Staying (cyber) safe during the COVID-19 pandemic

Autor

Christopher Jeffery

Partner

London

Don't increase GDPR risk – there is no waiver of GDPR obligations

The obligation to take appropriate technological and organisational measures to protect against the unlawful access to personal data remains. You should consider what that looks like with what is now likely to be a highly distributed IT network (large numbers of employees working from home) with a significant number of unknown risks (employee home network security – or lack of it).

Act now to catch-up and address the increased cyber risk

Security researchers are already reporting very significant volumes of phishing emails trying to take advantage of the new environment (for example, attaching documents claiming to have updated guidance relating to COVID-19 which contain malware, or emails with links to updates or information on how to claim financial support). Clients should be reminding employees of the risks around phishing, and carrying out additional training if they have any concerns. Employees working in an environment in which they do not normally work also increases the risk of mistakes, and may make them more likely to fall for phishing emails.

Security teams are working remotely too

Remember that IT security teams are also working remotely. In some cases that can create additional risk and difficulty in dealing with attacks. There is already an increase in activity by hackers trying to take advantage of the current situation. Consider whether you have sufficient internal capability, and if you are using outsourced InfoSec providers, can they provide their contracted level of support in the current environment?

Remind employees of confidentiality obligations, policies and controls

Remind employees and consultants of relevant requirements in IT security and acceptable use policies, such as not forwarding work documents to personal email – there is an increased risk of this because, for example, it may be easier to print from personal email) – not printing documents unless essential etc. Working from home creates risks around confidentiality, as employees print documents which they may not be able to destroy as securely as they would in an office environment.

Employees should also be reminded that if they do click on phishing emails linked to coronavirus, they should contact the IT department immediately and follow their instructions. If an employee realises that they have clicked on a phishing link and then given away a password, they should change that password on all relevant logins and websites immediately.

Patching is still key to security

Pushing out security patches (and similar) is more difficult with employees working entirely from home, so consider whether your patching mechanisms are still appropriate, and put in place additional steps and testing if you have concerns.

Are policies adequate for the current situation?

If you don't have IT and security policies which are adequate for working from home, or the information monitoring and risk management structures in place to identify and remediate risks created by the current situation, we can help draft or revise policies and procedures.

How secure are home networks, and does your technology sufficiently mitigate any risk?

Employees may have insecure home Wi-Fi networks, or may connect on unsecured public Wi-Fi. While this will not be an issue if you have proper VPN arrangements in place, for some, it creates a significant risk; we have helped clients with a number of data breaches arising from senior employees connecting to unsecured networks. Home networks contain a number of potential compromise points which InfoSec function may not be able to manage/mitigate, so ensuring the security of connections to work systems from home is crucial.

Where is confidential information/personal data going?

Working from own devices (rather than a corporate laptop/phone) can create security issues such as auto-syncing with cloud providers resulting in confidential information being uploaded to the cloud, possibly being inadequately secured. Employees should be disabling such auto-sync functions. They should also be reminded about prohibitions/limitations on use of personal email – standard corporate policies should still apply.

Who is listening?

A more esoteric risk is that many homes now contain connected devices which are capable of listening to and recording conversations. While more sophisticated devices have wake-word requirements that should minimise risk, other connected devices capable of listening and recording (such as home CCTV or baby monitors) may pose a security risk.

Ensure that devices are encrypted at rest

Work devices should preferably be encrypted with whole disk encryption. This is included in most modern operating systems, but may need to be activated. Employees should also be reminded, in a blame-free way, about how to report lost or stolen devices, as it is more common for devices to be stolen or lost when working outside the office.

Disable removable media

Difficulties with working remotely mean that employees are more likely to use USB drives or other removable media at home. Removable media should be disabled using MDM settings, with only devices supplied by the business being enabled for use. This limits the risk of cross-infection via removable media. Tools to remotely lock and/or erase data stored on devices should also be enabled.

Review NCSC guidance

Businesses should also look at the NCSC guidance to help reduce the risk of cyberattack when employees and consultants are working from home and on home devices during the coronavirus pandemic. The guidance covers cyberattack, cyber threat, devices, mobile devices and phishing.