees to flag any suspicious emails and continuing with, or increasing, cyber security training;
- updating company security policies and procedures to take account of new working conditions and sending copies of company security policies and guidelines to employees. Employers need to consider the varying levels of technological understanding within the business and ensure that these policies and guidelines are user-friendly; and
- actively discouraging the use of personal accounts and informal messaging platforms as channels to share and/or discuss business-related information.
Businesses should also try to implement:
- appropriate security measures, such as two-factor authentication; and
- adequate technical controls, such as filtering technology, to identify suspicious emails and mitigate against the increased risk of phishing and other well-known threats.
Ultimately, the extent to which a business will need to adapt its data security policies and procedures will depend on the extent to which remote working has been tested in practice within the organisation before the COVID-19 crisis. Many businesses are adapting to this new landscape with relative ease, while others are finding it difficult to apply the same data security measures to a remote working environment.
Notwithstanding the many challenges presented by the COVID-19 pandemic, the implementation and maintenance of robust security policies is expected by regulators and remains critical to businesses in continuing to provide customers with a trustworthy, reliable and efficient service.
We are available to advise businesses with any issues they face. Please contact Anna Ní Uiginn, Rachel Hayes or your William Fry contact with any queries.
Our partners, associates and our support teams are available as usual to support your business. We also have a specific COVID-19 Hub to help you.
Contributed by: Anna Ní Uiginn & Rachel Hayes
Follow us on Twitter @WFIDEA and @WilliamFryLaw